

Introduction

Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, Cisco Wireless Controllers, Virtual Private Network (VPN) gateways, and data center switches. Cisco ISE acts as the policy manager in the Cisco TrustSec solution and supports TrustSec software-defined segmentation.

Cisco ISE is available on Secure Network Server appliances with different performance characterizations, and also as software that can be run on a virtual machine (VM). Note that you can add more appliances to a deployment for better performance.

Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services where needed, in a network, but operate the Cisco ISE deployment as a complete and coordinated system.

For more information about the features that are supported in this Cisco ISE release, see the Cisco Identity Services Engine Administrator Guide.

To access documentation on cisco.com, go to End-User Documentation.

What is New in Cisco ISE, Release 3.0?

Cisco ISE Release 3.0 uses Essentials, Advantage, and Premier licenses.

For more information about the licenses that are supported in this Cisco ISE release, see the Chapter “Licensing” in the Cisco Identity Services Engine Administrator Guide.

The new features are organized according to the license required for each feature.

Essentials License

The following features require the Cisco ISE Essentials license.

Debug Wizard by Function

The Debug Wizard contains predefined debug templates that you can use to troubleshoot issues on ISE nodes. You can configure the Debug Profiles and the Debug Logs.

Business Outcome: Cisco TAC can now enable the debug logs easily over multiple nodes in a Cisco ISE deployment. This feature helps in quicker troubleshooting.

SAML SSO for Multi-Factor Authentication

Edit the authentication context value in SAML request headings to support multifactor authentication.

Business Outcome: SAML authentication will now support multifactor authentication.

Support for Cisco ISE as a VM Deployment on VMware Cloud on AWS

The process for installing Cisco ISE as a VM on VMware Cloud on AWS is the same as that for installing a Cisco ISE virtual deployment. Ensure that the security group policies are configured on VMware Cloud to enable reachability to the on-premises deployment. See Supported Virtual Environments.

Business Outcome: Cisco ISE as a Virtual Machine can be hosted on the software-defined data center (SDDC) provided by VMware Cloud on AWS.

Multiple Attributes Lookup for ODBC Identity Store

Click the Advanced Settings option while adding an ODBC identity store to use the attributes under the following dictionaries as input parameters in the Fetch Attributes stored procedure (in addition to the username and password):

  • RADIUS

  • Device

  • Network Access (AuthenticationMethod, Device IP Address, EapAuthentication, EapTunnel, ISE Host Name, Protocol, UserName, VN, and WasMachineAuthenticated)

You can configure the stored procedures to retrieve the following output parameters from the ODBC database:

  • ACL

  • Security Group

  • VLAN (name or number)

  • Web-redirect ACL

  • Web-redirect portal name

Business Outcome: You can use these attributes to configure the authorization profiles. For example, you can configure an authorization profile to use the VLAN that is returned from the ODBC database based on the specified input attributes (such as MAC address, username, called-station-ID, or device location), instead of manually specifying the VLAN for each authorization profile.

Cisco ISE API Gateway

Cisco ISE API gateway is an API management solution, which acts as a single entry point to multiple Cisco ISE Service APIs to provide better security and traffic management. The API requests from the external clients are routed to the API gateway on Cisco ISE. The requests are further forwarded to the Cisco ISE nodes where service APIs are running, based on the rules configured on the API Gateway.

Business Outcome: Enhanced conversion of information exchange and cross-domain automation for a Cisco Software Defined Access (SDA) fabric in combination with Cisco ACI infrastructure.

Certificate Fingerprinting

The certificate fingerprinting process compares the SHA-256 fingerprint of the immediate issuer certificate with the trusted certificates. This enforces a secure mechanism for multiple certificates to support different domains. Certificate fingerprinting also allows you to lock the trusted certificates for the 802.1x protocol.

Business Outcome: Several domains are supported by multiple trusted certificates.

MSRPC Protocol for Passive ID Service

From Cisco ISE Release 3.0 onwards, you can use MS-Eventing API or Microsoft Remote Procedure Call (MSRPC) protocol for Passive Identity. Use the MSRPC protocol to establish node communication and monitor heartbeats between nodes in Cisco ISE. This option is available in addition to the WMI protocol for the Passive ID service.

The MSRPC protocol provides a reliable mechanism when Cisco ISE or Cisco ISE-PIC collects and monitors the events from several domain controllers. It also reduces the latency in receiving user login events from the Active Directory domain controllers.

Business Outcome: Provides a reliable mechanism for monitoring DC events.

Health Check

Cisco ISE Release 3.0 introduces an on-demand health check option to diagnose all the nodes in your deployment. Running a health check on all the nodes prior to any operation helps identify critical issues, if any, that may cause downtime or a blocker. Health Check provides the working status of all the dependent components. On failure of a component, it immediately provides troubleshooting recommendations to resolve the issue so that the operation can proceed without interruption.

Ensure that you run Health Check before initiating the upgrade process.

Business Outcome: Identify critical issues to avoid downtime or blockers.

Telemetry Updates

Additional network statistics are collected.

Business Outcome: The more information you can gather about customer networks, the better job you can do analyzing how to improve your products.

TCP Dump Enhancements

You now have more control over TCP dump files. You can also run TCP dump on additional interfaces.

Business Outcome: Collecting data about TCP traffic is now easier.

Resource Owner Password Credentials Flow to Authenticate Users with Azure Active Directory

The Resource Owner Password Credentials (ROPC) flow allows Cisco ISE to carry out authorization and authentication in a network with cloud-based identity providers. This is a controlled introduction feature. We recommend that you thoroughly test this feature in a test environment before using it in a production environment.

Business Outcome: The ROPC flow allows Cisco ISE to authorize and authenticate Azure Active Directory users.

Interactive Help

Interactive Help provides tips and step-by-step guidance to complete tasks with ease.

Business Outcome: This helps the end users to easily understand the work flow and complete their tasks with ease.

Advantage License

The following features require the Cisco ISE Advantage License.

New pxGrid Pages

The new pxGrid interface has new pages that separate pxGrid v1 and pxGrid v2. There is also a new Summary window with session and client information.

Business Outcome: Improves workflow when managing pxGrid sessions.


Note

pxGrid 1.0, which uses the legacy Extensible Messaging and Presence Protocol (XMPP), is in maintenance mode and will be deprecated soon. We introduced pxGrid 2.0 in Cisco ISE, Release 2.4. pxGrid 2.0 uses the REST and WebSocket protocols, which provide a simple and standardized application-to-application communications interface. We encourage partners to switch their pxGrid client implementations to these new protocols.

For more information about why we recommend a switch to pxGrid 2.0, see Welcome to Learning Cisco Platform Exchange Grid (pxGrid).


Configuration of Baseline Policies from Desktop Device Manager

When you upgrade to Cisco ISE Release 3.0, we recommend that you do not use root patches to select configuration baseline policies from the connected Desktop Device Manager servers.

You can also verify Windows endpoints with Device Identifiers instead of MAC addresses for greater accuracy, when dongles, docking stations, or MAC address randomization techniques are in use.

Business Outcome: You can check for endpoint compliance using configuration baseline policies created in Desktop Device Manager servers. Use device identifiers instead of MAC addresses for greater accuracy in endpoint identification.

Cisco ISE ACI-SDA Integration with VN Awareness

Cisco ISE Release 3.0 provides enhanced conversion of information exchange and cross-domain automation for a Cisco Software Defined Access (SDA) fabric in combination with Cisco ACI infrastructure. This implementation supports the exchange and translation of EPG and SGT information, extension of SDA Virtual Networks (VNs) into the Cisco ACI fabric, SDA and ACI fabric data plane automation, along with the exchange of IP-SGT bindings and sending the bindings to pxGrid and SXP domains.

Business Outcome: Better security and traffic management.

Minimum Version of Antivirus and Antimalware

From Cisco ISE Release 3.0 onwards, you can create a posture policy to set a minimum version of antivirus and antimalware for the endpoints in your network. This policy ensures that the endpoints comply with the minimum version of antivirus and antimalware of your network policy. It also automatically updates the condition with new versions of antivirus and antimalware, thus reducing the manual effort required to revise the condition.

Business Outcome: Enhanced security because the endpoints comply with the network policy.

Posture Session Sharing

Posture status is shared between PSNs. The status is not configurable; it is always on.

Business Outcome: Client connections do not need to rerun posture, when switching to a different PSN.

Agentless Posture

This new posture type delivers an agent to the client through SSH, and optionally removes the client when posture is complete. AnyConnect is not required.

Business Outcome: Lower footprint, and temporary posture agent is not visible to the customer.

Multi-DNAC Support

Cisco DNA Center systems scale to a range of 25 to 100 thousand endpoints, whereas Cisco ISE can scale to two million endpoints. Currently, you can only integrate one Cisco DNA Center system with one Cisco ISE system. Large Cisco ISE deployments can benefit by integrating multiple Cisco DNA Center clusters with a single Cisco ISE. Cisco now supports multiple Cisco DNA Center clusters per Cisco ISE deployment, also known as Multi-DNAC.

Business Outcome: This feature for the Access Control app in Cisco DNA Center allows you to integrate up to four Cisco DNA Center clusters with a single Cisco ISE system.

Premier License

The following features require the Cisco ISE Premier License.

Endpoint Scripts Wizard

The Endpoint Scripts Wizard allows you to run scripts on connected endpoints to carry out administrative tasks that comply with your organization’s requirements. This includes tasks such as uninstalling obsolete software, starting or terminating processes or applications, and enabling or disabling specific services.

Business Outcome: Easily carry out administrative tasks on connected endpoints to comply with your organization’s requirements.

System Requirements

For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.

For more details on hardware platforms for and installation of this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.

Supported Hardware

Cisco ISE, Release 3.0, can be installed and run on the following platforms.

Table 1. Supported Platforms

Hardware Platform | Configuration
Cisco SNS-3515-K9 (small) | For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide.
Cisco SNS-3595-K9 (large) | See the Cisco Secure Network Server Appliance Hardware Installation Guide.
Cisco SNS-3615-K9 (small) | See the Cisco Secure Network Server Appliance Hardware Installation Guide.
Cisco SNS-3655-K9 (medium) | See the Cisco Secure Network Server Appliance Hardware Installation Guide.
Cisco SNS-3695-K9 (large) | See the Cisco Secure Network Server Appliance Hardware Installation Guide.
Cisco ISE-VM-K9 (VMware, Linux KVM, Microsoft Hyper-V) | VMware ESXi 5.x, 6.x, 7.x

After installation, you can configure Cisco ISE with specific component personas such as Administration, Monitoring, and pxGrid on the platforms that are listed in the above table. In addition to these personas, Cisco ISE contains other types of personas within Policy Service, such as Profiling Service, Session Services, Threat-Centric NAC Service, SXP Service for TrustSec, TACACS+ Device Admin Service, and Passive Identity Service.


Caution

  • Cisco Secure Network Server (SNS) 3400 Series appliances are not supported in Cisco ISE, Release 2.4, and later.

  • Memory allocation of less than 16 GB is not supported for VM appliance configurations. In the event of a Cisco ISE behavior issue, all the users will be required to change the allocated memory to at least 16 GB before opening a case with the Cisco Technical Assistance Center.

  • Legacy Access Control Server (ACS) and Network Access Control (NAC) appliances (including the Cisco ISE 3300 Series) are not supported in Cisco ISE, Release 2.0, and later.


Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

  • VMware ESXi 5.x, 6.x, 7.x

    • Cisco ISE has been validated with Cisco HyperFlex HX-Series with VMware ESXi 6.5.

    • A virtual machine can be hosted on the software-defined data center (SDDC) provided by VMware Cloud. The process for installing Cisco ISE on VMware Cloud is exactly the same as that for installing Cisco ISE on VMware virtual machine. Ensure that the security group policies are configured on VMware Cloud (under Networking & Security > Security > Gateway Firewall) to enable access to the on-premises deployment.

  • Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later

  • KVM on QEMU 1.5.3-160

Federal Information Processing Standard Mode Support

Cisco ISE uses an embedded Federal Information Processing Standard (FIPS) 140-2-validated cryptographic module, Cisco FIPS Object Module Version 6.2 (Certificate #2984). For details about the FIPS compliance claims, see Global Government Certifications.

When FIPS mode is enabled on Cisco ISE, consider the following:

  • All non-FIPS-compliant cipher suites will be disabled.

  • Certificates and private keys must use only FIPS-compliant hash and encryption algorithms.

  • RSA private keys must be of 2048 bits or greater.

  • Elliptic Curve Digital Signature Algorithm (ECDSA) private keys must be of 224 bits or greater.

  • Diffie–Hellman Ephemeral (DHE) ciphers work with Diffie–Hellman (DH) parameters of 2048 bits or greater.

  • SHA1 is not allowed to generate ISE local server certificates.

  • The anonymous PAC provisioning option in EAP-FAST is disabled.

  • The local SSH server operates in FIPS mode.

  • The following protocols are not supported in FIPS mode for RADIUS:

    • EAP-MD5

    • PAP

    • CHAP

    • MS-CHAPv1

    • MS-CHAPv2

    • LEAP
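As an added example (not from these release notes or from Cisco), the POSIX shell function below audits a PEM certificate against the FIPS-mode key-size and signature-hash constraints listed above, so that a server or CA certificate can be checked before FIPS mode is turned on. It assumes the openssl CLI is installed and that the certificate key is RSA or EC.

```shell
#!/bin/sh
# Added example, not part of the Cisco ISE release notes: audit a PEM certificate
# against the FIPS-mode constraints listed in the release notes (RSA keys of
# 2048 bits or more, ECDSA keys of 224 bits or more, no SHA-1 signature hash).
# Assumes the openssl CLI is installed and on the PATH.

# fips_cert_check CERT.pem
# Prints one line per violation; returns 0 if the certificate passes,
# 1 if it fails a constraint, and 2 if the file cannot be parsed.
fips_cert_check() {
    cert="$1"
    rc=0

    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "ERROR: cannot parse certificate $cert"
        return 2
    }

    # openssl prints lines such as "Public Key Algorithm: rsaEncryption",
    # "Public-Key: (2048 bit)" and "Signature Algorithm: sha256WithRSAEncryption".
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *//p' | head -n 1 | tr 'A-Z' 'a-z')

    # Key-size rules from the FIPS-mode list above.
    case "$alg" in
        rsaEncryption)
            [ "${bits:-0}" -ge 2048 ] ||
                { echo "FAIL: RSA key is ${bits:-?} bits; FIPS mode requires 2048 or more"; rc=1; }
            ;;
        id-ecPublicKey)
            [ "${bits:-0}" -ge 224 ] ||
                { echo "FAIL: ECDSA key is ${bits:-?} bits; FIPS mode requires 224 or more"; rc=1; }
            ;;
        *)
            echo "FAIL: key algorithm '$alg' is neither RSA nor ECDSA"
            rc=1
            ;;
    esac

    # Hash rule: SHA-1 (and the even older MD5) must not sign a FIPS-mode certificate.
    case "$sig" in
        *sha1*|*md5*)
            echo "FAIL: signature algorithm '$sig' uses a hash that FIPS mode does not allow"
            rc=1
            ;;
    esac

    [ "$rc" -eq 0 ] && echo "PASS: $cert satisfies the FIPS-mode key and hash constraints"
    return "$rc"
}

# Usage: fips_cert_check /path/to/ise-server-cert.pem
```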

Supported Browsers

The supported browsers for the Admin portal include:

  • Mozilla Firefox 80 and earlier versions

  • Mozilla Firefox ESR 60.9 and earlier versions

  • Google Chrome 85 and earlier versions

  • Microsoft Internet Explorer 11.x

Validated External Identity Sources

Table 2. Validated External Identity Sources

External Identity Source | OS/Version
Active Directory [1] [2] | Microsoft Windows Active Directory 2012
 | Microsoft Windows Active Directory 2012 R2 [3]
 | Microsoft Windows Active Directory 2016
 | Microsoft Windows Active Directory 2019 [4]
LDAP Servers | SunONE LDAP Directory Server, Version 5.2
 | OpenLDAP Directory Server, Version 2.4.23
 | Any LDAP v3 compliant server
Token Servers | RSA ACE/Server, 6.x series
 | RSA Authentication Manager, 7.x and 8.x series
 | Any RADIUS RFC 2865-compliant token server
Security Assertion Markup Language (SAML) Single Sign-On (SSO) | Microsoft Azure
 | Oracle Access Manager (OAM), Version 11.1.2.2.0
 | Oracle Identity Federation (OIF), Version 11.1.1.2.0
 | PingFederate Server, Version 6.10.0.4
 | PingOne Cloud
 | Secure Auth, 8.1.1
 | Any SAMLv2-compliant Identity Provider
Open Database Connectivity (ODBC) Identity Source | Microsoft SQL Server 2012
 | Oracle Enterprise Edition Release 12.1.0.2.0
 | PostgreSQL 9.0
 | Sybase 16.0
 | MySQL 6.3
Social Login (for Guest User Accounts) | Facebook

1. Cisco ISE OCSP functionality is available only on Microsoft Windows Active Directory 2008 and later.

2. You can only add up to 200 Domain Controllers on ISE. On exceeding the limit, you will receive the following error:

   Error creating <DC FQDN> - Number of DCs Exceeds allowed maximum of 200

3. Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2; however, the new features in Microsoft Windows Active Directory 2012 R2, such as Protective User Groups, are not supported.

4. Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2019, from Cisco ISE Release 2.6.0.156 Patch 4 and above.

See the Cisco Identity Services Engine Administrator Guide for more information.

Supported Antivirus and Antimalware Products

For more information on the antivirus and antimalware products supported by the ISE posture agent, see the Cisco AnyConnect ISE Posture Support Charts in the Cisco Identity Services Engine Compatibility Guide.

Validated OpenSSL Version

Cisco ISE is validated with OpenSSL 1.0.2.x (CiscoSSL 6.0).

Known Limitations and Workarounds

LDAP Server Reconfiguration after Upgrade

Limitation

The primary Hostname or IP is not updated, which causes authentication failures. This is because the deployment IDs tend to reset while upgrading the Cisco ISE deployment.

Condition

This occurs when you have enabled the Specify server for each ISE node option in the Connection window and then upgrade a Cisco ISE deployment that has PSNs; the deployment IDs tend to reset. To view this window, click the Menu icon and choose Administration > Identity Management > External Identity Sources > LDAP > Add, or choose an existing server.

Workaround

Reconfigure the LDAP Server settings for each node. For more information, see LDAP Identity Source Settings section in the Administrative Access to Cisco ISE Using an External Identity Store chapter in the "Cisco Identity Services Engine Administrator Guide, Release 2.4".

Online Help in Japanese

If you have configured your localization settings to enable Japanese in your Cisco ISE, note that the Online Help does not include information on new features introduced in this release. See Cisco ISE Administration Guide, Release 3.0 for information on these features.

Upgrade Information


Note

If you have installed a hot patch, roll back the hot patch before applying an upgrade patch.


Upgrading to Release 3.0

You can directly upgrade to Release 3.0 from the following Cisco ISE releases:

  • 2.4

  • 2.6

  • 2.7

If you are on a version earlier than Cisco ISE, Release 2.4, you must first upgrade to one of the releases listed above, and then upgrade to Release 3.0.


Note

We recommend that you upgrade to the latest patch in the existing version before starting the upgrade.


License Changes

The licenses that are used for Cisco ISE Releases 2.x, such as Base, Plus, and Apex, have been replaced with new license types. Cisco ISE Release 3.0 uses Essentials, Advantage, and Premier licenses. See the Chapter “Licensing” in the Cisco Identity Services Engine Administrator Guide.

You must convert your existing smart or traditional licenses to the new license type through the Cisco Smart Software Manager (CSSM), to enable license consumption in Cisco ISE Release 3.0.

Upgrade Procedure Prerequisites

  • Run the Upgrade Readiness Tool (URT) before an ISE software upgrade in order to check if the configured data can be upgraded to the required ISE version. Most upgrade failures occur because of data upgrade issues. The URT is designed to validate the data before the actual upgrade, and reports and tries to fix the issues, wherever possible. The URT can be downloaded from the Cisco ISE Download Software Center.

  • We recommend that you install all the relevant patches before beginning the upgrade.

For more information, see the Cisco Identity Services Engine Upgrade Guide.

Telemetry

After installation, when you log in to the Admin portal for the first time, the Cisco ISE Telemetry banner is displayed. Using this feature, Cisco ISE securely collects nonsensitive information about your deployment, network access devices, profiler, and other services that you are using. This data is used to provide better services and more features in the forthcoming releases. By default, telemetry is enabled. To disable or modify the account information, in the Cisco ISE GUI, click the Menu icon and choose Administration > Settings > Network Settings Diagnostics > Telemetry. The account is unique to each deployment. Each admin user need not provide it separately.

Telemetry provides valuable information about the status and capabilities of Cisco ISE. Telemetry is used by Cisco to improve appliance lifecycle management for IT teams who have deployed Cisco ISE. Collecting this data helps the product teams serve customers better. This data and related insights enable Cisco to proactively identify potential issues, improve services and support, facilitate discussions to gather additional value from new and existing features, and assist IT teams with an inventory report of license entitlement and upcoming renewals.

It may take up to 24 hours after the feature is disabled for Cisco ISE to stop sharing telemetry data.

Types of data collected include Product Usage Telemetry and Cisco Support Diagnostics.

Cisco ISE Integration with Cisco Digital Network Architecture Center

Cisco ISE can integrate with Cisco DNA Center. For information about configuring Cisco ISE to work with Cisco DNA Center, see the Cisco DNA Center documentation.

For information about Cisco ISE compatibility with Cisco DNA Center, see Cisco SD-Access Compatibility Matrix.

Cisco AI Endpoint Analytics

Cisco AI Endpoint Analytics is a solution on Cisco DNA Center that improves endpoint profiling fidelity. It provides fine-grained endpoint identification and assigns labels to various endpoints. Information gathered through deep packet inspection, and probes from sources like Cisco ISE, Cisco SD-AVC, and network devices, is analyzed for endpoint profiling.

Cisco AI Endpoint Analytics also uses artificial intelligence and machine learning capabilities to intuitively group endpoints with similar attributes. IT administrators can review such groups and assign labels to them. These endpoint labels are then available in Cisco ISE if your Cisco ISE account is connected to an on-premises Cisco DNA Center.

These endpoint labels from Cisco AI Endpoint Analytics can be used by Cisco ISE administrators to create custom authorization policies. You can provide the right set of access privileges to endpoints or endpoint groups through such authorization policies.

Download and Install a New Patch

To obtain the patch file that is necessary to apply a patch to Cisco ISE, log in to the Cisco Download Software site at https://software.cisco.com/download/home (you will be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

For instructions on how to apply the patch to your system, see the "Install a Software Patch" section in the Cisco Identity Services Engine Administrator Guide.

For instructions on how to install a patch using CLI, see the "Patch Install" section in the Cisco Identity Services Engine CLI Reference Guide.


Note

When installing Release 2.4 Patch 4 and later, CLI services will be temporarily unavailable during kernel upgrade. If the CLI is accessed during this time, the CLI displays the Stub Library could not be opened error message. However, after patch installation is complete, CLI services will be available again.


Caveats

The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, use the Cisco Bug Search Tool (BST). The bug IDs are sorted alphanumerically.


Note

The Open Caveats section lists the open caveats that apply to the current release and might apply to releases earlier than Cisco ISE 3.0. A caveat that is open for an earlier release and is still unresolved applies to all future releases until it is resolved.


The BST, which is the online successor to the Bug Toolkit, is designed to improve effectiveness of network risk management and device troubleshooting. You can search for bugs based on product, release, or keyword, and aggregate key data such as bug details, product, and version. For more details on the tool, see the Help page located at http://www.cisco.com/web/applicat/cbsshelp/help.html.

Resolved Caveats in Cisco ISE Release 3.0

Caveat ID Number

Description

CSCuo02920

ISE not returning configured Radius AVP 18 in access-reject

CSCuz02795

GET-BY-ID Not Implemented exception when home page is refreshed

CSCva44035

ISE shows IP Addr. instead MAC Addr. for VPN users in live auth sometime

CSCvb55884

ISE RBAC Network Device Type/Location View not working

CSCvd38796

No AD domain attributes retrieved for RA-VPN/CWA if AD used for both authC and authZ

CSCve89689

MNT API does not support special charactor

CSCvf30470

MAC OX fails after upgrade to 3.6.11362.2 compliance module

CSCvg50777

nas-update=true accounting attribute will cause session to not be deleted.

CSCvh77224

ENH // Smart License registration using HTTPS Proxy fails

CSCvi35647

Posture session state need to be shared across PSNs in multi-node deployment

CSCvi62805

CSCvi62805 ISE ODBC does not convert the mac address as per configured stored procedure

CSCvj47301

ISE sends CoA to active-compliant sessions when a node-group member is unreachable

CSCvj59836

Typo in Onboard Portal For IOS Devices

CSCvj77817

2.3P4, 2.4P3 upgrade is failing during OS upgrade

CSCvk04307

ISE Guest/BYOD Portal Retry Redirects to 1.1.1.1

CSCvk50684

RADIUS DTLS and Portal usage not being assigned to new self-signed certificate on hostname change

CSCvn02461

Include profiler update for Cisco IP phones - 8832,7832

CSCvn12644

ISE Crashes during policy evaluation for AD attributes

CSCvn48096

Selecting checkbox All endpoints across pages on context visibility doesn't work

CSCvn73740

EAP-TLS authentications with Endpoint profile set to not unknown fails in second authorization.

CSCvn99149

Request cache controll set to private, no-cache and no-store

CSCvo15770

address shows as HTML code in context visibility

CSCvo22887

ISE 2.4 URT does not check is node is on a supported appliance

CSCvo28970

AnyConnect displays Cisco NAC agent error when using Cisco temporal agent

CSCvo84056

Enable or disable "Username/password" in Self-Reg Success Page doesn't hold in Page customization

CSCvo87602

Memory leak on ISE node with the openldap rpm running version 2.4.44

CSCvp42493

Guest ERS API "SearchResult" total is inconsistent with other APIs

CSCvp59038

ISE Secondary PAN node sending RST to other ISE node with src ip address 169.254.2.2

CSCvp61452

[ENH] Remove archives during patch installation phase

CSCvp85813

ISE TACACS livelogs does not have the option to filter using specific NAS ip address.

CSCvp88443

ISE CoA is not sent even though new Logical Profile is used under Authz Policy Exceptions

CSCvp93322

Significant memory increase in MNT during Longevity test

CSCvq12204

ISE 2.4 SNMPv3 user added with wrong hash after reload causing SNMPv3 authentication failure.

CSCvq13431

ISE PSN node crashing while fetching context attributes during posture plus RADIUS flow

CSCvq43600

Disabled PSN persona but TACACS port 49 still open.

CSCvq48396

Replication failed alarm generated and ORA-00001 exceptions seen on ise-psc.log

CSCvq61089

My Device Portal does not show a device after BYOD on-boarding with SAML authentication

CSCvq70247

Preview of of the self registration guest portal does not display "Registration Code" label

CSCvq88821

SNMP traps on access switch connected to APs causes incorrect profiling.

CSCvq90601

EAP Chaining: Dynamic Attribute value is unavailable

CSCvr07294

Radius Authentication and Radius Account Report performance is slow

CSCvr22373

ENH: Support native event log API's, EVT API for the passive ID functionality

CSCvr39943

Blank Course of Action for Threat events received from CTA cloud to TC-NAC adapter

CSCvr40545

EAP-FAST authentication failed with no shared cipher in case of private key encryption failed.

CSCvr40574

Export failed in ISE gui in case of private key encryption failed no ERROR msg in ISE GUI

CSCvr44495

pxGrid not publishing MnT events

CSCvr48726

[enh] Increase Range of Time Interval For Compliance Device ReAuth Query for SCCM

CSCvr68432

2.4P10 Endpoint added via REST has visible policy assignment only in "edit" mode

CSCvr68971

ISE IP routing precedence issue

CSCvr70044

" No policy server detect" on ISE posture module during high load .

CSCvr81384

Failing Network Devices CSV import, process silently aborting without reason

CSCvr83696

ISE: prefers cached AD OU over new OU after changing the Account OU

CSCvr84143

tzdata needs to be updated in ISE guest OS

CSCvr85363

ISE App crash due to user API

CSCvr87373

ACI mappings are not published to SXP pxGrid topic

CSCvr95948

ISE fails to re-establish External syslog connection after break in connectivity

CSCvr96003

SYSAUX tablespace is getting filled up with AWR and OPSSTAT data

CSCvs03810

ISE doesn't display the correct user in RADIUS reports if the user was entered differently twice

CSCvs04433

ISE : TACACS : PSN crashes for TACACS+

CSCvs05260

App server and EST services crash/restart at 1 every morning

CSCvs07344

ISE: Reset config on 2.4 patch 9 throws some errors despite finishing successfully.

CSCvs09981

Add the capability to filter out failed COA due to MAR cache checks among group nodes in ISE

CSCvs19481

Cisco Identity Services Engine Cross-Site Scripting Vulnerability

CSCvs23628

Policy engine continues to evaluate all Policy Sets even after rule is matched

CSCvs25258

Improve behavior against brute force password attacks

CSCvs25569

Invalid root CA certificate accepted

CSCvs36036

ISE 2.6 should allow multiple blank lines in dACL syntax, even if user chooses IPv4 (or) IPv6.

CSCvs36150

ISE 2.x Network Device stuck loading

CSCvs36758

Unable to configure CRL URL with 2 parenthesis at ISE 2.6

CSCvs38883

Trustsec matrix pushing stale data

CSCvs39633

NAD group CSV imports should allow all supported characters in description field.

CSCvs39880

High load on MnT nodes with Xms value

CSCvs40406

SEC_ERROR_BAD_DATABASE seen in system/app debug logs while removing a trusted CA cert

CSCvs41571

Self Registered Guest portal unable to save guest type settings

CSCvs42072

Unable to edit static group assignment

CSCvs42441

Service account passwords are returned from the server in the SMS and LDAP pages

CSCvs42758

The CRL is expired under a specific condition

CSCvs44006

Cisco Identity Services Engine Cross-Site Scripting Vulnerability

CSCvs44795

ISE not updating SGTs correctly

CSCvs46274

RADIUS Accounting report does not work; no accounting records are shown

CSCvs46399

AuthZ profile advanced profile for url-redirect does not allow custom HTTPS destination

CSCvs46853

ISE 2.6 CA Certificate with the same CN removed from Trusted Store while integrating with DNA-C

CSCvs46998

Condition disappeared from the library but is still in DB

CSCvs47941

Failure to import internal CA and key on ISE 2.6

CSCvs50437

ISE versions use old JDBC version (11.2.0.3) which is not compatible with new Oracle Database

CSCvs51296

ISE allows a space to be inserted before a command under Command Sets

CSCvs51519

NFS mounting causes crash

CSCvs51537

Backups are not triggered when the encryption key contains special characters

CSCvs52031

MACAddress API is not working (API/mnt/Session/MACAddress)

CSCvs53606

ISE 2.4: Administrator Login Report, Auth failed when using cert based admin auth

CSCvs55464

Creating a new user in the sponsor portal shows "invalid input"

CSCvs55594

Days to Expiry value, marked as 0 for random authentications

CSCvs56617

In the captive portal, a user can trigger the sending of emails at will

CSCvs58106

NAD CSV imports should allow all supported characters in the TrustSecDeviceID

CSCvs60518

ISE Admin User Unable To Change The Group For Internal Users

CSCvs62081

collector log filled with repeated pxGrid and DNAC messages

CSCvs62586

Tacacsprofile not retrieved properly using REST API

CSCvs62597

Authz Profiles not pulling properly using REST API (Pagination is missing)

CSCvs65467

Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability

CSCvs65989

After importing network device / groups, unable to add new Location

CSCvs67042

ISE 2.2+ affected by a memory leak: 1-2% daily increase in native memory due to Inflater()

CSCvs68914

ISE errors when Security Group is created with an underscore via ERS API

CSCvs69726

ISE 2.2+ affected by a memory leak: 1-2% daily increase in native memory due to PORT_Alloc_Util()

CSCvs70997

ISE: 2.4p9 Intermediate CA cert not installed when configuring SCEP RA

CSCvs75068

Cannot add registry key value condition containing % or < as it throws an error

CSCvs75274

Unable to do portal customization for "certificate provisioning portal"

CSCvs76257

ISE crashes due to empty string instead of username in RadiusProxyFlow::stripUserName()

CSCvs77182

ISE: Unable to use attribute "url-redirect" with HTTPS, same URL with HTTP works fine.

CSCvs78160

URT fails on a ConditionsData clause from INetworkAuthZCheck

CSCvs79836

Expired Certificates not listed for deletion

CSCvs82557

SXP Bindings are not published to pxGrid 2.0 clients

CSCvs83303

API does not retrieve the data when interim updates are not stored in the DB

CSCvs85970

Having string 'TACACS' in AD join-point causes AD joinpoint to not show in AuthZ condition

CSCvs86344

ISE 2.4 Guest ERS Call Get-By-Name fails when guest username contains @ sign (guest@example.com)

CSCvs86775

ISE 2.6 install: input validation does not check the IP domain name

CSCvs88368

ISE SNMP server crashes when using Hash Password.

CSCvs89440

CEPM schema stats not collected/scheduled for PAN only node

CSCvs89683

RabbitMQ user password printed in plain text in ADE-OS log, should be masked or removed

CSCvs91026

Docker image ise-rabbitmq could not be successfully loaded post config reset

CSCvs91408

LONG: Significant memory increase in PMNT node during longevity test

CSCvs91808

Importing metadata xml file with special characters results in unsupported tags error

CSCvs96516

Multiple Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities

CSCvs96541

TACACS authentication/accounting reports are not visible after restoring an operational backup

CSCvs96544

Importing an Endpoint CSV file into Context Visibility on 2.4 patch 9 does not retain the 'description' field

CSCvs96560

ISE ERS API lookup slow when large number of endpoints exist

CSCvs97302

.dmp files not deleted from /opt/oracle/base/admin/cpm10/dpdump even after the reset-config on ISE

CSCvs98094

File Remediation check fails when tested with an ISE 2.7 server

CSCvt00283

404 error upon refresh of success page of guest sponsored portal

CSCvt00780

Unable to localize the OS detection message in the BYOD welcome page

CSCvt01161

NMAP McAfeeEPOOrchestratorClient scan fails to execute on ISE 2.6

CSCvt03094

ISE expired TACACS sessions are not cleared in a timely manner from session cache

CSCvt03292

Certificate revocation and CPP not functioning without an Apex license

CSCvt03935

Change the "View" options wording in the ISE TrustSec Policy Matrix

CSCvt04047

POST getBackupRestoreStatus occurs on every ISE page after navigating to the Backup/Restore menu

CSCvt04144

No threshold option for High disk Utilization in Alarm Settings

CSCvt05201

Posture with tunnel group policy evaluation consumes Java memory

CSCvt07230

ISE should not allow ANY in egress policy on import

CSCvt08143

Time difference in ISE 2.6

CSCvt09164

ISE 2.2 P16: an already-extended guest account cannot be extended again

CSCvt09434

Add proper logging and reporting to handle SCCM server timeout

CSCvt09458

ISE MDM integration - misleading COA type in the debugs

CSCvt10214

[ENH] Add the ability to "GET|PUT|DELETE by Name" using the API for network devices

CSCvt11130

show version command is not working for ISE non-admin CLI users

CSCvt11179

"AD-Operating-System" attribute is not being fetched when this OS attribute changes on the AD Server

CSCvt11366

Exporting Endpoints from CLI results in java exception

CSCvt11380

It is still possible to create SGTs within Policy Sets even though DNAC manages GBAC

CSCvt11664

ISE Feed Server fails via 'createLicenseSource' method "FlexlmListException: Error"

CSCvt12236

IP SGT static mapping import not working correctly with hostnames

CSCvt13707

pxGrid 2.0 WebSocket distributed upstream connect issue

CSCvt13719

pxGrid 2.0 WebSocket ping/pong too slow even on an idle standalone node

CSCvt13746

ISE doesn't display all device admin authz rules when there are more authz policies and exceptions

CSCvt14248

Certificate Authority Service initializing, EST Service not running after upgrade to ISE 2.6/2.7

CSCvt15256

Authentication goes to process fail when "Guest User" ID Store is used.

CSCvt15893

Preventive bug: RADIUS Errors/Misconfigured Supplicants tables do not exist after upgrade to ISE 2.6

CSCvt15935

High Load Alarms coinciding with System Summary Dashboard not populating for some nodes

CSCvt16882

Accessing the portal from an iPad using Apple CNA with the AUP as a link returns a 400 Bad Request error

CSCvt17283

GUI Slowness while enabling AVC

CSCvt17783

ISE shouldn't allow ANY SGT or value 65535 to be exposed over SGT import or export

CSCvt18613

AuthZ Conditions with AD Groups Not matched for TEAP - EAP-Chaining

CSCvt19657

ISE ERS API Endpoint update slow when large number of endpoints exist

CSCvt22900

"*Endpoint Consumption Count Updated :" not updated in Licensing

CSCvt24276

Cannot add or modify allowed values for more than 6 attributes in System Use dictionaries

CSCvt25610

ISE 2.7 compliance counter is 0

CSCvt26108

ISE 2.7 AnyConnect configuration's deferred updates do not get saved

CSCvt34876

ISE latency in responding to RADIUS and high CPU

CSCvt35044

Endpoint lookup takes too long, causing high latency in the guest flow

CSCvt35239

NullpointerException thrown in catalina.out during posture flow when clientMac is null

CSCvt36117

Identity group update for an internal user in ISE via ERS

CSCvt36322

ISE 2.6 MDM flow fails if redirect value is present in the URL

CSCvt36452

Expired evaluation profiler license on ISE causes the default RADIUS probe to be enabled

CSCvt37910

[ENH] Add the ability to "GET|PUT|DELETE by Name" using the API for /ers/config/internaluser

CSCvt38308

ISE: If the minimum password length is increased, existing shorter passwords fail to log in via the GUI with no error

CSCvt40534

MNT node election process is not properly designed.

CSCvt42064

ISE wrongly reports posture session lookup calls as SSH login

CSCvt43844

ISE: runtime-aaa debugs do not print packet details in ASCII, breaking Endpoint debugs

CSCvt46584

Backups fail due to a disk space issue because the ENDPOINTS_REJECT_RELEASE table is not purged

CSCvt46850

Unable to edit saved compound conditions using the conditions library

CSCvt49961

Syslog Target configured with FQDN can cause Network Outage

CSCvt53541

SMS over HTTPS is not sending username/password to gateway

CSCvt55300

"Current IP address" is displayed in Context Visibility even though the IP attribute in Redis has been removed

CSCvt55312

ISE BYOD with Apple CNA fails with 9800

CSCvt57274

Authentication summary report for yesterday and today not showing data

CSCvt57571

App server crashes if the IP access list is submitted without any entries

CSCvt57805

Intermittent password rule error for REST API Update Operation

CSCvt61181

ISE ERS API - GET calls on network devices is slow while processing SNMP configuration

CSCvt63793

Posture non-redirection flow fails with "No policy server detected" when LSD is disabled

CSCvt65332

A description spanning two lines (that is, <Enter> was used) under Client Provisioning resources throws an error

CSCvt65719

Misleading NullPointerException after a manual sync is performed

CSCvt65853

ISE 2.x: MnT REST API for ReAuth fails when used in a distributed deployment

CSCvt67595

Live Logs are not shown for failed user authentications

CSCvt69912

ISE still generates false positive alarm "Alarms: Patch Failure"

CSCvt70689

Application server may crash when MAR cache replication is enabled

CSCvt71355

pxGrid unable to delete user in INIT state

CSCvt71559

Alarm Dashlet shows 'No Data Found'.

CSCvt73953

Mismatched Information between CLI export and Context Visibility

CSCvt76509

ISE Backup file transfer logs show Success although there is no space in the SFTP Repository

CSCvt80285

Cannot select 45 or more products when creating Anti-Malware Condition for definition

CSCvt81194

CPU spikes are being observed at policy HitCountCollector

CSCvt82384

Rotation of diagnostics.log is not working on ISE

CSCvt85722

No debug log for non-working MnT widgets

CSCvt85757

Sponsor portal displays '?' for non-English characters

CSCvt85836

Session cache getting filled with incomplete sessions

CSCvt87409

ISE DACL Syntax check not detecting IPv4 format errors

CSCvt89098

ISE does not reattempt wildcard replication for failed nodes

CSCvt91871

ISE RADIUS Accounting Report details shows "No data found" under Accounting Details

CSCvt93117

ise-psc.log filled up with "check TTConnection is valid" causing relevant logs to roll over

CSCvt93603

ISE 2.6p6 Unable to delete custom endpoint attribute

CSCvt96594

ISE 2.6 : Create Guest User using external sponsor users via ERS fails with 401 Unauthorized Error

CSCvu04874

Suspected memory leak in io.netty.buffer.PoolChunk

CSCvu05164

ISE does not allow RADIUS to be disabled on a NAD via API

CSCvu10009

Mandatory values when using Update-By-Name method with Internal Users

CSCvu15948

TC-NAC adapter stopped scanning with Nexpose (InsightVM)

CSCvu16067

Changes in iptables in ISE 2.6 cause TCP delays and TACACS latency

CSCvu20359

Markup language error when using a file check condition with a dot (.) in the file name

CSCvu21093

ISE 2.6p6: Portal background displays incorrectly

CSCvu25625

ISE is returning an incorrect version for the rest API call from DNAC

CSCvu25975

Import option is not working under TACACS command sets

CSCvu28305

ISE logging timestamp shows future date

CSCvu29434

ISE2.6P6 services fail to initialize after reload on SNS 3655 PSN

CSCvu30286

ERS SGT create is not permitted after moving from Multiple matrix to Single matrix

CSCvu31176

2.4P11 VPN + Posture: Apex licenses are not being consumed

CSCvu31853

NDG added through ERS became associated with all network devices in DB

CSCvu32240

When running the ISE ERS API internaluser update, the existing identityGroups value is set to null

CSCvu32865

High cpu on ISE 2.7 causing authentication latency

CSCvu33416

License out of compliance alarm with a valid license

CSCvu33861

ISE 2.4 p6 - REST API MnT query to get device by MAC address taking more than 2 seconds

CSCvu34433

ISE 2.x: Free space in the UNDO tablespace is not cleared by the isehourlycron.sh cron script

CSCvu34895

Report repository export is not working with dedicated MnT enabled

CSCvu35802

Shared email for AD users fails to retrieve groups; ISE shows multiple accounts found in forest

CSCvu39653

Session API for MAC Address returning Char 0x0 out of allowed range

CSCvu41815

[CFD] GBAC sync breaks on deleting VN from SG if AuthZ profile is mapped to the same VN for diff SG

CSCvu42244

Machine Authentications via EAP-TLS fail during authorization flow citing a user not found error

CSCvu47395

ISE 2.x, 3.x: Drop_Cache required for systems with high memory issues

CSCvu48417

ISE ERS API DELETE device returns 500 error with more than 1 call

CSCvu49019

suspected Memory Leak in Elastic search

CSCvu49724

Devices configured with SNMP v2c on DNAC are not seen under Network Devices in ISE

CSCvu53022

ISE: prefers cached AD OU over new OU after changing the Account OU

CSCvu53836

ISE Authorize-Only requests are not assessed against Internal User Groups

CSCvu55332

REST API call can remove Network Device Group referenced in Policy Set

CSCvu55557

RADIUS shared secret 4-character minimum is not enforced when the REST API is used to create a NAD

CSCvu58476

Improve error messaging on My Device Portal when the identity store has issues

CSCvu58793

ERS REST API returns duplicate values multiple times when use filter by locations

CSCvu59093

SessionDB columns are missing from ISE (>=2.4)

CSCvu59491

ISE creates a new site in InsightVM (TC-NAC server)

CSCvu63642

Context Visibility fuses endpoint parameters on username update

CSCvu63833

Failed Logins to ISE GUI Are Not Seen in Audit Report When AD Is Selected as the Identity Source

CSCvu67707

CWE-937 Use of JavaScript Library with Known Vulnerability

CSCvu68700

ISE 2.6 p5: ERS API response to an XML or JSON request with invalid credentials is HTTP 401 with an unexpected HTML body

CSCvu70683

Alarm Suppression required for ERS queries along with suppression on iselocalstore.log

CSCvu70768

Alarms and system summary is not showing up on ISE GUI

CSCvu73387

Authentication failure with reason "12308 Client sent Result TLV indicating failure"

CSCvu74198

ISE: LDAP and ODBC identity store names do not allow hyphen

CSCvu83759

ISE deletes key pairs after changes are performed on the SFTP repository

CSCvu90107

ISE allows duplicate device IDs in the ERS flow in all versions

CSCvu90703

CLDAP thread hangs and runs indefinitely

CSCvu91016

InternalUser attributes in AuthZ policy cause TACACS+ ASCII authentication to fail

CSCvu91601

ISE Authentication Status API Call Duration does not work as expected

CSCvu94733

Guest authentication fails with "Account is not yet active" for incorrect password

CSCvv00377

Overlap of network devices using subnet and IP range

CSCvv07049

ISE unable to connect with ODBC "Connection failed" with a port number

CSCvv09167

TACACS Aggregate table is not purged properly.

CSCvv15811

ISE TCP ports 84xx are not opened if there is a shutdown interface with an IP address assigned

CSCvv23256

ISE Authentication Status API Call does not return all records for the specified time range

CSCvv26811

Policy Export Is Not Being Saved Without Encryption After It is Saved With Encryption

CSCvv44914

isedataupgrade.sh failed: ISE global data upgrade to 2.7/3.0 from ISE 2.6 P6 fails

Open Caveats in Cisco ISE Release 3.0

Caveat ID Number

Description

CSCvq75448

FMC subscription to ISE unavailable with large count of SGTs

CSCvr24059

Source SGT correlation doesn't work for FMC and FTD 6.5

CSCvv45728

A few labels in the ISE Admin GUI are not translated into Japanese

CSCvv54305

"Support TrustSec Verification reports" checkbox should not be enabled

CSCvv54754

Latest IE version: portal tiles overlap in the guest portal page on a DB-restored setup

CSCvv55971

IE GUI: progress bars and info icons overlap or are misaligned with module names in the health check page

CSCvv57822

Deadlock in pxGrid nodes due to TRACE-level debug

CSCvv58353

HTTPS serverlist config not persistent post upgrade from 2.7 P1 to ISE 3.0

CSCvt97146

[ISE 3.0] ISED crashes continuously in WSA

CSCvu78668

[ISE 3.0] ISE-WSA integration fails when no session is present

CSCvv66302

Domain does not get assigned to SXP peer

CSCvv67101

TAC Support Cases Redirection Issue

Communications, Services, and Additional Information

  • To receive timely and relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you are looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure and validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain information about general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.