Introduction to Cisco Identity Services Engine

Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, wireless controllers, Virtual Private Network (VPN) gateways, 5GaaS networks, and data center switches. Cisco ISE acts as the policy manager in the Cisco TrustSec solution and supports TrustSec software-defined segmentation.

Cisco ISE is available on secure network server appliances with different performance characterizations, and also as software that can be run on a virtual machines (VMs). Note that you can add more appliances to a deployment for better performance.

Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services, where needed, in a network, but operate the Cisco ISE deployment as a complete and coordinated system.

For detailed Cisco ISE ordering and licensing information, see the Cisco Identity Services Engine Ordering Guide.

For information on monitoring and troubleshooting the system, see the "Monitoring and Troubleshooting Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.

What is New in Cisco ISE, Release 3.1?

This section lists the new and changed features in Cisco ISE 3.1.


Note

Cisco ISE 3.1 OVA, ISO, and upgrade bundle files have been replaced on the Software Download site. For more information, see Cisco ISE 3.1 Files Replaced on Software Download Site.


Android Settings for Native Supplicant Profile

Android settings are added for native supplicant profile. You can select one of the following options for Certificate Enrollment Protocol:

  • Enrollment over Secure Transport (EST)

  • Simple Certificate Enrollment Protocol (SCEP)

If you choose the EST protocol, Cisco ISE will ask for additional password inputs from Android users while issuing certificates.

For more information, see "Native Supplicant Profile Settings" in the Chapter "Compliance" in the Cisco ISE Administrator Guide, Release 3.1.

Enhancements in Audit Logs

The following audit logs have been enhanced to include more details about relevant events:

  • Posture audit logs now include information regarding:

    • Creation and deletion of posture policies.

    • Changes made to existing posture policies, such as changes in fields such as Conditions, Rule Name, and so on.

    • Addition, deletion, or modification in posture configurations such as Conditions, Remediation Actions, Requirements, and so on.

  • RBAC audit logs now include information regarding creation and deletion of existing menu access and data access content.

  • Network Access and Admin Users audit logs now include information regarding creation, edition, and deletion of Network Access and Admin Users.

Bidirectional Posture Flow

You can configure AnyConnect to probe Cisco ISE at specified intervals when the posture status is not compliant. This helps prevent a client from being stuck in pending state.

The bidirectional posture flow is supported for Windows, Linux, and MacOS clients.

For more information, see "Bidirectional Posture Flow" in the Chapter "Compliance" in the Cisco ISE Administrator Guide, Release 3.1.

Obtain Configuration Backup Using Cisco Support Diagnostics Connector

You can use Cisco Support Diagnostics Connector to trigger configuration backup and upload the backup files to the Cisco Support Diagnostics folder. After uploading the backup files to the Cisco Support Diagnostics folder, you can delete the backup files from the Cisco ISE local disk. To use this feature, you must enable smart licensing and Cisco Support Diagnostics in Cisco ISE.

For more information, see "Obtain Configuration Backup Using Cisco Support Diagnostics Connector" in the Chapter "Troubleshoot" in the Cisco ISE Administrator Guide, Release 3.1.

Configuration of Authorization Result Alarm

You can configure alarms based on the results of authorization policies. This allows you to monitor the impact of any networking, infrastructure, or application changes on endpoint authorizations. You can define the scope of your alarms by choosing specific Network Device Groups (NDGs). For each NDG you choose, a new Authorization Result alarm is created.

You can filter the authorization logs to be monitored for an alarm by choosing specific authorization profiles and Security Group Tags (SGTs). Only endpoints that have met authorization policy sets with the specified authorization profiles and SGTs are monitored by the alarm.

For more information, see "Configure Authorization Result Alarm" in the Chapter "Troubleshoot" in the Cisco ISE Administrator Guide, Release 3.1.

Configuration of Preferred Domain Controllers

You can specify the domain controllers that you want to use in case of domain failover. If a domain fails, Cisco ISE compares the priority scores of the domain controllers that are added to the preferred list and selects the one with the highest priority score. If that domain controller is offline or is not reachable because of an issue, the next one in the preferred list with the highest priority score is used. If all the domain controllers in the preferred list are down, a domain controller outside the list is selected based on the priority score. When the domain controller that was used before the failover is restored, Cisco ISE switches back to that domain controller.

For more information, see "Configure Preferred Domain Controllers" in the Chapter "Asset Visibility" in the Cisco ISE Administrator Guide, Release 3.1.

Context Visibility Enhancements

  • In the Export Endpoints dialog box, you can now check the Importable Only check box if you want to export only the attributes that can be imported to Cisco ISE without any modification to the CSV file. Using this option prevents the need to modify the columns or metadata in the exported CSV file before importing it to Cisco ISE.

  • While using the Quick Filter or Advanced Filter option, you can use the Export Filtered option to export only the filtered endpoints.

For more information, see "Export Endpoints Using CSV File" in the Chapter "Asset Visibility" in the Cisco ISE Administrator Guide, Release 3.1.

