Introduction to Cisco Identity Services Engine

Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, wireless controllers, Virtual Private Network (VPN) gateways, 5GaaS networks, and data center switches. Cisco ISE acts as the policy manager in the Cisco TrustSec solution and supports TrustSec software-defined segmentation.

Cisco ISE is available on secure network server appliances with different performance characterizations, and also as software that can be run on virtual machines (VMs). Note that you can add more appliances to a deployment for better performance.

Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services, where needed, in a network, but operate the Cisco ISE deployment as a complete and coordinated system.

For detailed Cisco ISE ordering and licensing information, see the Cisco Identity Services Engine Ordering Guide.

For information on monitoring and troubleshooting the system, see the "Monitoring and Troubleshooting Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.

What is New in Cisco ISE, Release 3.1?

This section lists the new and changed features in Cisco ISE 3.1.


Cisco ISE 3.1 OVA, ISO, and upgrade bundle files have been replaced on the Software Download site. For more information, see Cisco ISE 3.1 Files Replaced on Software Download Site.

Android Settings for Native Supplicant Profile

Android settings have been added to the native supplicant profile. You can select one of the following options for Certificate Enrollment Protocol:

  • Enrollment over Secure Transport (EST)

  • Simple Certificate Enrollment Protocol (SCEP)

If you choose the EST protocol, Cisco ISE will ask for additional password inputs from Android users while issuing certificates.

For more information, see "Native Supplicant Profile Settings" in the Chapter "Compliance" in the Cisco ISE Administrator Guide, Release 3.1.

Enhancements in Audit Logs

The following audit logs have been enhanced to include more details about relevant events:

  • Posture audit logs now include information regarding:

    • Creation and deletion of posture policies.

    • Changes made to existing posture policies, including changes to fields such as Conditions, Rule Name, and so on.

    • Addition, deletion, or modification in posture configurations such as Conditions, Remediation Actions, Requirements, and so on.

  • RBAC audit logs now include information regarding creation and deletion of existing menu access and data access content.

  • Network Access and Admin Users audit logs now include information regarding creation, editing, and deletion of Network Access and Admin Users.

Bidirectional Posture Flow

You can configure AnyConnect to probe Cisco ISE at specified intervals when the posture status is not compliant. This helps prevent a client from being stuck in pending state.

The bidirectional posture flow is supported for Windows, Linux, and MacOS clients.

For more information, see "Bidirectional Posture Flow" in the Chapter "Compliance" in the Cisco ISE Administrator Guide, Release 3.1.

Obtain Configuration Backup Using Cisco Support Diagnostics Connector

You can use Cisco Support Diagnostics Connector to trigger configuration backup and upload the backup files to the Cisco Support Diagnostics folder. After uploading the backup files to the Cisco Support Diagnostics folder, you can delete the backup files from the Cisco ISE local disk. To use this feature, you must enable smart licensing and Cisco Support Diagnostics in Cisco ISE.

For more information, see "Obtain Configuration Backup Using Cisco Support Diagnostics Connector" in the Chapter "Troubleshoot" in the Cisco ISE Administrator Guide, Release 3.1.

Configuration of Authorization Result Alarm

You can configure alarms based on the results of authorization policies. This allows you to monitor the impact of any networking, infrastructure, or application changes on endpoint authorizations. You can define the scope of your alarms by choosing specific Network Device Groups (NDGs). For each NDG you choose, a new Authorization Result alarm is created.

You can filter the authorization logs to be monitored for an alarm by choosing specific authorization profiles and Security Group Tags (SGTs). Only endpoints that have met authorization policy sets with the specified authorization profiles and SGTs are monitored by the alarm.

For more information, see "Configure Authorization Result Alarm" in the Chapter "Troubleshoot" in the Cisco ISE Administrator Guide, Release 3.1.

Configuration of Preferred Domain Controllers

You can specify the domain controllers that you want to use in case of domain failover. If a domain fails, Cisco ISE compares the priority scores of the domain controllers that are added to the preferred list and selects the one with the highest priority score. If that domain controller is offline or is not reachable because of an issue, the next one in the preferred list with the highest priority score is used. If all the domain controllers in the preferred list are down, a domain controller outside the list is selected based on the priority score. When the domain controller that was used before the failover is restored, Cisco ISE switches back to that domain controller.

For more information, see "Configure Preferred Domain Controllers" in the Chapter "Asset Visibility" in the Cisco ISE Administrator Guide, Release 3.1.

Context Visibility Enhancements

  • In the Export Endpoints dialog box, you can now check the Importable Only check box if you want to export only the attributes that can be imported to Cisco ISE without any modification to the CSV file. Using this option prevents the need to modify the columns or metadata in the exported CSV file before importing it to Cisco ISE.

  • While using the Quick Filter or Advanced Filter option, you can use the Export Filtered option to export only the filtered endpoints.

For more information, see "Export Endpoints Using CSV File" in the Chapter "Asset Visibility" in the Cisco ISE Administrator Guide, Release 3.1.

Full Upgrade and Split Upgrade Options Added to Cisco ISE GUI

In the Administration > System > Upgrade > Upgrade Selection window, you can choose one of the following options based on your requirements:

  • Full Upgrade: Full upgrade is a multistep process that enables a complete upgrade of your Cisco ISE deployment sequentially. This upgrades all the nodes in parallel and in less time than the split upgrade process. Because all the nodes are upgraded in parallel, services will be down during the upgrade process.

  • Split Upgrade: Split upgrade is a multistep process that enables the upgrade of your Cisco ISE deployment while allowing services to remain available during the upgrade process for users. With the split upgrade option, you will be able to choose the nodes to be upgraded.

For more information, see "Upgrade a Cisco ISE Deployment from the GUI" in the Chapter "Upgrade Method" in Cisco Identity Services Engine Upgrade Journey, Release 3.1.

Cisco ISE on Amazon Web Services

You can launch a Cisco ISE instance on the Amazon Web Services (AWS) platform using a Cloud Formation Template (CFT) or an Amazon Machine Image (AMI).

For more information, see the Chapter "Install Cisco ISE with Amazon Web Services" in Cisco ISE Installation Guide, Release 3.1.

Virtual Appliance Licenses

Cisco ISE Release 3.1 and later supports the ISE VM license, which replaces the VM Small, VM Medium, and VM Large licenses that were supported in releases prior to Release 3.1. The new ISE VM license covers the Cisco ISE VM nodes in both on-premises and cloud deployments.

For more information, see "Cisco ISE Licenses" in the Chapter "Licensing" in the Cisco ISE Administrator Guide, Release 3.1.

Download or Upload Files from Local Disk

You can easily add, download, or delete the files that are used for local disk management.

For more information, see "Download and Upload Files from Local Disk" in the Chapter "Maintain and Monitor" in the Cisco ISE Administrator Guide, Release 3.1.

MacOS Versions in Posture Policy Configurations

In Cisco ISE 3.0 and earlier, you could configure posture policies and requirements with minor MacOS versions such as MacOS 11.1, MacOS 11.2, and so on. In Cisco ISE 3.1, you can only choose major MacOS versions such as MacOS 11 (All) to configure posture policies and requirements.

When you upgrade to Cisco ISE 3.1, any posture condition that includes a minor MacOS version is automatically updated to the corresponding major MacOS version. For example, a posture condition that was configured for MacOS 11.1 will be updated to MacOS 11 (All).

OpenAPI Service

OpenAPIs are REST APIs based on HTTPS operating over port 443. From Cisco ISE 3.1 onwards, newer APIs are available in the OpenAPI format. For more information on Cisco ISE OpenAPIs, see https://<ise-ip>/api/swagger-ui/index.html.

The following OpenAPIs have been introduced in Cisco ISE 3.1:

  • Repository Management

  • Configuration Data Backup and Restore

  • Certificate Management

  • Policy Management

    • RADIUS Policy

    • TACACS+ Policy

For more information, see "Enable API Service" in the Chapter "Basic Setup" in Cisco ISE Administrator Guide, Release 3.1.

Posture Support for Linux Operating System

Posture is a service in Cisco ISE that allows you to check the state of all the endpoints that are connecting to a network for compliance with corporate security policies. Cisco ISE 3.1 supports the following Linux operating system versions, in addition to Windows and Mac operating systems:

  • Ubuntu

    • 18.04

    • 20.04

  • Red Hat

    • 7.5

    • 7.9

    • 8.1

    • 8.2

    • 8.3

  • SUSE

    • 12.3

    • 12.4

    • 12.5

    • 15.0

    • 15.1

    • 15.2

The following posture conditions are supported for the Linux operating system:

  • File Condition

  • Application Condition

  • Antimalware Condition

  • Patch Management Condition

You can configure agent profiles for Linux clients. You can add client-provisioning resources for AnyConnect Linux clients.

For more information, see the Chapter "Compliance" in Cisco ISE Administrator Guide, Release 3.1.

ERS Service Auto Enabled on VMware Cloud Environment

The External RESTful Services (ERS) API service is enabled by default when the Amazon Machine Image (AMI) version of Cisco ISE is deployed on a VMware Cloud environment. This helps in easy integration of Cisco ISE with other Cisco products and third-party applications, without the need to enable the ERS service from the Cisco ISE GUI.

For more information, see "Enable API Service" in the Chapter "Basic Setup" in the Cisco ISE Administrator Guide, Release 3.1.

pxGrid Client Auto Approval API

pxGrid can be used to share context-sensitive information from the Cisco ISE session directory with other network systems such as Cisco ISE ecosystem partner systems and other Cisco platforms. The pxGrid Client Auto Approval API can be used to:

  • Enable automatic approval of certificate-based connection requests from new pxGrid clients. Enable this option only when you trust all the clients in your environment.

  • Enable username or password-based authentication for the pxGrid clients. When this option is enabled, pxGrid clients cannot be automatically approved. A pxGrid client can register itself with the pxGrid controller by sending the username through a REST API. The pxGrid controller generates a password for the pxGrid client during client registration. An administrator can approve or deny the connection request.

For more information about the pxGrid Client Auto Approval API, see the "pxGrid Settings" section in the ERS SDK. You can access the ERS SDK with the following URL:



Only users with ERS Admin role can access the ERS SDK.

Configuration of Maximum Password Attempts for Active Directory Account

You can configure the badPwdCount attribute to prevent Active Directory account lockout due to too many bad password attempts. Before authenticating the user, Cisco ISE compares the maximum bad password attempts configured in Cisco ISE with the current value of the badPwdCount attribute on Active Directory. When the maximum bad password attempts configured in Cisco ISE is equal to the value of the badPwdCount attribute, the authentication is dropped and not sent to Active Directory.

For more information, see "Configure Maximum Password Attempts for AD Account" in the Chapter "Asset Visibility" in the Cisco ISE Administrator Guide, Release 3.1.

Handle Random and Changing MAC Addresses with Mobile Device Management Servers

As a privacy measure, mobile devices and some desktop operating systems increasingly use random and changing MAC addresses for each SSID that they connect to. In Cisco ISE, you can now work around this problem by configuring Cisco ISE to use a unique device identifier called GUID instead of MAC addresses. When an endpoint enrolls with a Mobile Device Management (MDM) server, the MDM server sends a certificate with a GUID value to the endpoint. The endpoint uses this certificate for authentication with Cisco ISE. Cisco ISE receives the GUID for the endpoint from the certificate. All communications between Cisco ISE and the MDM server now use the GUID to identify the endpoint, ensuring accuracy and consistency between the two systems.

For more information, see "Handle Random and Changing MAC Addresses With Mobile Device Management Servers" in the Chapter "Secure Wired Access" in Cisco ISE Administrator Guide, Release 3.1.

MAC Randomization for BYOD

Android and iOS devices increasingly use random and changing MAC addresses for each SSID that they connect to. Cisco ISE and MDM systems see different MAC addresses for the same device depending on which SSID they use to connect to the service. Therefore, a unique identifier is generated by the Cisco ISE Provisioning service to identify these endpoints.

For more information, see "MAC Randomization for BYOD" in the Chapter "Basic Setup" in Cisco ISE Administrator Guide, Release 3.1.

Endpoint API Enhancement

The logicalProfileName filter can be used to get endpoints that belong to a specific Logical Profile. The supported operator for the logicalProfileName filter is EQ (equal to). The syntax to invoke the API with this filter is:

/ers/config/endpoint?filter={filter name}.{operator}.{logical profile name}

For more information, see Cisco ISE API Reference Guide.
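The filter syntax above, used from a script. This is an added example, not code from Cisco or from the original page. The host name, the Basic-auth fetcher, the SearchResult/nextPage JSON layout and the sample data are assumptions made for illustration; all function names are hypothetical.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import quote

SUPPORTED_OPERATORS = {"EQ"}  # the only operator the text lists for this filter


def endpoint_filter_url(base_url, logical_profile, operator="EQ"):
    """Build /ers/config/endpoint?filter=logicalProfileName.EQ.<name>."""
    op = operator.upper()
    if op not in SUPPORTED_OPERATORS:
        raise ValueError(f"logicalProfileName supports only EQ, got {operator!r}")
    if not logical_profile.strip():
        raise ValueError("logical profile name is empty")
    # Percent-encode the name so spaces, '&' or '#' cannot end the filter
    # value early or smuggle extra query parameters into the request.
    value = quote(logical_profile, safe="")
    return f"{base_url.rstrip('/')}/ers/config/endpoint?filter=logicalProfileName.{op}.{value}"


def endpoints_in_profile(base_url, logical_profile, fetch_json, max_pages=100):
    """Collect (id, name) for every endpoint in the profile, page by page."""
    origin = base_url.rstrip("/") + "/"
    url = endpoint_filter_url(base_url, logical_profile)
    found = []
    for _ in range(max_pages):
        # Credentials travel with every request: never follow a page link
        # that points away from the ISE node we were asked to query.
        if not url.startswith(origin):
            raise ValueError(f"refusing to follow page link outside {origin}: {url}")
        result = fetch_json(url).get("SearchResult", {})
        found.extend((r["id"], r["name"]) for r in result.get("resources", []))
        next_page = result.get("nextPage")
        if not next_page:
            return found
        url = next_page["href"]
    raise RuntimeError("page limit reached before the last page")


def https_fetcher(username, password, cafile=None):
    """Return a fetch_json(url) that verifies the server certificate.

    Assumes an ERS account authenticated with HTTP Basic auth.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def fetch_json(url):
        req = urllib.request.Request(url, headers={
            "Accept": "application/json",
            "Authorization": f"Basic {token}",
        })
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)

    return fetch_json


# Constructed two-page response so the example runs offline.
SAMPLE_BASE = "https://ise.example.test"
_P1 = endpoint_filter_url(SAMPLE_BASE, "IP-Phones")
_P2 = _P1 + "&page=2"
SAMPLE_PAGES = {
    _P1: {"SearchResult": {"total": 3, "resources": [
        {"id": "id-0001", "name": "00:00:5E:00:53:01"},
        {"id": "id-0002", "name": "00:00:5E:00:53:02"}],
        "nextPage": {"rel": "next", "href": _P2}}},
    _P2: {"SearchResult": {"total": 3, "resources": [
        {"id": "id-0003", "name": "00:00:5E:00:53:03"}]}},
}


def sample_fetch(url):
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for ep_id, mac in endpoints_in_profile(SAMPLE_BASE, "IP-Phones", sample_fetch):
        print(ep_id, mac)
```

Against a real node, pass https_fetcher(user, password, cafile) in place of sample_fetch.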

Posture Script Remediation

You can create and upload posture remediation scripts to Cisco ISE to resolve non-compliance issues in endpoints.

For more information, see "Add a Script Remediation" in the Chapter "Compliance" in Cisco ISE Administrator Guide, Release 3.1.

RHEL 8.2 Support

Cisco ISE runs on the Cisco Application Deployment Engine Operating System (ADEOS), which is based on Red Hat Enterprise Linux (RHEL). For Cisco ISE 3.1, ADEOS is based on RHEL 8.2.

RHEL 8.2 supports the following VMware ESXi versions:

  • VMware ESXi 6.5

  • VMware ESXi 6.5 U1

  • VMware ESXi 6.5 U2

  • VMware ESXi 6.5 U3

  • VMware ESXi 6.7

  • VMware ESXi 6.7 U1

  • VMware ESXi 6.7 U2

  • VMware ESXi 6.7 U3

  • VMware ESXi 7.0

  • VMware ESXi 7.0 U1

  • VMware ESXi 7.0 U2

For more information, see the Chapter "Overview" in Cisco Identity Services Engine Upgrade Journey, Release 3.1.

SAML-Based Admin Login

SAML-based admin login adds a single sign-on capability to Cisco ISE using the SAML 2.0 standard. You can use an external Identity Provider such as Okta or any Identity Provider that implements SAML 2.0.

For more information, see "SAML-based Admin Login" in the Chapter "Asset Visibility" in Cisco ISE Administrator Guide, Release 3.1.

Specific License Reservation

Specific License Reservation is a smart licensing method that helps you manage your smart licensing when your organization's security requirements do not allow a persistent connection between Cisco ISE and the Cisco Smart Software Manager (CSSM). Specific License Reservation allows you to reserve specific license entitlements on a Cisco ISE node.

You can create a Specific License Reservation by defining the type and number of licenses you need to reserve, and then activate the reservation on a Cisco ISE node. The Cisco ISE node on which you register and enable the reservation then tracks license usage and enforces license consumption compliance.

For more information, see "Specific License Reservation" in the Chapter "Licensing" in Cisco ISE Administrator Guide, Release 3.1.

Upgrade to pxGrid 2.0

From Cisco ISE Release 3.1, all pxGrid connections must be based on pxGrid 2.0. pxGrid 1.0-based (XMPP-based) integrations will cease to work on Cisco ISE from Release 3.1 onwards.

pxGrid Version 2.0, which is based on WebSockets, was introduced in Cisco ISE Release 2.4. We recommend that you plan and upgrade your other systems to pxGrid 2.0-compliant versions in order to prevent potential disruptions, if any, to integrations.

For more information, see the Chapter "pxGrid" in Cisco ISE Administrator Guide, Release 3.1.


The output of the show application status ise command reflects only the status of pxGrid 1.0 services.

Zero Touch Provisioning

Zero Touch Provisioning (ZTP) refers to the uninterrupted provisioning mechanism that helps to automate Cisco ISE installation, infrastructure service enablement, patching, and hot patching without manual intervention.

For more information, see "Zero Touch Provisioning" in the Chapter "Additional Installation Information" in Cisco ISE Installation Guide, Release 3.1.

Cisco Secure Access Control System-to-Cisco ISE Migration Tool

The Cisco Secure Access Control System-to-Cisco ISE Migration Tool is not supported for Cisco ISE 3.1 and later. End-of-Life dates have been announced for Cisco Secure Access Control System. For more information, see End-of-Life Notice.

System Requirements

For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.

For more details on hardware platforms and installation of this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.

Supported Hardware

Cisco ISE 3.1 can be installed on the following platforms:

Table 1. Supported Platforms

Hardware Platform

  • Cisco SNS-3595-K9 (large)

  • Cisco SNS-3615-K9 (small)

  • Cisco SNS-3655-K9 (medium)

  • Cisco SNS-3695-K9 (large)

For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide.

After installation, you can configure Cisco ISE with specific component personas such as Administration, Monitoring, or pxGrid on the platforms that are listed in the above table. In addition to these personas, Cisco ISE contains other types of personas within Policy Service, such as Profiling Service, Session Services, Threat-Centric NAC Service, SXP Service for TrustSec, TACACS+ Device Admin Service, and Passive Identity Service.


  • Cisco ISE 3.1 does not support the Cisco Secured Network Server (SNS) 3515 appliance.

  • Memory allocation of less than 16 GB is not supported for VM appliance configurations. In the event of a Cisco ISE behavior issue, all the users are required to change the allocated memory to at least 16 GB before opening a case with the Cisco Technical Assistance Center.

Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

    • VMware version 9 for ESXi 6.5

    • VMware version 14 for ESXi 6.7 and later

    You can deploy Cisco ISE on VMware cloud solutions on the following public cloud platforms:

    • VMware cloud in Amazon Web Services (AWS): Host Cisco ISE on a software-defined data center provided by VMware Cloud on AWS.

    • Azure VMware Solution: Azure VMware Solution runs VMware workloads natively on Microsoft Azure. You can host Cisco ISE as a VMware virtual machine.

    • Google Cloud VMware Engine: Google Cloud VMware Engine runs the software-defined data center by VMware on Google Cloud. You can host Cisco ISE as a VMware virtual machine on the software-defined data center provided by the VMware Engine.

  • Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later

  • KVM on QEMU 2.12.0-99

  • Nutanix AHV 20201105.2096


From Cisco ISE 3.1, you can use the VMware migration feature to migrate virtual machine (VM) instances (running any persona) between hosts. Cisco ISE supports both hot and cold migration. Hot migration is also called live migration or vMotion. Cisco ISE need not be shut down or powered off during the hot migration. You can migrate the Cisco ISE VM without any interruption in its availability.

For information about the virtual machine requirements, see the Cisco Identity Services Engine Installation Guide for your version of Cisco ISE.

Federal Information Processing Standard (FIPS) Mode Support

Cisco ISE uses an embedded Federal Information Processing Standard (FIPS) 140-2-validated cryptographic module, Cisco FIPS Object Module Version 7.2 (Certificate #3790). For details about the FIPS compliance claims, see Global Government Certifications.

When FIPS mode is enabled on Cisco ISE, consider the following:

  • All non-FIPS-compliant cipher suites will be disabled.

  • Certificates and private keys must use only FIPS-compliant hash and encryption algorithms.

  • RSA private keys must be 2048 bits or greater.

  • Elliptic Curve Digital Signature Algorithm (ECDSA) private keys must be 224 bits or greater.

  • Diffie–Hellman Ephemeral (DHE) ciphers work with Diffie–Hellman (DH) parameters of 2048 bits or greater.

  • SHA1 is not allowed to generate ISE local server certificates.

  • The anonymous PAC provisioning option in EAP-FAST is disabled.

  • The local SSH server operates in FIPS mode.

  • The following protocols are not supported in FIPS mode for RADIUS:

    • EAP-MD5

    • PAP

    • CHAP

    • MS-CHAPv1

    • MS-CHAPv2

    • LEAP
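A pre-flight check for the key-size, hash and RADIUS protocol rules listed above, written as an added example (not Cisco code and not part of the original page). It reads the text printed by openssl x509 -noout -text; the function names, the sample excerpts and the protocol list passed in are constructed for illustration.

```python
import re
import subprocess

MIN_RSA_BITS = 2048  # rule above: RSA private keys of 2048 bits or greater
MIN_EC_BITS = 224    # rule above: ECDSA private keys of 224 bits or greater
# RADIUS protocols the list above marks as not supported in FIPS mode.
FIPS_UNSUPPORTED_RADIUS = {"EAP-MD5", "PAP", "CHAP", "MS-CHAPV1", "MS-CHAPV2", "LEAP"}

# Constructed excerpts in the layout printed by `openssl x509 -noout -text`.
SAMPLE_RSA_OK = """\
    Signature Algorithm: sha256WithRSAEncryption
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            RSA Public-Key: (2048 bit)
"""
SAMPLE_RSA_WEAK = """\
    Signature Algorithm: sha1WithRSAEncryption
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            RSA Public-Key: (1024 bit)
"""
SAMPLE_EC_OK = """\
    Signature Algorithm: ecdsa-with-SHA256
    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
            Public-Key: (256 bit)
"""


def fips_findings(cert_text):
    """Return a list of problems; an empty list means no checked rule is violated."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", cert_text)
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", cert_text)
    # Matches both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)".
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", cert_text)
    if not (sig and alg and bits):
        return ["could not parse input as `openssl x509 -noout -text` output"]
    sig_name, key_alg, key_bits = sig.group(1), alg.group(1), int(bits.group(1))

    findings = []
    if re.search(r"sha-?1(?!\d)|md5", sig_name, re.IGNORECASE):
        findings.append(f"signature algorithm {sig_name} uses SHA-1 or MD5")
    if key_alg == "rsaEncryption":
        if key_bits < MIN_RSA_BITS:
            findings.append(f"RSA key is {key_bits} bits, minimum is {MIN_RSA_BITS}")
    elif key_alg == "id-ecPublicKey":
        if key_bits < MIN_EC_BITS:
            findings.append(f"EC key is {key_bits} bits, minimum is {MIN_EC_BITS}")
    else:
        findings.append(f"key type {key_alg} is outside the RSA/ECDSA rules; review manually")
    return findings


def check_pem_file(path):
    """Run the same check on a certificate file (needs the openssl CLI)."""
    text = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-text"],
        check=True, capture_output=True, text=True,
    ).stdout
    return fips_findings(text)


def radius_protocols_lost(protocols_in_use):
    """Return the protocols from the given list that stop working in FIPS mode."""
    return [p for p in protocols_in_use if p.upper() in FIPS_UNSUPPORTED_RADIUS]


if __name__ == "__main__":
    for label, sample in (("rsa-2048", SAMPLE_RSA_OK),
                          ("rsa-1024-sha1", SAMPLE_RSA_WEAK),
                          ("ec-256", SAMPLE_EC_OK)):
        print(label, fips_findings(sample) or "ok")
    print(radius_protocols_lost(["EAP-TLS", "PEAP", "MS-CHAPv2", "PAP"]))
```

Run check_pem_file over every certificate you plan to keep on the node before enabling FIPS mode, and compare radius_protocols_lost against the protocols your network devices actually use.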

Validated Browsers

Cisco ISE 3.1 has been validated with the following browsers:

  • Mozilla Firefox 102 and earlier versions from version 82

  • Mozilla Firefox ESR 91.3 and earlier versions

  • Google Chrome 103 and earlier versions from version 86

  • Microsoft Edge, the latest version and one version earlier than the latest version

Validated External Identity Sources


The supported Active Directory versions are the same for both Cisco ISE and Cisco ISE-PIC.

Table 2. Validated External Identity Sources

External Identity Source

Active Directory

  • Microsoft Windows Active Directory 2012: Windows Server 2012

  • Microsoft Windows Active Directory 2012 R2: Windows Server 2012 R2

  • Microsoft Windows Active Directory 2016: Windows Server 2016

  • Microsoft Windows Active Directory 2019: Windows Server 2019

LDAP Servers

  • SunONE LDAP Directory Server: Version 5.2

  • OpenLDAP Directory Server: Version 2.4.23

  • Any LDAP v3 compliant server: Any version that is LDAP v3 compliant

Token Servers

  • RSA ACE/Server: 6.x series

  • RSA Authentication Manager: 7.x and 8.x series

  • Any RADIUS RFC 2865-compliant token server: Any version that is RFC 2865 compliant

Security Assertion Markup Language (SAML) Single Sign-On (SSO)

  • Microsoft Azure

  • Oracle Access Manager (OAM)

  • Oracle Identity Federation (OIF)

  • PingFederate Server

  • PingOne Cloud

  • Secure Auth

  • Any SAMLv2-compliant Identity Provider: Any Identity Provider version that is SAMLv2 compliant

Open Database Connectivity (ODBC) Identity Source

  • Microsoft SQL Server: Microsoft SQL Server 2012


Enterprise Edition Release







Social Login (for Guest User Accounts)




You can only add up to 200 Domain Controllers on Cisco ISE. On exceeding the limit, you will receive the following error:

Error creating <DC FQDN> - Number of DCs Exceeds allowed maximum of 200

Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2. However, the new features in Microsoft Windows Active Directory 2012 R2, such as Protective User Groups, are not supported.


Cisco ISE 2.6 Patch 4 and later support all the legacy features in Microsoft Windows Active Directory 2019.

See the Cisco Identity Services Engine Administrator Guide for more information.

Validated OpenSSL Version

Cisco ISE 3.1 is validated with OpenSSL 1.1.1k.

OpenSSL Update Requires CA:True in CA Certificates

For a certificate to be defined as a CA certificate, the certificate must contain the following property:


This property is mandatory to comply with recent OpenSSL updates.

Known Limitations and Workarounds

This section provides information about the various known limitations and the corresponding workarounds.

Authentication Might Fail for SNMP Users After Upgrade due to Wrong Hash Value

If you are upgrading from Cisco ISE 2.7 or an earlier release to Cisco ISE 3.1, you must reconfigure the settings for SNMP users after the upgrade. Otherwise, authentication might fail for SNMP users because of a wrong hash value.

Use the following commands to reconfigure the settings for SNMPv3 users:

no snmp-server user <snmp user> <snmp version> <auth password> <priv password>

snmp-server user <snmp user> <snmp version> <auth password> <priv password>

Special Characters Usage Limitations in Name and Description Fields

  • These special characters cannot be used in the Description field for TACACS+ profiles and Device Administration Network conditions—[%\<>*^:"|',=/()$.@;&-!#{}.?]. Supported characters are alphanumeric, underscore, and space.

  • These special characters cannot be used in the Name and Description fields for Authorization profiles—%\<>*^:\"|',=. Supported characters for the Name and Description fields are alphanumeric, hyphen, dot, underscore, and space.

  • These special characters cannot be used in the Name and Description fields for Time and Date conditions—[%\#$&()~+*@{}!/?;:',=^`]"<>". Supported characters for the Name and Description fields are alphanumeric, hyphen, dot, underscore, and space.

Make a Wish Option not Available in Japanese

If you have configured your localization settings to enable Japanese in your Cisco ISE, note that the Make a Wish option will not be available in Japanese.

Radius Logs for Authentication

Details of an authentication event can be viewed in the Details field of the Radius Authentications window. The details of an authentication event are available only for 7 days, after which no data on the authentication event will be visible. All the authentication log data will be removed when a purge is triggered.

Server IP Update Under Trustsec AAA Server List

When the IP address of the Cisco ISE instance is changed using the CLI, Cisco ISE services are restarted. After the services are up, you must change the IP address of the Trustsec AAA server. In the Cisco ISE GUI, click the Menu icon and choose Workcenters > TrustSec > Components > Trustsec Servers > Trustsec AAA Servers.

EAP-TLS Authentication Might Fail for Certificates Using TPM Module

In Cisco ISE Release 3.1, EAP-TLS authentication might fail for certificates using the TPM module on Windows 10. This is an issue with the TPM module and not with Cisco ISE.

Upgrade Information

Upgrading to Release 3.1

You can directly upgrade to Release 3.1 from the following Cisco ISE releases:

  • 2.6

  • 2.7

  • 3.0

If you are on a version earlier than Cisco ISE, Release 2.6, you must first upgrade to one of the releases listed above, and then upgrade to Release 3.1.

We recommend that you upgrade to the latest patch in the existing version before starting the upgrade.

Cisco ISE 3.1 has parity with 2.6 Patch 9, 2.7 Patch 4, and 3.0 Patch 2.

Upgrade Procedure Prerequisites

  • Run the Upgrade Readiness Tool (URT) before the upgrade to check whether the configured data can be upgraded to the required Cisco ISE version. Most upgrade failures occur because of data upgrade issues. The URT validates the data before the actual upgrade and reports the issues, if any. The URT can be downloaded from the Cisco ISE Download Software Center.

  • We recommend that you install all the relevant patches before beginning the upgrade.

For more information, see the Cisco Identity Services Engine Upgrade Guide.


After installation, when you log in to the Admin portal for the first time, the Cisco ISE Telemetry banner is displayed. Using this feature, Cisco ISE securely collects nonsensitive information about your deployment, network access devices, profiler, and other services that you are using. This data will be used to provide better services and more features in the forthcoming releases. By default, telemetry is enabled. To disable or modify the account information, choose Administration > Settings > Network Settings Diagnostics > Telemetry. The account is unique for each deployment. Each admin user need not provide it separately.

It may take up to 24 hours after the Telemetry feature is disabled for Cisco ISE to stop sharing telemetry data.

Types of data collected include Product Usage Telemetry and Cisco Support Diagnostics.

Cisco Support Diagnostics

The Cisco Support Diagnostics Connector enables Cisco Technical Assistance Center (TAC) and Cisco support engineers to obtain support information on the deployment through the primary administration node. By default, this feature is disabled. See the Cisco Identity Services Engine Administrator Guide for instructions on how to enable this feature.

Cisco ISE Live Update Portals

Cisco ISE Live Update portals help you to automatically download the Supplicant Provisioning wizard, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals are configured in Cisco ISE during the initial deployment to retrieve the latest client provisioning and posture software directly from to the corresponding device using Cisco ISE.

If the default Update portal URL is not reachable and your network requires a proxy server, configure the proxy settings. In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Settings > Proxy before you access the Live Update portals. If proxy settings allow access to the profiler, posture, and client-provisioning feeds, access to a Mobile Device Management (MDM) server is blocked because Cisco ISE cannot bypass the proxy services for MDM communication. To resolve this, you can configure the proxy services to allow communication to the MDM servers. For more information on proxy settings, see the "Specify Proxy Settings in Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.

Client Provisioning and Posture Live Update Portals

You can download Client Provisioning resources from:

In the Cisco ISE GUI, click the Menu icon and choose Work Centers > Posture > Settings > Software Updates > Client Provisioning.

The following software elements are available at this URL:

  • Supplicant Provisioning wizards for Windows and Mac OS X native supplicants

  • Windows versions of the latest Cisco ISE persistent and temporal agents

  • Mac OS X versions of the latest Cisco ISE persistent agents

  • ActiveX and Java Applet installer helpers

  • AV/AS compliance module files

For more information on automatically downloading the software packages that are available at the Client Provisioning Update portal to Cisco ISE, see the "Download Client Provisioning Resources Automatically" section in the "Configure Client Provisioning" chapter in the Cisco Identity Services Engine Administrator Guide.

You can download Posture updates from:

In the Cisco ISE GUI, click the Menu icon and choose Work Centers > Posture > Settings > Software Updates > Posture Updates.

The following software elements are available at this URL:

  • Cisco-predefined checks and rules

  • Windows and Mac OS X AV/AS support charts

  • Cisco ISE operating system support

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the "Download Posture Updates Automatically" section in the Cisco Identity Services Engine Administrator Guide.

If you do not want to enable the automatic download capabilities, you can choose to download updates offline.

Cisco ISE Offline Updates

This offline update option allows you to download client provisioning and posture updates, when direct internet access to from a device using Cisco ISE is not available or is not permitted by a security policy.

To download offline client provisioning resources:


Step 1

Go to:

Step 2

Provide your login credentials.

Step 3

Navigate to the Cisco Identity Services Engine download window, and select the release.

The following Offline Installation Packages are available for download:

  • win_spw-<version>—Offline SPW Installation Package for Windows

  • mac-spw-<version>.zip—Offline SPW Installation Package for Mac OS X

  • compliancemodule-<version>—Offline Compliance Module Installation Package

  • macagent-<version>—Offline Mac Agent Installation Package

  • webagent-<version>—Offline Web Agent Installation Package

Step 4

Click either Download or Add to Cart.

For more information on adding the downloaded installation packages to Cisco ISE, see the "Add Client Provisioning Resources from a Local Machine" section in the Cisco Identity Services Engine Administrator Guide.

You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Mac operating systems offline from an archive in your local system, using posture updates.

For offline updates, ensure that the versions of the archive files match the versions in the configuration file. Use offline posture updates after you configure Cisco ISE and want to enable dynamic updates for the posture policy service.

To download offline posture updates:


Step 1

Go to

Step 2

Save the file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Mac operating systems.

Step 3

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Settings > Posture.

Step 4

Click the arrow to view the settings for posture.

Step 5

Click Updates.

The Posture Updates window is displayed.

Step 6

Click the Offline option.

Step 7

Click Browse to locate the archive file ( from the local folder in your system.

The File to Update field is a mandatory field. You can select only one archive file (.zip) containing the appropriate files. Archive files other than .zip, such as .tar and .gz, are not supported.

Step 8

Click Update Now.

Cisco ISE Integration with Cisco Digital Network Architecture Center

Cisco ISE can integrate with Cisco DNA Center. For information about configuring Cisco ISE to work with Cisco DNA Center, see the Cisco DNA Center documentation.

For information about Cisco ISE compatibility with Cisco DNA Center, see the Cisco SD-Access Compatibility Matrix.

Cisco AI Endpoint Analytics

Cisco AI Endpoint Analytics is a solution on Cisco DNA Center that improves endpoint profiling fidelity. It provides fine-grained endpoint identification and assigns labels to various endpoints. Information gathered through deep-packet inspection, and probes from sources such as Cisco ISE, Cisco SD-AVC, and network devices, is analyzed for endpoint profiling.

Cisco AI Endpoint Analytics also uses artificial intelligence (AI) and machine learning capabilities to intuitively group endpoints with similar attributes. IT administrators can review such groups and assign labels to them. These endpoint labels are then available in Cisco ISE if your Cisco ISE account is connected to on-premises Cisco DNA Center.

These endpoint labels from Cisco AI Endpoint Analytics can be used by Cisco ISE administrators to create custom authorization policies. You can provide the right set of access privileges to endpoints or endpoint groups through such authorization policies.

Install a New Patch

For instructions on how to apply the patch to your system, see the "Install a Software Patch" section in the Cisco Identity Services Engine Administrator Guide.

For instructions on how to install a patch using CLI, see the "Patch Install" section in the Cisco Identity Services Engine CLI Reference Guide.


If you have installed a hot patch on Cisco ISE 3.1, you must roll back the hot patch before installing a patch. Otherwise, the services might not start because of an integrity check security issue.


The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, use the Cisco Bug Search Tool (BST). The bug IDs are sorted alphanumerically.


The Open Caveats section lists the open caveats that apply to the current release and might apply to releases earlier than Cisco ISE 3.1. A caveat that is open for an earlier release and is still unresolved applies to all future releases until it is resolved.

The BST, which is the online successor to the Bug Toolkit, is designed to improve the effectiveness of network risk management and device troubleshooting. You can search for bugs based on product, release, or keyword, and aggregate key data such as bug details, product, and version. For more details on the tool, see the Help page located at

New Features in Cisco ISE, Release 3.1 - Cumulative Patch 4

Enhancement to the Groups tab in the REST Identity Store

You can now retrieve, filter, and delete REST identity store groups while configuring Resource Owner Password Credentials in Cisco ISE.

While adding the groups, click Retrieve Groups to import the user groups from the connected identity source. Check the check boxes next to the groups that you want to select and click Save. You can also select all the groups, if needed. The selected groups are listed in the Groups tab.

You can filter the results using the filter option.

To delete a user group, check the check box next to the group that you want to delete and click Delete.

For more information, see "Configure Resource Owner Password Credentials Flow" in the Chapter "Asset Visibility" in the Cisco ISE Administrator Guide, Release 3.1.


Changes to IP Default Gateway Require Restart

From Cisco ISE 3.1 Patch 4 onwards, when you add or change a gateway, the CLI warns the administrator that a service restart may be required, and executes the command only if the Yes option is selected.

For more information, see the Cisco ISE CLI Commands in Configuration Mode chapter in the Cisco ISE CLI Reference Guide, Release 3.1.

Resolved Caveats in Cisco ISE Release 3.1 - Cumulative Patch 4

The following table lists the resolved caveats in Release 3.1 cumulative patch 4.

Caveat ID Number



64-character limit is not enough to accommodate external user identities, such as user principal name


Unable to edit certificates imported to ISE Trusted Certificate


CIAM: python-pip 9.0.3


When Essential License is disabled on the Cisco ISE GUI, the Smart Licensing Portal does not report license consumption.


Unable to import network device configured with SNMPv3 SHA2 authorization


Toggle to enable or disable RSA PSS cipher based on policy under Allowed Protocols


CIAM: libcurl 7.61.1


Cisco ISE-PIC does not forward live sessions beginning with special characters


CIAM: libjpeg-turbo 1.5.3


Cisco ISE does not allow user to change the admin password without validating current password


Certificate based admin login does not work when the client or browser send more than one certificate


CIAM: sqlite 3.26.0


CIAM: ncurses 6.1


Special characters are not supported in Attributes


Underscore is vulnerable in Guest Portals


REST ID does not filter groups based on name or SID for Azure AD groups


Having a single quote (') in the middle of the password on Proxy settings causes the page to become un-editable


No Replication Stopped Alarm triggered


Create a nested endpoint group using ERS API


OpenAPI Error 400 while fetching Nested Conditions


Failure to import Internal CA and key from ISE 2.7P2 to 3.0


ADE-OS CLI TCP parameters fail to make changes and are no longer relevant


Disable temporary management persona on upgraded node fails in split upgrade


CIAM: cyrus-sasl 2.1.27


Unable to edit PAN Auto Failover alarms


CIAM: libdnf 0.39.1


Ping-node call causes application server to crash (OOM exception) during CRL validation


PGA memory used by the instance exceeds PGA_AGGREGATE_LIMIT on MNT node


NTP Sync Failure Alarms with more than 2 NTP Servers Configured.


Session Directory Write failed, SQLException: String Data right truncation on ISE3.0P4


"File path field must contain a valid file name" error when file conditions are configured for posture


CIAM: jszip 2.5.0


High latency observed for TACACS+ requests with date or time condition in authorization policies


High Operations DB Usage Alarm percentage needs to be configurable


Guest users (AD or internal) cannot delete or add their own devices on a specific node


Context Visibility Endpoints And NADs from an existing deployment are not removed after Restore


Frequent Insufficient Virtual Machine Resources alarms


Unable to get message option in Posture remediation actions


Unable to download a created support bundle from GUI if logged in using the DomainName\UserName format


Inconsistent behaviour on handling of SSH host keys


ISE PRA failover


SAML certificates should not be marked as Stale if PAN is removed from deployment


SHA-2 option is not available for NAD creation using REST API


TrustSec Dashboard Refresh Call causes High CPU on MNT


Race condition causes registration or sync failure in Cisco ISE 3.1


$ui_time_left$ variable shows the wrong duration


Cisco ISE adds six additional hours to nextUpdate date for CRL


System summary does not get updated post Patch RollBack and Patch Install


Guest portal registration page shows "error loading page" error when the email address contains apostrophe


DNA Center - ISE Integration: ISE shows an old DNAC certificate for pxGrid endpoint


Admin access is allowed for ISE GUI with secondary interfaces GigabitEthernet 1 and Bond 1


P1 Stale nodes in TCPDump Menu


Compatibility problems with Hyper-V Gen-2


Error when network device groups are created using REST APIs


Unable to enter ipv6 address for on-premise SSM server


ERS call /ers/config/sgmapping/{id} does not return SGT value for custom SGT's


CIAM: openssh 7.6


Max Sessions are not enforced with EAP-FAST-Chaining


CIAM: bind 9.11.4


Multiline issues for guest SMS notification in Cisco ISE Portal


NTP Service Failure


Unable to host SSH/SFTP with newer HostKeyAlgorithms (e.g. RSA-SHA2-512)


CIAM: jackson-databind 2.9.8


After upgrade, the files in the rabbitmq certificate directory show incorrect permissions


CIAM: openssl upgrade to 1.0.2ze and 1.1.1o


ISE ERS Validation Error - [validDays] mandatory field is missing


BH Healthcheck and full upgrade pre-check times out when third party CA certificate is used for admin


Patch 2 - Services do not start due to "Integrity check failed" error


Guest redirect with authentication virtual LAN no longer works on ISE 3.1


After fixing failed pre-upgrade check, Proceed button is still not available


ISE Deployment : All nodes throw OUT_OF_SYNC error as a result of incorrect certificate expiry check


CIAM: glib 2.56.4


CIAM: openssl 1.1.1g


CIAM: libgcrypt 1.5.3


PermSize attribute on sysodbcini file is missing


Cisco ISE does not send $mobilenumber$ value in the SMTP API body


Sponsor Portal shows error 500 when "Allow kerberos SSO" portal setting is enabled


Key Performance Metrics report has no entries for 8 AM and 9 AM every day


ISE PSN nodes crash due to incorrect cryptoLib initialization


Queue size needs to be capped on RMQ in 3.x


Spring Hibernate TPS upgrade (Hibernate 5.5.2, Spring 5.3.8)


ODBC Behavior Failover Issues


Unable to restore CFG backup from linux SFTP repository if the file is owned by a group name without space


ISE Evaluation for Struts2 CVE-2021-31805


Posture policy page does not load for SAML login


Configuration backup fails due to "EDF_DB_LOG"


Data dump transfer between nodes fail during upgrade due to connection error


Duplicated column "Failure Reasons" is found in RADIUS Authentications Report


ISE Evaluation log4j CVE-2021-44228


Location of "Location" and "Device Type" fields keep changing whenever Network Devices tab is clicked


CIAM: glibc 2.17


Default domain configuration in Passive-Syslog provider does not work in ISE 3.1


Cisco ISE GUI does not load after login


Upgrade External Radius Server List does not show up after upgrading to Cisco ISE 3.0 or above


Unable to login into GUI of MnT nodes using RSA 2FA in distributed deployment


CIAM: cups 1.6.3


SSH to Cisco ISE fails on manually imported SSH Public Keys


Cisco ISE must avoid sending Empty Cisco AV-Pairs in access-accept packets


Invalid character error in Admin Groups


Unable to delete endpoint identity group created via REST API if no description is set


Cannot disable "Dedicated MnT" Option from GUI after it is enabled


Default route is on the incorrect interface if bonding is configured


Default route is removed or tied to the wrong interface after upgrading


T+ ports (49) are still open if disable Device admin process under deployment page


Improvement to logs needed with Conflict handling SGT-IP mapping with Virtual Networks


From address to send email is invalid if it does not end with .com or .net


Application Server is stuck in the initializing state after configuration backup is restored


Cisco ISE does not update expiry date after SLR license is updated


CIAM: nettle 3.4.1


Invalid Characters in External RADIUS Token Shared Secret.


Services fail to start after backup from old ISE version 2.6 is restored


Timezone update should happen automatically


AD User SamAccountName parameter is null for user sessions


Application Server stays in Initializing state after installing Cisco ISE 3.1 Patch 3 on Cisco ISE Patch 2


Cisco ISE can login to GUI with disabled shadow admin accounts with external identity source


Sorting internal users based on User Identity Groups does not work in Identities under Identity Management tab


CIAM: samba 4.13.3


Services auto restart fail with an internal error during IP address change in eth 1


CIAM: samba 4.8.3


Inaccurate dictionary word evaluation for passwords


Unable to edit or remove Scheduled Reports if the admin who created them is no longer available


CIAM: cryptography 2.3


TrustCertQuickView gives the same information for all trusted certificates


400 Bad Request error is thrown when Internal User is enabled with external password type using Rest API.


Application server restart on all nodes after changing the Primary PAN Admin certificate


Add ability to disable TLS 1.0 and 1.1 on ISE PIC node


Removing an IP Access list from ISE destroys the distributed deployment

New Features in Cisco ISE, Release 3.1 - Cumulative Patch 3

Support for Cisco pxGrid Cloud

Cisco ISE 3.1 patch 3 supports Cisco pxGrid Cloud. Cisco pxGrid Cloud is a new Cisco cloud offer that extends pxGrid and ERS access to cloud-based applications. To allow connectivity between a Cisco ISE deployment and Cisco pxGrid Cloud, pxGrid Cloud service must be enabled on one or more pxGrid nodes in the Cisco ISE deployment. For more information on Cisco pxGrid Cloud, see Cisco pxGrid Cloud Solution Guide.

Automatic Renewal of OCSP Certificates

From Cisco ISE Release 3.1 Cumulative Patch 2 onwards, the following rules are applicable for the renewal of OCSP certificates:

  • For a multi-node Cisco ISE deployment, OCSP certificates are renewed automatically if you install the patch through the Cisco ISE GUI. If you install the patch through the Cisco ISE CLI, we recommend that you renew the OCSP certificate manually.

  • For a standalone Cisco ISE deployment, OCSP certificates are renewed automatically irrespective of whether you install the patch through the Cisco ISE GUI or the Cisco ISE CLI.

  • If you uninstall Patch 2, you have to renew the OCSP certificate manually.

Microsoft Intune Integration Changes Due to Microsoft Graph Updates

Microsoft is deprecating Azure Active Directory (Azure AD) Graph and will not support Azure AD Graph-enabled integrations after June 30, 2022. You must migrate any integrations that use Azure AD Graph to Microsoft Graph. Cisco ISE typically uses the Azure AD Graph for integration with the endpoint management solution Microsoft Intune.

For more information on the migration from Azure AD Graph to Microsoft Graph, see the following resources:

Cisco ISE Release 3.1 Patch 3 supports Microsoft Intune integrations that use Microsoft Graph. To avoid any disruption in the integration between Cisco ISE and Microsoft Intune, update your Cisco ISE to Cisco ISE Release 3.1 Patch 3. Then, update your Cisco ISE integration in Microsoft Azure to use Microsoft Graph instead of Azure AD Graph, before June 30, 2022. In Cisco ISE, you must update your Microsoft Intune integrations to update the Auto Discovery URL field—Replace<Directory (tenant) ID> with

See Connect Microsoft Intune to Cisco ISE as a Mobile Device Management Server for more information on the configuration steps.

Opening TAC Support Cases in Cisco ISE

You can now open TAC Support Cases for Cisco ISE and other Cisco products from the Cisco ISE GUI.

For more information, see "Open TAC Support Cases in Cisco ISE" in the Chapter "Troubleshoot" in Cisco ISE Administrator Guide, Release 3.1.

SHA1 Ciphers Disabled by Default

From Cisco ISE Release 3.1 Patch 2, SHA1 ciphers on port 443 are disabled by default.

Resolved Caveats in Cisco ISE Release 3.1 - Cumulative Patch 3

The following table lists the resolved caveats in Release 3.1 cumulative patch 3.

Caveat ID Number



After installing patch 2 services are stuck due to "Integrity check failed" error


New objects do not exist in the condition studio


WLC failed to validate EAPOL Key M2 with ISE 3.1


Unable to fetch the attributes from ODBC after upgrading to ISE 3.0 patch 3


Could not create Identity User if username includes $


Single Byod Flow with Internal CA failing with "12557 User Auth failed because OCSP status is unknown" error


Upgrade from ISE 2.4 patch 13 to ISE 2.7 fails if external RADIUS server is configured


backup-logs using public key encryption on the ISE CLI does not allow for capture of core files


Local Log Settings tooltip on all fields shows irrelevant and unuseful Trust Certificates


ISE 3.1 SAML admin authentication fails when user assertion contains multiple values in the "Groups" claim


ISE 2.7 Authentication success settings shows success/success url


TACACS authorization policy querying for username fails because username from session cache is null


nextPage field is missing from the json response of API 'GET /ers/config/radiusserversequence'


Device Port Network Conditions does not validate interface ID


CIAM: gnutls 3.6.14


CIAM: libx11 1.6.8


CIAM: python 3.6.8


CIAM: file 5.33


CIAM: sysstat 11.7.3


Cisco Identity Services Engine Assessment of CVE-2021-4034 Polkit


Node database utilization information is not properly displayed in Operational Data Purging > Database Utilization window


Microsoft Intune Graph Url change from to


Get-By-Id server sequence returns empty server list after first change made on the sequence via GUI


Reports are unusable due to mishandling fields with multiple values


Sponsor Portal admin unable to create random guest accounts with 1 hour duration or less


CIAM: nss - multiple versions


Queue Link Error:WARN:{socket_closed_unexpectedly;'connection.start'}


GRUB2 Arbitrary Code Execution Vulnerability


CIAM: openssh 7.6


Internal users using External Password Store are getting disabled if we create users using API flow


Enabling cookies for POST /ers/config/internaluser/ causes Identity Group(s) does not exist error


ISE 3.0 checks only the first SAN entry


IP-SGT mapping does not link with new network access device group


ISE authorization profiles option get truncated during editing/saving (Chrome only)


RCM and MDM flows fail because of session cache not being populated


Full upgrade not working with patch when CLI or disk repository is used


CSV NAD import is rejected due to special symbol @ at the beginning of RADIUS shared secret


Fix for CSCvu35802 breaks AD group retrieval with certificate attribute as identity in EAP-Chaining


ISE 3.1 Guest Username/Password Policy is not modifiable


Multiple runtime crashes seen due to memory allocation inconsistency


AD security groups cannot have their OU end with dot character in Posture Policy


CIAM: binutils 2.30


CIAM: json-c 0.13.1


Posture firewall remediation action unchangeable


RegEx expressions in TACACS Command Sets malformed


Session service unavailable for pxGrid Session Directory with dedicated MnT


PEAP session timeout value restricted to max 604800


ISE 3.1 is requesting ISE-PIC licenses from Smart account


CIAM: nss - multiple versions


ISE 3.1 on AWS gives a false negative on the DNS check for Health Checks


Attribute value dc-opaque causing issues with Live Logs


ISE CPP not loading correctly for some languages


ISE unable to fetch the url attribute value from improper index during posture flow


ERS API doesn't allow for use of dot character in "Network Device Group" name or create / update


Eap-chaining authorization failure due to machine authentication flag set to true incorrectly


GET for dacls using /ers/config/downloadableacl does not return a value for nextPage or previousPage


ISE 3.0 & 3.1: Device Admin License alone should allow access to all TACACS menus


CIAM: lz4 1.8.3


CIAM: glibc 2.28


IPv6 changes the Subnet to /128 when using the duplicate option from Network device tab


Unknown NAD and Misconfigured Network Device Detected alarms


Inconsistent sorting on ERS APIs for endpoint group


MDM intune integration broken for vpn user on ISE 3.1


ISE client pxGrid certificate is not delivered to DNAC


Unable to create network device group with name Location or Device Type


Endpoint stuck in posture unknown state


ISE displays an alarm stating an invalid response from licensing cloud


Deleted Root Network Device groups are still referenced in the Network Devices exported CSV report


SNMPv3 COA request is not issued by ISE 2.7


ISE API add user operation with long custom attribute string takes around 4 minutes using Curl


Updated fields list for PUT on /erc/config/authorizationprofile/{id} usually empty


Unable to change network Device group Name and Description at the same time


Existing routes are not installed in routing table after MTU change


ISE Conditions Studio - Identity Groups Drop-down limited to 1000


DELETE /ers/config/networkdevicegroup/{id} not working; CRUD exception


CIAM: tcp-dump 4.9.3


Authorization profile throws an error when special characters are used


ISE Evaluation log4j CVE-2021-44228


CoA was not initiated for switches for which matrix was not changed, hence Policy sync failed


Empty User Custom attribute included in Authorization Advanced Attributes Settings results in incorrect AVP


ISE replacing pxGrid certificate when generating ISE internal CA


"Queue Link Error: Message=From Node1 To Node2; Cause=Timeout" error seen when NAT is used


ISE 3.1 Patch 1: Unable to connect to ISE via SSH when FIPS is enabled


Catalina.out file is huge because of SSL audit events


CIAM: sqlite 3.18.2


When SNMP config is set on the network device, a delay of 20 seconds is introduced while processing SNMP record


Deployment-RegistrationPoller causing performance issues on PAN node with 200+ internal certificates


ISE 3.1: Unable to generate pxGrid certificates with Active Directory superadmin


ISE configured with 15 Collection filters hides the 15th filter


Optimize bouncy-castle class to improve performance on PAN


Serviceability: "DNS Resolution Failure" alarm should show ISE server


Session cache must be updated during EAP chaining flow to handle relevant identities


Guest Portal fields causing words to be repeated for Apple VoiceOver


Success page is blank and Done button not enabled in Hotspot Guest Portals


Sessions are not removed when the Tacacs+ requests resulted in "Could not find selected service" error


Unable to add more than one ACI IP address/hostname when trying to enable ACI integration in ISE


ISE 3.1 - GUI is not working when IPv6 disabled globally


CIAM: pcre 8.41


Guest portal does not load if hosted on a different interface from Gig0


REST ID is fetching the groups from Cloud when the connector settings page is opened


ISE 3.0p2 - Monitor All setting displays incorrectly with multiple matrices and different views


AD security groups cannot have their OU end with dot character in Client Provisioning Policy


CIAM: libsolv 0.7.16


High Active Directory latency during high TPS causes HOL Blocking on ADRT


Reauthentication issue seen in third party devices


ISE 3.0 APIC Integration: Failed to create security groups


Need to handle Posture expiry when 8 octet MAC is present in endpoint on the deployment node


Cannot export SAML provider info xml file from ISE GUI


Inconsistent sorting on ERS API for identity groups

Open Caveats in Cisco ISE Release 3.1 - Cumulative Patch 3

Caveat ID Number



SXP service is not starting after restart from ISE UI


Getting "Page not accessible" pop-up message in ISE-PIC node


ISE PSN nodes crashing due to incorrect cryptoLib initialization

New Features in Cisco ISE, Release 3.1 - Cumulative Patch 1

Cisco ISE on AWS

  • The software version Cisco ISE 3.1 Patch 1 is available on Amazon Web Services.

  • You can now install Cisco ISE in evaluation mode in the AWS instance named t3.xlarge. For more information about using Cisco ISE in evaluation mode in AWS, see the section "Cisco ISE Evaluation Instance on AWS" in the Cisco ISE Installation Guide, Release 3.1.

    t3.xlarge instances only support Cisco ISE Release 3.1 Patch 1 and later releases.

Signed SAML Authentication Request for Cisco ISE

Cisco ISE now only accepts signed SAML requests and assertions for authentication.

For more information, see "Configure SAML ID Provider" in the Chapter "Asset Visibility" in Cisco ISE Administrator Guide, Release 3.1.

Resolved Caveats in Cisco ISE Release 3.1 - Cumulative Patch 1

The following table lists the resolved caveats in Release 3.1 cumulative patch 1.

Caveat ID Number



MnT log processor is not running because collector log permission.


/ers/config/<obj>/bulk/submit returning invalid Location URI /ers/config/<obj>/bulk/submit/<bulkID>


Blanket bug for code enhancements for MnT component


2.4p12 patch install stuck forever


A race condition was found in the mkhomedir tool shipped with the oddjo


ISE 3.0 BH : TACACS live logs do not give an option select Network Device IP


DOC: unknown maximum time difference for thisUpdate of OCSP response


CIAM found poi vulnerable


Auth Passed live logs are not seen when using a profile name with more than 50 characters


Multiple Vulnerabilities in glibc


3.0P2:Accounting Report Export is taking more time to complete.


CIAM found netty vulnerable


CTS-SXP-CONN : ph_tcp_close from device to ISE SXP connection - Hawkeye


[CFD] User unable to create a guest SSID during Portal Creation step - ISE is busy error


Certificate Validation Syslog Message Sent During Specific Certificate Audits--ISE


CIAM: openjdk - multiple versions


CIAM: libx11 1.6.8


CIAM: glibc 2.28


CIAM: gnupg 2.2.9


CIAM: systemd 219


CIAM: vim 8.0.1763


CIAM: nettle 3.4.1


CIAM: unbound 1.7.3


CIAM: pcre2 10.32


CIAM: cpio 2.12


CIAM: libarchive 3.3.2


CIAM: network-manager 1.22.8


Customer fields in guest portal contains & - $ #


Cisco Identity Services Engine XML External Entity Injection Vulnerability


CIAM: librepo 1.11.0


ISE Guest SAML authentication fails with "Access rights validated" HTML page


Incorrect Posture Compound Condition Hotfixes


CTS PAC not activating on Switch: via ISE 3.1 build


CIAM: go 1.15.7 CVE-2021-33194


ISE restore popup menu displays wrong text


ISE 3.0 Device Admin License alone should allow access to Administration > System > Logging menu


Possible to choose SPAN without Policy persona in NAD Send configuration changes to device CoA


posture lease breaks for eap chaining from 2.7


TACACs report showing duplicate entries due to EPOCH time being null


TACACS Authentication report shows duplicate entries


EP's incorrectly profiled as "cisco-router" due to nmap performing aggressive guesses


SessionCache not cleared for Tacacs AuthZ failures results in high heap usage and auth latency


Special characters in Banner blocking SFTP repo


ISE 2.7 patch 4 unable to upload .json file for Umbrella security profile.


P1PNSBaseline: SuperMnT: on last 30days Radius Auth report takes ~5mins with filter


ISE 2.6 p 9, Default permissions can't go back to default group Internal after adding a new group


ISE GUI stuck at loading if AD group does not exist when using cert based auth for GUI access


ise 2.7 Failed to add endpoint to group


Not able to scroll to different pages in Issued certificates page


ISE GUI shows all the licenses as Out of Compliance - Smart Licensing


Agentless posture breaks for locale


Okta redirection fails for first ID store and works when second ID store is assigned


Unable to see the UI pxgrid pages, if we enabled&disabled pxgrid at deployment tab on secondary node


ISE: Application server stuck initializing after backup restore due to mdm configuration


User unable to generate support bundle


menu access customization is not working


ISE Health Check MDM Validation false alarm


NTP (' - ') source state description missing in ISE CLI


CIAM: libxml 2.9.1


CIAM: jspdf 2.3.0


CIAM: systemd - multiple versions


CIAM: podman 1.6.4


Sponsor Permissions are not passed to Guest REST API for "By Name" calls.


ISE manage account selection issue


ISE PIC 3.1 Request traditional license


CIAM: jsoup 1.10.3


ISE 3.0 TimesTen connection closed when an SQLException is encountered


ISE GUI : net::ERR_ABORTED 404 : /admin/ng/nls/fr-fr/


CIAM: bind 9.11.20


Cisco:cisco-av-pair AuthZ conditions stopped working


Inability to import ISE certificates issued for PAN to other nodes in spite of the SAN field fqdn.


ISE3.1 No response when click "choose file" on import Endpoints from CSV file page.


ISE 2.7: EndpointPersister thread getting stopped


CIAM: libgcrypt 1.5.3


If we set mtu greater than 1500 then the mtu value is not setting persistently across reboot.


Local disk management UI for uploading file is broken


Local Log Settings tooltip on all fields shows irrelevant and unuseful 'Trust Certificates'


Configuration changes to Guest types is not updated in audit reports


ISE 3.1:While updating Network Device from DNAC, Shared Secret/password is empty or masked


Pxgrid shown disabled on Summary page for ISE-PIC


ISE 3.1 : Authentication tab shows blank result in Context Visibility


adding FQDN in discovery host, Discovery host: invalid ip address or host name


Agentless Posture for Windows 10 devices not passing AntiMalware check -


ISE 3.0 Can't deselect the 'location' settings as part of the guest self registration portal


Version pre-check fails for 3.2 full upgrade.


ISE Health Check I/O bandwidth performance check false Alarm


Unsupported message code 91104 and 91105 Alarms


All NADs got deleted due to one particular NAD deletion


live log/session not showing latest data due to "too many files open" error


AD users in Super Admin group can't create/edit admin user with error "Operation is not permitted"


Radius reports older than 7 days are empty (regression of CSCvw78289)


Oracle processes are increasing and getting TNS:connection closed

Open Caveats in Cisco ISE Release 3.1 - Cumulative Patch 1

Caveat ID Number



Single Byod Flow with Internal CA failing "12557 User Auth failed because OCSP status is unknown"

Cisco ISE 3.1 Files Replaced on Software Download Site

Cisco ISE 3.1 OVA, ISO, and upgrade bundle files have been replaced on the Cisco ISE Software Download site.

What Changes are Made?

  • The following bugs are resolved in this build:

    • CSCwa04370: ISE 3.1 shows incorrect outgoing interface for the default interface if two interfaces are configured with IP addresses and the default gateway references the subnet on eth1

    • CSCwa82553: ISE 3.1 default route is on the incorrect interface if bonding is configured

  • Option to skip ICMP, DNS, and NTP checks in the ZTP tool. For more information, see "Zero Touch Provisioning" in the Chapter "Additional Installation Information" in Cisco ISE Installation Guide, Release 3.1.


  • The filenames of the new files will have "b" appended to the build number (for example, ise-

  • If you want to import the SNS 3695 OVA template to the VMware vCenter content library, you can use the template. This OVA template is similar to the template, except for the reserved disk size, which has been reduced from 2400 GB to 1800 GB to work around a limitation in the VMware vCenter content library that prevents import of OVAs with disk size larger than 2 TB.

  • You will see the following ISE version in the output of show tech-support command:


  • Existing Cisco ISE 3.1 patches will work fine with this build.

Resolved Caveats in Cisco ISE Release 3.1

Caveat ID Number



ISE 3.1 shows incorrect outgoing interface for the default interface if two interfaces are configured with IP addresses and the default gateway references the subnet on eth1


ISE 3.1 default route is on the incorrect interface if bonding is configured


RADIUS maximum session-timeout value restricted to 65535


ERS Create/Update for "Authorization Profile" failing XML schema validation


Blank guest portal window seen in portal created in portal builder


Customization for support information in Client Provisioning portal is missing


No logo in guest approval email when portal is set to Sponsored-Guest Portal


Guest Remember Me RADIUS accounting and access accept not sending guest username


Account used for AD join may become locked after passive-id service is enabled


Unable to see complete list of AD groups when using scrollbar


Problem with renaming the reports


Unable to configure grace period for more than 1 day because of posture lease


MnT API call with admin credentials disables the account


Ability to suppress session information pop up when logging in to GUI


Profiling and conditions studio not loading or taking up to 30 minutes


Error when attempting to change ISE-PIC GUI admin user settings


When running a report for endpoint purge, no reports are shown if the purged endpoint count is 0


Bad Request error when refreshing My Devices portal


Incorrect DNS configuration can lead to TACACS or RADIUS authentication failure


Show running-config fails to complete


Import NAD is failing with an error when shared secret key has special character


Changes to Network Device Groups not reflected in Change Audit logs


Unable to manage ISE internal network access users without an Identity Group


RADIUS Authentication Troubleshooting window not filtering properly


Cisco ISE 2.4 patch 5 crashing frequently and generating core files


PassiveID alarms should be triggered for inactivity for each DC separately


PSN should be capable of identifying delays in mappings from PassiveID agent


Application server takes more time to initialize


While updating the Profile Description field in Client Provisioning Resources window, if Enter is used to create a new line, "Fail to receive server response due to the network error" message is displayed


Posture Condition failed with "Check vc_visInst_v4_CiscoAnyConnectSecureMobility Client_4_x is not found" error


"Plus License is out of compliance" message seen while regenerating the ISE Root CA


Suspected memory leak in io.netty.buffer.PoolChunk


Guest email not sent after changing SMTP server


Sponsor group membership removed when adding or removing AD group


ISE with DUO as External RADIUS Proxy drops access-reject


ISE 2.4 patch 6: REST API MnT query to get device by MAC address taking more than 2 minutes


Change Configuration Audit report missing IP Address and modified properties in CSV export


Posture fails when primary PSN or PAN is unreachable


Certificate chain is not sent on the guest portal


Cisco Identity Services Engine Cross-Site Scripting Vulnerability


Guest password policy settings cannot be saved when set to ranges for alphabets or numbers


Time Vs Throughput chart in ISE Health Summary report using wrong units


ISE Radius Live Sessions window showing No Data Found


ISE not doing lookup for all MAC addresses causing redirectless Posture to fail


ISE should either allow IP only for syslog targets or provide DNS caching


ISE 2.4 Application server going to Initializing state on enabling endpoint debugs


Application server crashes while transitioning into stopping state


MAC 11 Big Sur BYOD flow failed


Endpoint data not visible on secondary Admin node


GRUB2 Arbitrary Code Execution Vulnerability


Log Collection Error alarms appear


Guest API allows restricted sponsor to create guest accounts even for the unallowed guest type


Session cache for dropped session not getting cleared and causing High CPU on the PSNs


Authorization profile not saved with proper attributes when Security Group selected under common tasks


Max Sessions Limit is not working for Users and Groups


Going back to network list removes the applied filter


pxGrid internal client ping failed


Not able to see the guest identity in the DNAC Assurance window


Modify TCP settings to enhance TACACS+ and TCP on ISE


While renewing ISE certificate for HTTPS, EAP, DTLS, PORTAL, only Portal and Admin roles get applied


BYOD Flow is broken in iOS 14 beta


DNA ACA Security Groups sync fails with JDBCException error


Discovery host description text is misleading


Live session details report show incorrect authorization profile and policy for VPN Posture scenario


Livelog sessions show incomplete authorization policy for VPN Posture scenario


Context Visibility shows incorrect authorization profile and policy for VPN Posture scenario


ISE Guest portal registration and expiration email need to maintain format entered in the portal


Cannot start CSV exporting for Selected User in internal ID Store


RADIUS passed-auth live logs not sent due to invalid IPv6 Address


Manual NMAP not working when only custom ports are enabled


Unable to create posture condition for LANDESK


PSK cisco-av-pair throws an error if the key contains < or > symbols


NFS repository is not working from GUI


Generate self-signed certificates and CSR default parameters don't match pre-installed self-signed certificate


Internal CA Certificate not getting deleted when node is removed from deployment


Error storing the running-config lead to loss of startup config


Device admin service is getting disabled when updating TACACS configuration


TrustSec enabled NADs not showing in TrustSec Matrices when NDG column exceeds 255 characters


Mapped SGT entry cleared from Authorization Rules if Security Group name is modified in Cisco DNA Center


Heap Dump generation fails post reset-config of ISE node


ISE must allow Posture Grace Period more than 30 days


Can't get the download link of NetworkSetupAssistant.exe using Aruba dynamic URL redirect


ISE Hotspot guest portal flow broken


Application server marked as Initializing when ISE_EST_Local_Host RADIUS shared secret is empty


Export of current active session reports only shows sessions that have been updated since midnight


Context Visibility CSV exported from CLI not showing IP addresses


ISE 2.6/2.7 Repositories get deleted post ISE node reload


Suspended Guest User is not automatically removed from Endpoint Group


Saving command with parenthesis in TACACS command set gives an error


Group lookup failed as empty value was appended to the context


Certificate Authority Service initializing EST Service not running after upgrade to ISE 2.7 patch 2


ISE RADIUS Live Log details missing AD-Group-Names under Other Attributes section


Operational backup throws error if available free space in /opt folder is 1 TB or greater


Authentication summary report gets stuck if the total records are more than 5M


ISE SXP should have a mechanism to clear stale mappings learned from session


Need to add the ability to use a forward slash in the IP data type of internal user custom attribute


Unable to create unique community string for different SNMP servers


Proxy bypass settings do not allow uppercase characters


Custom Attribute from Culinda not showing in endpoint GUI page


Network Device API call throws error 500 if you query a non-existent network device


PSN rmi GC collection not working properly causing memory leak in PassiveID flow


Case sensitivity on User Identity Groups causes "Select Sponsor Group Members" window to not load


Memory Leak on PSN nodes


Radius Server Sequence window showing "no data available"


Cisco Identity Services Engine Untrusted File Upload Vulnerability


Posture Assessment by Condition report displays No Data with Condition Status filter


Security Group values in Authorization Profile disappear shortly after fetching


Can't modify AUP Text


ISE not consuming plus license when using local or global exceptions


ISE 3.0 REST ID log file not included in support bundle


ISE 3.0 Health Check License validation false Alarm


ISE constantly sending internal Super Admin user requests to external RADIUS token server


Unable to retrieve LDAP Groups/Subject Attributes when % character is used twice or more in bind password


Client Provisioning window does not show current settings properly


Bulk certificate generation failed with "An unexpected error occurred" message after primary PAN failure


Missing local disk utilization information


ISE generating CSR with hostname-x in SAN gives an error


Posture auto-update not running


Need DigiCert Global Root G2 in CTL for ROPC


Network Device IP filter does not match IPs that are inside subnets


Upgrade failing at RuleResultsSGTUpgradeService step


High memory usage on the PSN nodes with PassiveID flow


Smart Licensing Entitlement tab gets stuck at "Refreshing" if there is connection failure


ISE 2.6 scheduled reports are not working when primary MnT is down


ISE collection filters not displayed in GUI


"NetworkAuthZProfile with entered name already exists" message seen while trying to create an SGT with name "Employees"


Users that do not belong to the sponsor group are able to login in the sponsor portal


Cannot configure scheduled config and operational backup with start date same as current day


Double Slash "//" added in File Path for SFTP servers


GBAC configuration not synced between DNAC and ISE


Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability


ISE PIC Licensing window is not loading


Maximum time difference not specified for "thisUpdate of OCSP response"


ISE nodes intermittently trigger Queue Link alarms


Unable to load Context Visibility window for custom view in ISE 2.7 patch 2


ISE configuration restore fails at 40% with "DB Restore using IMPDP failed" error


ISE GUI login page shows error while using Chrome version 85/86


Memory leak after adding AD Groups for PassiveID flow


NTP does not work because internal user 'chrony' not created


Sponsor is unable to view the list of created guest users


ACI mappings are not being deleted after a delete message


Posture does not work with dynamic redirection on third party NADs


Not throwing error for IP overlap case


High CPU on PSN node


Scheduled operational data backups not being triggered after Primary MnT reload


Pushing IP to SGT mapping from ISE to switch doesn't work if default route is tagged


Editing external data source posture condition is showing always the wrong AD


NAD Location is not updated in Context Visibility ElasticSearch


Agent marks DC as down if agent service comes up before windows network interface


Authorization Profiles showing "No data available" after NAD profile is deleted


Endpoints not purged due to an exception


Cisco Identity Services Engine Untrusted File Upload Vulnerability


PassiveID is not working stable with multi-connect syslog clients


ISE 3.0 not importing certificates missing CN and SAN into Trusted Certificate Store


International Phone Number dropdown box not working in ISE 2.7


NADs shared secrets are visible in the logs while using APIs


Internal User custom attributes are not sent in CoA-Push


SAML groups do not work if they are applied in the Sponsor Portal Groups


ISE MnT Live Session status is not changing to Postured in VPN use case


Enabling Essentials licenses only block access to Network Devices tab


GUI not accessible after applying IP Access restrictions


ISE Service Account Locked and WMI not established due to special characters in password


ANC CoA not working as ISE uses hostname for internal calls


Exception shown in ise-psc.log for repository while loading Backup and Restore window


Sophos 10.x definition missing from Anti-malware condition for MAC OSX


Guest portal creation failure with ISE 3.0


ISE 3.0 Syslog provider cannot apply configuration


Cisco ADE-OS Local File Inclusion Vulnerability


ISE is not processing gathered SNMP information for endpoint


API IP SGT mapping not returning result for [No Devices]


No TACACS Command Accounting report for third party device with a space before TACACS command


CoA-disconnect is not issued by ISE for Aruba WLC when grace access is expired


AD security groups cannot have their OU end with dot character on RBAC policies


ISE is not allowing to import CA signed certificate on top of self-signed certificate


Session which was previously having Postured Live Session state is moving to Started upon receiving Accounting Interim Update from NAD


SB should collect Hibernate.log


ISE does not display Full Authorization rules if it has 50 rules or more in Japanese GUI


ISE fails to send CoA from PSNs with "Identifier Allocation Failed" error


RADIUS requests dropped after deleting policy sets


All Processes need to be stopped before dropping schema objects


ISE 3.0 policy condition studio GUI bug


RADIUS server sequence gets corrupted when selected external server list is modified


Total mappings not displayed properly when using multiple SXP nodes in ISE deployment


Guest user is created with incorrect lifetime


Sponsor portal shows wrong week information on setting date while using Chinese language


"All SXP Mapping" table contains terminated sessions on ISE


NTP sync failure alarms that are not relevant need to be changed


MnT node name set to NULL when IP access enabled


HotSpot Guest portal displays Error Loading Page when passcode field contains special characters


ISE Conditions Library corruption during Pen test


Dot1x authentication failed due to duplicate manager


NTP out of sync after upgrade to ISE 2.7


CWE-20: Improper input validation for Create Node Group


Authentication Passed live logs are not seen when using a profile name with more than 50 characters


"Radius Authentication Details" report takes time when ISE Messaging Service is disabled


Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities


Sorting based on username doesn't work in User Identity Groups


TACACS+ Endstation Network Conditions scrollbar not working


Authorization profile CWA option does not work correctly with some network device profiles


Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities


Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities


Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities


Configuration Audit detail does not show which Policy Set was modified


TACACS+ Device Network Conditions and Device Port Network Conditions tabs scrollbar not working


ISE pxGrid exceptions should have ERROR log level instead of DEBUG


Live session is not showing correct active session


MAB authorization is failing if AD object representing the MAC address is in disabled state


MAB authentication via Active Directory passes with AD object disabled


DB Clean up hourly cron acquiring DB lock causing deployment registration failure


For PKI based SFTP, exporting GUI key for MnT node is only possible when it is promoted as PAN


Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities


RBAC rules not enforced in ISE 2.7


Unable to edit, duplicate, or delete guest portals.


Change in Polling interval not taking effect for external MDM server (Microsoft_intune)


Static policy and group assignment are lost from EP when updating custom attributes from API


Internal user export feature shows no error for invalid characters in password


Itune integration throws error while Test Connection works fine in MDM window


Unable to fetch Azure AD groups


Generate bulk certificates do not include ISE self-signed certificate


Adding a network device gives "Unable to load NetworkDevices" error


Admin access with certificate based authentication can be bypassed by going directly to login.jsp


Creating a node group named "None" breaks replication


Error seen when trying to sort endpoint's Applications by "Running process" in Context Visibility


ISE remains in eval expire state even after registering with Smart Licensing


Latency in loading certain pages due to stale certificate entries in ISE TrustCert Store


DNS Resolvability in Health Checks: False failures with ISE FQDN as CNAME


Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021


"ipv6 address autoconfig" gets removed when changing IP address of bond interface


Authorization should look up MAC address in format configured in ODBC Stored-Procedures window


Support bundle does not capture ise-jedis.log files on ISE 2.7 and later


On recreating Root CA, Jedis DB connection pool is not recreated


Authentication Method conditions not matching in Policy Set entry evaluation


SGA value under-provisioned for SNS 3515 running all personas on same node


Error 400 while authenticating to Sponsor portal with Single Sign-on/Kerberos user account


Sponsor portal gives "Invalid Input" if the "mobile number" field is unchecked in portal settings


Unable to get all tenable adapter repositories with Tenable SC 5.17


No login fail log when using external username and wrong password


Receiving acct stop without NAS-IP address keeps session in started state


ISE AD runtime should support rewrite a1-a2-a3-a4-a5-a6 to a1a2a3a4a5a6


CoA failure upon endpoint change to a new switch-port and Endpoint Identity Group change


In EAP chaining scenario, posture policy failed to retrieve machine AD group membership


Session Directory topic does not update user SGT attribute after a dynamic authorization


AMP events for new endpoints are not correctly mapped


Memory leak on TACACS flow


NIC bonding prevents MAR cache replication


Authorization policy conditions are not correctly formatted


Default Network Devices window requires Plus license to allow configuration


TrustSec policy matrix allows limited scrolling in ISE 3.0


isedailycron temp1 tracking is causing delay in AWR reports


Clicking a network device in Top N Authentication by Network Device report is redirecting to TACACS Authentication instead of RADIUS Authentication


ERS self-registration portal update is not deleting fields as expected in PSN


ISE Log Collection error "Session directory write failed"


ISE not updating the Json file information in the AnyConnect output config file


"Invalid phone number format" error seen on mobile devices using the Country-code drop-down option


Deployment went out of sync due to unavailability of database connections


ISE does not accept % in EXEC or Enable Mode password in network device trustsec configuration


REST authentication service is disabled when backup interface is configured


Emails sent for all system alarms using legacy data even when there is no email address configured in current deployment


Qualys integration is failing with ISE


MacOS Big Sur 11.x BYOD failing EAP-TLS when using a CA signed certificate


Increase the maximum allowable value of the posture grace period from 30 to 90 days


Internal user inactivity timer is not updated due to login letter case


ISE can't handle deletion/addition of SXP-IP mappings propagation due to race condition


Smart license of de-registration flow is not working in ISE and ISE-PIC


The instruction box should be removed when the login-page message is empty


UI issues on TrustSec window


RADIUS Token Identity Source Prompt vs Internal User prompt for TACACS authentication


EST service not running on ISE 2.7 patch 2 and above


Top Authorization report does not show filter in scheduled reports


PAN should not be listening on port 8905


ROPC authentication is failing with non Base64 characters in the password


Internal ERS user attempting to authenticate via external ID store causing REST delays


NAD IP definitions using - or * do not perform full IP comparison


MNT REST API for ReAuth fails when used in distributed deployment (with separate MnT)


TACACS Reports Advance filters not working when matching full numeric ID entries


All SXP Mappings window not displaying IPv6 mappings learned via Session


Manual Active Session report is empty


Agentless Posture doesn't install CA certificate chain in endpoint Trusted Store


Agentless Posture fails if ISE admin certificate CN is not equal to FQDN


Agentless posture breaks if Windows username includes a space


High CPU seen on PSN nodes from ISE 2.6 patch 3 onwards due to PIP query evaluation


Unable to update domains to be blocked/allowed via API


Cisco Identity Services Engine Self Cross-Site Scripting Issue


ISE REST API returns duplicate values for IP-SGT mappings


RADIUS Accounting Details report does not display Accounting details


Special characters allowed previously in Descriptions field for few objects no longer can be used


Maximum height of Description field in ISE authorization profile UI too small in FF 88


ISE not accepting more than 6 attributes to be modified in RADIUS server sequence configuration


"/opt/CSCOcpm/config/ 396:<ipv6>:command not found" error seen during CLI backup


ISE does not accept name of custom attribute for Framed-IPv6-Address in the authorization profile


LDAP groups disappear from Sponsor group when making other changes to options


Sponsor user cannot edit data when phone/email fields are filled


Application Server stuck on initializing state due to certificate template curve type P-192


ISE 2.3 and later versions do not support "carriage return" <cr> character in command-set


ISE 2.7 patch 3 GUI doesn't show all device admin authorization policies


AAA requests without Framed-IP value will cause exception in SXP process


Updating a custom attribute through ERS request updates another attribute as well


TACACS custom AV pair as condition in policies is not working


ISE Application server crash/restart due to cancellation of configuration backup


ISE Guest Self-Registration error for duplicate user when "Use Phone number as username" option is enabled


Intermittent error on Cisco DNA Center while trying to deploy policy


ISE installation fails with Database Priming Failed error when All Numbers subdomain is used


ISE authorization profile ERS update ignores accessType attribute changes


While editing a NAD, wrong device profile is being mapped


Setup wizard password does not support hyphen after reset of config via CLI


ISE 2.7 Patch 3 ERS call is not accepting RADIUS shared secret with 3 characters


Generate key pair accepts space but cannot export key


[ 400 ] Bad Request error with SAML SSO OKTA on Apple devices


REST API for CoA works with any server IP


Configuring WMI with an AD account password containing % results in an error


Customer fields in guest portal contain & - $ #


Authentication via ISE fails with "Invalid login credentials" error


ISE internal users are not getting disabled after hitting inactivity timer


ISE DACL Syntax validator does not comply with ASA's code requirements


Delete 'All' function showing incorrect number of endpoints on confirmation popup


Need the Select ALL device option with or without filter in NAD page


Incorrect Posture Compound Condition Hotfixes


First/Last name wrongly displayed as Unicode of Chinese in Network Access Users window after upgrade


Duplicated RADIUS vendor ID can cause PSN to crash


The log level for OcspClient must be changed to ERROR instead of WARN


Inconsistency between ISE syslog level and message level

Open Caveats in Cisco ISE Release 3.1

Caveat ID Number



Accounting report export is taking more time to complete

CSCwc83059 Post full upgrade VCS information is missing


Version negotiation fails as new SXP version is unrecognizable in ISE


Android BYOD flow with EST and StaticIP/Hostname/FQDN fails


Policy change doesn’t get pushed to the network device after ISE HA


Okta redirection happens only after the initially added SAML configuration is deleted and reconfigured


Unable to see the pxGrid pages in GUI, after pxGrid is enabled and disabled in Deployment tab on secondary node

Communications, Services, and Additional Information

  • To receive timely and relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you are looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure and validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain information about general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.