Full Upgrade and Split Upgrade Options Added to Cisco ISE GUI

In the Administration > System > Upgrade> Upgrade Selection window, you can choose one of the following options based on your requirements:

  • Full Upgrade: Full upgrade is a multistep process that enables a complete upgrade of your Cisco ISE deployment sequentially. This upgrades all the nodes in parallel and in lesser time compared to the split upgrade process. Because all the nodes are upgraded parallelly, services will be down during the upgrade process.

  • Split Upgrade: Split upgrade is a multistep process that enables the upgrade of your Cisco ISE deployment while allowing services to remain available during the upgrade process for users. With the split upgrade option, you will be able to choose the nodes to be upgraded.

For more information, see "Upgrade a Cisco ISE Deployment from the GUI" in the Chapter "Upgrade Method" in Cisco Identity Services Engine Upgrade Journey, Release 3.1.

Cisco ISE on Amazon Web Services

You can launch a Cisco ISE instance on the Amazon Web Services (AWS) platform using a Cloud Formation Template (CFT) or an Amazon Machine Image (AMI).

For more information, see the Chapter "Install Cisco ISE with AmazonWeb Services" in Cisco ISE Installation Guide, Release 3.1.

Virtual Appliance Licenses

Cisco ISE Release 3.1 and later supports the ISE VM license, which replaces the VM Small, VM Medium, and VM Large licenses that were supported in releases prior to Release 3.1. The new ISE VM license covers the Cisco ISE VM nodes in both on-premises and cloud deployments.

For more information, see "Cisco ISE Licenses" in the Chapter "Licensing" in the Cisco ISE Administrator Guide, Release 3.1.

Download or Upload Files from Local Disk

You can easily add, download, or delete the files that are used for local disk management.

For more information, see "Download and Upload Files from Local Disk" in the Chapter "Maintain and Monitor" in the Cisco ISE Administrator Guide, Release 3.1.

MacOS Versions in Posture Policy Configurations

In Cisco ISE 3.0 and earlier, you could configure posture policies and requirements with minor MacOS versions such as MacOS 11.1, MacOS 11.2, and so on. In Cisco ISE 3.1, you can only choose major MacOS versions such as MacOS 11 (All) to configure posture policies and requirements.

When you upgrade to Cisco ISE 3.1, any posture condition that includes a minor MacOS version is automatically updated to the corresponding major MacOS version. For example, a posture condition that was configured for MacOS 11.1 will be updated to MacOS 11 (All).

OpenAPI Service

OpenAPIs are REST APIs based on HTTPS operating over port 443. From Cisco ISE 3.1 onwards, newer APIs are available in the OpenAPI format. For more information on Cisco ISE OpenAPIs, see https://<ise-ip>/api/swagger-ui/index.html.

The following OpenAPIs have been introduced in Cisco ISE 3.1:

  • Repository Management

  • Configuration Data Backup and Restore

  • Certificate Management

  • Policy Management

    • RADIUS Policy

    • TACACS+ Policy

For more information, see "Enable API Service" in the Chapter "Basic Setup" in Cisco ISE Administrator Guide, Release 3.1.

Posture Support for Linux Operating System

Posture is a service in Cisco ISE that allows you to check the state of all the endpoints that are connecting to a network for compliance with corporate security policies. Cisco ISE 3.1 supports the following Linux operating system versions, in addition to Windows and Mac operating systems:

  • Ubuntu

    • 18.04

    • 20.04

  • Red Hat

    • 7.5

    • 7.9

    • 8.1

    • 8.2

    • 8.3

  • SUSE

    • 12.3

    • 12.4

    • 12.5

    • 15.0

    • 15.1

    • 15.2

The following posture conditions are supported for Linux operating system:

  • File Condition

  • Application Condition

  • Antimalware Condition

  • Patch Management Condition

You can configure agent profiles for Linux clients. You can add client-provisioning resources for AnyConnect Linux clients.

For more information, see the Chapter "Compliance" in Cisco ISE Administrator Guide, Release 3.1.

ERS Service Auto Enabled on VMware Cloud Environment

The External RESTful Services (ERS) API service is enabled by default when the Amazon Machine Image (AMI) version of Cisco ISE is deployed on a VMware Cloud environment. This helps in easy integration of Cisco ISE with other Cisco products and third-party applications, without the need to enable the ERS service from the Cisco ISE GUI.

For more information, see "Enable API Service" in the Chapter "Basic Setup" in the Cisco ISE Administrator Guide, Release 3.1.

pxGrid Client Auto Approval API

pxGrid can be used to share context-sensitive information from the Cisco ISE session directory with other network systems such as Cisco ISE ecosystem partner systems and other Cisco platforms. The pxGrid Client Auto Approval API can be used to:

  • Enable automatic approval of certificate-based connection requests from new pxGrid clients. Enable this option only when you trust all the clients in your environment.

  • Enable username or password-based authentication for the pxGrid clients. When this option is enabled, pxGrid clients cannot be automatically approved. A pxGrid client can register itself with the pxGrid controller by sending the username through a REST API. The pxGrid controller generates a password for the pxGrid client during client registration. An administrator can approve or deny the connection request.

For more information about the PxGrid Client Auto Approval API, see the “pxGrid Settings” section in the ERS SDK. You can access the ERS SDK with the following URL:

https://<ISE-Admin-Node>:9060/ers/sdk


Note

Only users with ERS Admin role can access the ERS SDK.


Configuration of Maximum Password Attempts for Active Directory Account

You can configure the badPwdCount attribute to prevent Active Directory account lockout due to too many bad password attempts. Before authenticating the user, Cisco ISE compares the maximum bad password attempts configured in Cisco ISE with the current value of the badPwdCount attribute on Active Directory. When the maximum bad password attempts configured in Cisco ISE is equal to the value of the badPwdCount attribute, the authentication is dropped and not sent to Active Directory.

For more information, see "Configure Maximum Password Attempts for AD Account" in the Chapter "Asset Visibility" in the Cisco ISE Administrator Guide, Release 3.1.

Handle Random and Changing MAC Addresses with Mobile Device Management Servers

As a privacy measure, mobile devices and some desktop operating systems increasingly use random and changing MAC addresses for each SSID that they connect to. In Cisco ISE, you can now work around this problem by configuring Cisco ISE to use a unique device identifier called GUID instead of MAC addresses. When an endpoint enrolls with a Mobile Device Management (MDM) server, the MDM server sends a certificate with a GUID value to the endpoint. The endpoint uses this certificate for authentication with Cisco ISE. Cisco ISE receives the GUID for the endpoint from the certificate. All communications between Cisco ISE and the MDM server now use the GUID to identify the endpoint, ensuring accuracy and consistency between the two systems.

For more information, see "Handle Random and Changing MAC Addresses With Mobile Device Management Servers" in the Chapter "Secure Wired Access" in Cisco ISE Administrator Guide, Release 3.1

MAC Randomization for BYOD

Android and iOS devices increasingly use random and changing MAC addresses for each SSID that they connect to. Cisco ISE and MDM systems see different MAC addresses for the same device depending on which SSID they use to connect to the service. Therefore, a unique identifier is generated by the Cisco ISE Provisioning service to identify these endpoints.

For more information, see "MAC Randomization for BYOD" in the Chapter "Basic Setup" in Cisco ISE Administrator Guide, Release 3.1.

Endpoint API Enhancement

The logicalProfileName filter can be used to get endpoints that belong to a specific Logical Profile. The supported operator for logicalProfileNamefilter is EQ (equal to). The syntax to invoke the API with this filter is:

/ers/config/endpoint?filter={filter name}.{operator}.{logical profile name}

For more information, see Cisco ISE API Reference Guide.

Posture Script Remediation

You can create and upload posture remediation scripts to Cisco ISE to resolve non-compliance issues in endpoints.

For more information, see "Add a Script Remediation" in the Chapter "Compliance" in Cisco ISE Administrator Guide, Release 3.1.

RHEL 8.2 Support

Cisco ISE runs on the Cisco Application Deployment Engine Operating System (ADEOS), which is based on Red Hat Enterprise Linux (RHEL). For Cisco ISE 3.1, ADEOS is based on RHEL 8.2.

RHEL 8.2 supports the following VMware ESXi versions:

  • VMware ESXi 6.5

  • VMware ESXi 6.5 U1

  • VMware ESXi 6.5 U2

  • VMware ESXi 6.5 U3

  • VMware ESXi 6.7

  • VMware ESXi 6.7 U1

  • VMware ESXi 6.7 U2

  • VMware ESXi 6.7 U3

  • VMware ESXi 7.0

  • VMware ESXi 7.0 U1

  • VMware ESXi 7.0 U2

For more information, see the Chapter "Overview" in Cisco Identity Services Engine Upgrade Journey, Release 3.1.

SAML-Based Admin Login

SAML-based admin login adds a single sign on capability to Cisco ISE using the SAML 2.0 standard. You can use an external Identity Provider such as Okta or any Identity Provider that implements SAML 2.0.

For more information, see "SAML-based Admin Login" in the Chapter "‘Asset Visibility" in Cisco ISE Administrator Guide, Release 3.1.

Specific License Reservation

Specific License Reservation is a smart licensing method that helps you manage your smart licensing when your organization's security requirements do not allow a persistent connection between Cisco ISE and the Cisco Smart Software Manager (CSSM). Specific License Reservation allows you to reserve specific license entitlements on a Cisco ISE node.

You can create a Specific License Reservation by defining the type and number of licenses you need to reserve, and then activate the reservation on a Cisco ISE node. The Cisco ISE node on which you register and enable the reservation then tracks license usage and enforces license consumption compliance.

For more information, see "Specific License Reservation" in the Chapter "Licensing" in Cisco ISE Administrator Guide, Release 3.1.

Upgrade to pxGrid 2.0

From Cisco ISE Release 3.1, all pxGrid connections must be based on pxGrid 2.0. pxGrid 1.0-based (XMPP-based) integrations will cease to work on Cisco ISE from Release 3.1 onwards.

pxGrid Version 2.0, which is based on WebSockets, was introduced in Cisco ISE Release 2.4. We recommend that you plan and upgrade your other systems to pxGrid 2.0-compliant versions in order to prevent potential disruptions, if any, to integrations.

For more information, see the Chapter "pxGrid" in Cisco ISE Administrator Guide, Release 3.1.


Note

The output of show application status ise command reflects only the status of pxGrid 1.0 services.


Zero Touch Provisioning

Zero Touch Provisioning (ZTP) refers to the uninterrupted provisioning mechanism that helps to automate Cisco ISE installation, infrastructure service enablement, patching, and hot patching without manual intervention.

For more information, see "Zero Touch Provisioning" in the Chapter "Additional Installation Information" in Cisco ISE Installation Guide, Release 3.1.

Cisco Secure Access Control System-to-Cisco ISE Migration Tool

The Cisco Secure Access Control System-to-Cisco ISE Migration Tool is not supported for Cisco ISE 3.1 and later. End-of-Life dates have been announced for Cisco Secure Access Control System. For more information, see End-of-Life Notice.

System Requirements

For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.

For more details on hardware platforms and installation of this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.

Supported Hardware

Cisco ISE 3.1 can be installed on the following platforms:

Table 1. Supported Platforms

Hardware Platform

Configuration

Cisco SNS-3595-K9 (large)

For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide.

Cisco SNS-3615-K9 (small)

Cisco SNS-3655-K9 (medium)

Cisco SNS-3695-K9 (large)

After installation, you can configure Cisco ISE with specific component personas such as Administration, Monitoring, or pxGrid on the platforms that are listed in the above table. In addition to these personas, Cisco ISE contains other types of personas within Policy Service, such as Profiling Service, Session Services, Threat-Centric NAC Service, SXP Service for TrustSec, TACACS+ Device Admin Service, and Passive Identity Service.


Note

  • Cisco ISE 3.1 does not support the Cisco Secured Network Server (SNS) 3515 appliance.

  • Memory allocation of less than 16 GB is not supported for VM appliance configurations. In the event of a Cisco ISE behavior issue, all the users are required to change the allocated memory to at least 16 GB before opening a case with the Cisco Technical Assistance Center.


Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

    • VMware version 9 for ESXi 6.5

    • VMware version 14 for ESXi 6.7 and later

    You can deploy Cisco ISE on VMware cloud solutions on the following public cloud platforms:

    • VMware cloud in Amazon Web Services (AWS): Host Cisco ISE on a software-defined data centre provided by VMware Cloud on AWS.

    • Azure VMware Solution: Azure VMware Solution runs VMware workloads natively on Microsoft Azure. You can host Cisco ISE as a VMware virtual machine.

    • Google Cloud VMware Engine: Google Cloud VMware Engine runs software defined data centre by VMware on the Google Cloud. You can host Cisco ISE as a VMware virtual machine on the software defined data centre provided by the VMware Engine.

  • Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later

  • KVM on QEMU 2.12.0-99

  • Nutanix AHV 20201105.2096


Note

From Cisco ISE 3.1, you can use the VMware migration feature to migrate virtual machine (VM) instances (running any persona) between hosts. Cisco ISE supports both hot and cold migration. Hot migration is also called live migration or vMotion. Cisco ISE need not be shutdown or powered off during the hot migration. You can migrate the Cisco ISE VM without any interruption in its availability.


For information about the virtual machine requirements, see the Cisco Identity Services Engine Installation Guide for your version of Cisco ISE.

Federal Information Processing Standard (FIPS) Mode Support

Cisco ISE uses embedded Federal Information Processing Standard (FIPS) 140-2-validated cryptographic module, Cisco FIPS Object Module Version 7.2 (Certificate #3790). For details about the FIPS compliance claims, see Global Government Certifications.

When FIPS mode is enabled on Cisco ISE, consider the following:

  • All non-FIPS-compliant cipher suites will be disabled.

  • Certificates and private keys must use only FIPS-compliant hash and encryption algorithms.

  • RSA private keys must be 2048 bits or greater.

  • Elliptical Curve Digital Signature Algorithm (ECDSA) private keys must be 224 bits or greater.

  • Diffie–Hellman Ephemeral (DHE) ciphers work with Diffie–Hellman (DH) parameters of 2048 bits or greater.

  • SHA1 is not allowed to generate ISE local server certificates.

  • The anonymous PAC provisioning option in EAP-FAST is disabled.

  • The local SSH server operates in FIPS mode.

  • The following protocols are not supported in FIPS mode for RADIUS:

    • EAP-MD5

    • PAP

    • CHAP

    • MS-CHAPv1

    • MS-CHAPv2

    • LEAP

Validated Browsers

Cisco ISE 3.1 has been validated with the following browsers:

  • Mozilla Firefox 102 and earlier versions from version 82

  • Mozilla Firefox ESR 91.3 and earlier versions

  • Google Chrome 103 and earlier versions from version 86

  • Microsoft Edge, the latest version and one version earlier than the latest version

Validated External Identity Sources


Note

The supported Active Directory versions are the same for both Cisco ISE and Cisco ISE-PIC.


Table 2. Validated External Identity Sources

External Identity Source

Version

Active Directory

1

Microsoft Windows Active Directory 2012

Windows Server 2012

Microsoft Windows Active Directory 2012 R2

2

Windows Server 2012 R2

Microsoft Windows Active Directory 2016

Windows Server 2016

Microsoft Windows Active Directory 2019

3

Windows Server 2019

LDAP Servers

SunONE LDAP Directory Server

Version 5.2

OpenLDAP Directory Server

Version 2.4.23

Any LDAP v3 compliant server

Any version that is LDAP v3 compliant

Token Servers

RSA ACE/Server

6.x series

RSA Authentication Manager

7.x and 8.x series

Any RADIUS RFC 2865-compliant token server

Any version that is RFC 2865 compliant

Security Assertion Markup Language (SAML) Single Sign-On (SSO)

Microsoft Azure

Latest

Oracle Access Manager (OAM)

Version 11.1.2.2.0

Oracle Identity Federation (OIF)

Version 11.1.1.2.0

PingFederate Server

Version 6.10.0.4

PingOne Cloud

Latest

Secure Auth

8.1.1

Any SAMLv2-compliant Identity Provider

Any Identity Provider version that is SAMLv2 compliant

Open Database Connectivity (ODBC) Identity Source

Microsoft SQL Server

Microsoft SQL Server 2012

Oracle

Enterprise Edition Release 12.1.0.2.0

PostgreSQL

9.0

Sybase

16.0

MySQL

6.3

Social Login (for Guest User Accounts)

Facebook

Latest

1

You can only add up to 200 Domain Controllers on Cisco ISE. On exceeding the limit, you will receive the following error:

Error creating <DC FQDN> - Number of DCs Exceeds allowed maximum of 200
2

Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2. However, the new features in Microsoft Windows Active Directory 2012 R2, such as Protective User Groups, are not supported.

3

Cisco ISE 2.6 Patch 4 and later support all the legacy features in Microsoft Windows Active Directory 2019.

See the Cisco Identity Services Engine Administrator Guide for more information.

Validated OpenSSL Version

Cisco ISE 3.1 is validated with OpenSSL 1.1.1k.

OpenSSL Update Requires CA:True in CA Certificates

For a certificate to be defined as a CA certificate, the certificate must contain the following property:

basicConstraints=CA:TRUE

This property is mandatory to comply with recent OpenSSL updates.

Known Limitations and Workarounds

This section provides information about the various known limitations and the corresponding workarounds.

Authentication Might Fail for SNMP Users After Upgrade due to Wrong Hash Value

If you are upgrading from Cisco ISE 2.7 or earlier release to Cisco ISE 3.1, you must reconfigure the settings for SNMP users after the upgrade. Otherwise, authentication might fail for SNMP users because of wrong hash value.

Use the following commands to reconfigure the settings for SNMPv3 users:

no snmp-server user <snmp user> <snmp version> <auth password> <priv password>

snmp-server user <snmp user> <snmp version> <auth password> <priv password>

Special Characters Usage Limitations in Name and Description Fields

  • These special characters cannot be used in the Description field for TACACS+ profiles and Device Administration Network conditions—[%\<>*^:"|',=/()$.@;&-!#{}.?]. Supported characters are alphanumeric, underscore, and space.

  • These special characters cannot be used in the Name and Description fields for Authorization profiles—%\<>*^:\"|',=. Supported characters for the Name and Description fields are alphanumeric, hyphen, dot, underscore, and space.

  • These special characters cannot be used in the Name and Description fields for Time and Date conditions—[%\#$&()~+*@{}!/?;:',=^`]"<>". Supported characters for the Name and Description fields are alphanumeric, hyphen, dot, underscore, and space.

Make a Wish Option not Available in Japanese

If you have configured your localization settings to enable Japanese in your Cisco ISE, note that the Make a Wish option will not be available in Japanese.

Radius Logs for Authentication

Details of an authentication event can be viewed in the Details field of the Radius Authentications window. The details of an authentication event are available only for 7 days, after which no data on the authentication event will be visible. All the authentication log data will be removed when a purge is triggered.

Server IP Update Under Trustsec AAA Server List

When the IP address of the Cisco ISE instance is changed using the CLI, Cisco ISE services are restarted. After the services are up, you must change the IP address of the Trustsec AAA server. In the Cisco ISE GUI, click the Menu icon () and choose Workcenters > TrustSec > Components > Trustsec Servers > Trustsec AAA Servers.

EAP-TLS Authentication Might Fail for Certificates Using TPM Module

In Cisco ISE Release 3.1, EAP-TLS authentication might fail for certificates using TPM module on Windows 10. This is an issue with the TPM module and not with Cisco ISE.

Upgrade Information

Upgrading to Release 3.1

You can directly upgrade to Release 3.1 from the following Cisco ISE releases:

  • 2.6

  • 2.7

  • 3.0

If you are on a version earlier than Cisco ISE, Release 2.6, you must first upgrade to one of the releases listed above, and then upgrade to Release 3.1.

We recommend that you upgrade to the latest patch in the existing version before starting the upgrade.

Cisco ISE 3.1 has parity with 2.6 Patch 9, 2.7 Patch 4​, and 3.0 Patch 2.

Upgrade Procedure Prerequisites

  • Run the Upgrade Readiness Tool (URT) before the upgrade to check whether the configured data can be upgraded to the required Cisco ISE version. Most upgrade failures occur because of data upgrade issues. The URT validates the data before the actual upgrade and reports the issues, if any. The URT can be downloaded from the Cisco ISE Download Software Center.

  • We recommend that you install all the relevant patches before beginning the upgrade.

For more information, see the Cisco Identity Services Engine Upgrade Guide.

Telemetry

After installation, when you log in to the Admin portal for the first time, the Cisco ISE Telemetry banner is displayed. Using this feature, Cisco ISE securely collects nonsensitive information about your deployment, network access devices, profiler, and other services that you are using. This data will be used to provide better services and more features in the forthcoming releases. By default, telemetry is enabled. To disable or modify the account information, choose Administration > Settings > Network Settings Diagnostics > Telemetry. The account is unique for each deployment. Each admin user need not provide it separately.

It may take up to 24 hours after the Telemetry feature is disabled for Cisco ISE to stop sharing telemetry data.

Types of data collected include Product Usage Telemetry and Cisco Support Diagnostics.

Cisco Support Diagnostics

The Cisco Support Diagnostics Connector enables Cisco Technical Assistance Center (TAC) and Cisco support engineers to obtain support information on the deployment through the primary administration node. By default, this feature is disabled. See the Cisco Identity Services Engine Administrator Guide for instructions on how to enable this feature.

Cisco ISE Live Update Portals

Cisco ISE Live Update portals help you to automatically download the Supplicant Provisioning wizard, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals are configured in Cisco ISE during the initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the corresponding device using Cisco ISE.

If the default Update portal URL is not reachable and your network requires a proxy server, configure the proxy settings. In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Settings > Proxy before you access the Live Update portals. If proxy settings allow access to the profiler, posture, and client-provisioning feeds, access to a Mobile Device Management (MDM) server is blocked because Cisco ISE cannot bypass the proxy services for MDM communication. To resolve this, you can configure the proxy services to allow communication to the MDM servers. For more information on proxy settings, see the "Specify Proxy Settings in Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.

Client Provisioning and Posture Live Update Portals

You can download Client Provisioning resources from:

In the Cisco ISE GUI, click the Menu icon () and choose Work Centers > Posture > Settings > Software Updates > Client Provisioning.

The following software elements are available at this URL:

  • Supplicant Provisioning wizards for Windows and Mac OS X native supplicants

  • Windows versions of the latest Cisco ISE persistent and temporal agents

  • Mac OS X versions of the latest Cisco ISE persistent agents

  • ActiveX and Java Applet installer helpers

  • AV/AS compliance module files

For more information on automatically downloading the software packages that are available at the Client Provisioning Update portal to Cisco ISE, see the "Download Client Provisioning Resources Automatically" section in the "Configure Client Provisioning" chapter in the Cisco Identity Services Engine Administrator Guide.

You can download Posture updates from:

In the Cisco ISE GUI, click the Menu icon () and choose Work Centers > Posture > Settings > Software Updates > Posture Updates

The following software elements are available at this URL:

  • Cisco-predefined checks and rules

  • Windows and Mac OS X AV/AS support charts

  • Cisco ISE operating system support

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the "Download Posture Updates Automatically" section in the Cisco Identity Services Engine Administrator Guide.

If you do not want to enable the automatic download capabilities, you can choose to download updates offline.

Cisco ISE Offline Updates

This offline update option allows you to download client provisioning and posture updates, when direct internet access to Cisco.com from a device using Cisco ISE is not available or is not permitted by a security policy.

To download offline client provisioning resources:

Procedure


Step 1

Go to: https://software.cisco.com/download/home/283801620/type/283802505/release/3.1.0.

Step 2

Provide your login credentials.

Step 3

Navigate to the Cisco Identity Services Engine download window, and select the release.

The following Offline Installation Packages are available for download:

  • win_spw-<version>-isebundle.zip—Offline SPW Installation Package for Windows

  • mac-spw-<version>.zip—Offline SPW Installation Package for Mac OS X

  • compliancemodule-<version>-isebundle.zip—Offline Compliance Module Installation Package

  • macagent-<version>-isebundle.zip—Offline Mac Agent Installation Package

  • webagent-<version>-isebundle.zip—Offline Web Agent Installation Package

Step 4

Click either Download or Add to Cart.


For more information on adding the downloaded installation packages to Cisco ISE, see the "Add Client Provisioning Resources from a Local Machine" section in the Cisco Identity Services Engine Administrator Guide.

You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Mac operating systems offline from an archive in your local system, using posture updates.

For offline updates, ensure that the versions of the archive files match the versions in the configuration file. Use offline posture updates after you configure Cisco ISE and want to enable dynamic updates for the posture policy service.

To download offline posture updates:

Procedure


Step 1

Go to https://www.cisco.com/web/secure/spa/posture-offline.html.

Step 2

Save the posture-offline.zip file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Mac operating systems.

Step 3

In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Settings > Posture.

Step 4

Click the arrow to view the settings for posture.

Step 5

Click Updates.

The Posture Updates window is displayed.
Step 6

Click the Offline option.

Step 7

Click Browse to locate the archive file (posture-offline.zip) from the local folder in your system.

Note 
The File to Update field is a mandatory field. You can select only one archive file (.zip) containing the appropriate files. Archive files other than .zip, such as .tar, and .gz are not supported.
Step 8

Click Update Now.


Cisco ISE Integration with Cisco Digital Network Architecture Center

Cisco ISE can integrate with Cisco DNA Center. For information about configuring Cisco ISE to work with Cisco DNA Center, see the Cisco DNA Center documentation.

For information about Cisco ISE compatibility with Cisco DNA Center, see the Cisco SD-Access Compatibility Matrix.

Cisco AI Endpoint Analytics

Cisco AI Endpoint Analytics is a solution on Cisco DNA Center that improves endpoint profiling fidelity. It provides fine-grained endpoint identification and assigns labels to various endpoints. Information gathered through deep-packet inspection, and probes from sources such as Cisco ISE, Cisco SD-AVC, and network devices, is analyzed for endpoint profiling.

Cisco AI Endpoint Analytics also uses artificial intelligence (AI) and machine learning capabilities to intuitively group endpoints with similar attributes. IT administrators can review such groups and assign labels to them. These endpoint labels are then available in Cisco ISE if your Cisco ISE account is connected to on-premises Cisco DNA Center.

These endpoint labels from Cisco AI Endpoint Analytics can be used by Cisco ISE administrators to create custom authorization policies. You can provide the right set of access privileges to endpoints or endpoint groups through such authorization policies.

Install a New Patch

For instructions on how to apply the patch to your system, see the "Install a Software Patch" section in the Cisco Identity Services Engine Administrator Guide.

For instructions on how to install a patch using CLI, see the "Patch Install" section in the Cisco Identity Services Engine CLI Reference Guide.


Note

If you have installed a hot patch on Cisco ISE 3.1, you must roll back the hot patch before installing a patch. Otherwise, the services might not be started due to integrity check security issue.


Caveats

The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, use the Cisco Bug Search Tool (BST). The bug IDs are sorted alphanumerically.


Note

The Open Caveats sections lists the open caveats that apply to the current release and might apply to releases earlier than Cisco ISE 3.1. A caveat that is open for an earlier release and is still unresolved applies to all future releases until it is resolved.


The BST, which is the online successor to the Bug Toolkit, is designed to improve the effectiveness of network risk management and device troubleshooting. You can search for bugs based on product, release, or keyword, and aggregate key data such as bug details, product, and version. For more details on the tool, see the Help page located at http://www.cisco.com/web/applicat/cbsshelp/help.html.

New Features in Cisco ISE, Release 3.1 - Cumulative Patch 4

Enhancement to the Groups tab in the REST Identity Store

You can now retrieve, filter, and delete REST identity store groups while configuring Resource Owner Password Credentials in Cisco ISE.

While adding the groups, click Retrieve Groups to import the user groups from the connected identity source. Check the check boxes next to the groups that you want to select and click Save. You can also select all the groups, if needed. The selected groups are listed in the Groups tab.

You can filter the results using the filter option.

To delete a user group, check the check box next to the group that you want to delete and click Delete.

For more information, see "Configure Resource Owner Password Credentials Flow" in the Chapter "Asset Visibility" in the Cisco ISE Administrator Guide, Release 3.1

.

Changes to IP Default Gateway Require Restart

Cisco ISE 3.1 Patch 4 onwards, when you add or change a gateway, the CLI warns the administrator that service restart may be required, and proceeds to execute the comand only if the Yes option is selected.

For more information, see the Cisco ISE CLI Commands in Configuration Mode chapter in the Cisco ISE CLI Reference Guide, Release 3.1

Resolved Caveats in Cisco ISE Release 3.1 - Cumulative Patch 4

The following table lists the resolved caveats in Release 3.1 cumulative patch 4.

Caveat ID Number

Description

CSCwb22662

64-character limit is not enough to accommodate external user identities, such as user principal name

CSCwb32244

Unable to edit certificates imported to ISE Trusted Certificate

CSCwa88954

CIAM: python-pip 9.0.3

CSCwb64656

When Essential License is disabled on the Cisco ISE GUI, the Smart Licensing Portal does not report license consumption.

CSCwb39638

Unable to import network device configured with SNMPv3 SHA2 authorization

CSCwb77915

Toggle to enable or disable RSA PSS cipher based on policy under Allowed Protocols

CSCvy77475

CIAM: libcurl 7.61.1

CSCwa61347

Cisco ISE-PIC does not forward live sessions beginning with special characters

CSCwb09824

CIAM: libjpeg-turbo 1.5.3

CSCwa96229

Cisco ISE does not allow user to change the admin password without validating current password

CSCwc00162

Certificate based admin login does not work when the client or browser send more than one certificate

CSCwb09881

CIAM: sqlite 3.26.0

CSCwa80499

CIAM: ncurses 6.1

CSCwb33727

Special characters are not supported in Attributes

CSCwc30811

Underscore is vulnerable in Guest Portals

CSCvy66496

REST ID does not filter groups based on name or SID for Azure AD groups

CSCwb92006

Having a single quote (') in the middle of the password on Proxy settings causes the page to become un-editable

CSCwb56878

No Replication Stopped Alarm triggered

CSCwb55232

Create a nested endpoint group using ERS API

CSCwb82814

OpenAPI Error 400 while fetching Nested Conditions

CSCvv87286

Failure to import Internal CA and key from ISE 2.7P2 to 3.0

CSCwb92643

ADE-OS CLI TCP parameters fail to make changes and are no longer relevant

CSCwb88360

Disable temporary management persona on upgraded node fails in split upgrade

CSCwb14106

CIAM: cyrus-sasl 2.1.27

CSCwb75964

Unable to edit PAN Auto Failover alarms

CSCvz71874

CIAM: libdnf 0.39.1

CSCwb19256

Ping-node call causes application server to crash (OOM exception) during CRL validation

CSCwc12303

PGA memory used by the instance exceeds PGA_AGGREGATE_LIMIT on MNT node

CSCwa97123

NTP Sync Failure Alarms with more than 2 NTP Servers Configured.

CSCwa40040

Session Directory Write failed, SQLException: String Data right truncation on ISE3.0P4

CSCwb95433

"File path field must contain a valid file name" error when file conditions are configured for posture

CSCwa80710

CIAM: jszip 2.5.0

CSCwa06912

High latency observed for TACACS+ requests with date or time condition in authorization policies

CSCwb29498

High Operations DB Usage Alarm percentage needs to be configurable

CSCwb61614

Guest users (AD or internal) cannot delete or add their own devices on a specific node

CSCwb82141

Context Visibility Endpoints And NADs from an existing deployment are not removed after Restore

CSCvx08772

Frequent Insufficient Virtual Machine Resources alarms

CSCwb42924

Unable to get message option in Posture remediation actions

CSCwc18751

Unable to download a created support bundle from GUI if logged in using the DomainName\UserName format

CSCwb25789

Inconsistent behaviour on handling of SSH host keys

CSCwb52396

ISE PRA failover

CSCwa85010

SAML certificates should not be marked as Stale if PAN is removed from deployment

CSCwb59170

SHA-2 option is not available for NAD creation using REST API

CSCwb91645

TrustSec Dashboard Refresh Call causes High CPU on MNT

CSCwb35304

Race condition causes registration or sync failure in Cisco ISE 3.1

CSCwa95892

$ui_time_left$ variable shows the wrong duration

CSCwa60903

Cisco ISE adds six additional hours to nextUpdate date for CRL

CSCwc06638

System summary does not get updated post Patch RollBack and Patch Install

CSCwa83517

Guest portal registration page shows "error loading page" error when the email address contains apostrophe

CSCwa89443

DNA Center - ISE Integration: ISE shows an old DNAC certificate for pxGrid endpoint

CSCvz57222

Admin access is allowed for ISE GUI with secondary interfaces GigabitEthernet 1 and Bond 1

CSCwb05059

P1 Stale nodes in TCPDump Menu

CSCwb97579

Compatibility problems with Hyper-V Gen-2

CSCwb26965

Error when network device groups are created using REST APIs

CSCwb21669

Unable to enter ipv6 address for on-premise SSM server

CSCwb79056

ERS call /ers/config/sgmapping/{id} does not return SGT value for custom SGT's

CSCwa80488

CIAM: openssh 7.6

CSCvy91805

Max Sessions are not enforced with EAP-FAST-Chaining

CSCwa80480

CIAM: bind 9.11.4

CSCwb34910

Multiline issues for guest SMS notification in Cisco ISE Portal

CSCwb55979

NTP Service Failure

CSCwa95889

Unable to host SSH/SFTP with newer HostKeyAlgorithms (e.g. RSA-SHA2-512)

CSCwb26227

CIAM: jackson-databind 2.9.8

CSCwa73860

After ppgrade, the files in the rabbitmq certificate directory show incorrect permissions

CSCwb85456

CIAM: openssl upgrade to 1.0.2ze and 1.1.1o

CSCwc12693

ISE ERS Validation Error - [validDays] mandatory field is missing

CSCwb91392

BH Healthcheck and full upgrade pre-check times out when third party CA certificate is used for admin

CSCwb70401

Patch 2 - Services do not start due to "Integrity check failed" error

CSCwc09104

Guest redirect with authentication virtual LAN no longer works on ISE 3.1

CSCwa17925

After fixing failed pre-upgrade check, Proceed button is still not available

CSCwb86283

ISE Deployment : All nodes throw OUT_OF_SYNC error as a result of incorrect certificate expiry check

CSCwb09861

CIAM: glib 2.56.4

CSCwb09860

CIAM: openssl 1.1.1g

CSCvy69483

CIAM: libgcrypt 1.5.3

CSCwa79799

PermSize attribute on sysodbcini file is missing

CSCwa97357

Cisco ISE does not send $mobilenumber$ value in the SMTP API body

CSCwb37760

Sponsor Portal shows error 500 when "Allow kerberos SSO" portal setting is enabled

CSCwb94890

Key Performance Metrics report has no entries for 8 AM and 9 AM every day

CSCwb09045

ISE PSN nodes crash due to incorrect cryptoLib initialization

CSCwa90930

Queue size needs to be capped on RMQ in 3.x

CSCvz24558

Spring Hibernate TPS upgrade (Hibernate 5.5.2, Spring 5.3.8)

CSCwa75348

ODBC Behavior Failover Issues

CSCwb04898

Unable to restore CFG backup from linux SFTP repository if the file is owned by a group name without space

CSCwb57665

ISE Evaluation for Struts2 CVE-2021-31805

CSCwb43007

Posture policy page does not load for SAML login

CSCvz94133

Configuration backup fails due to "EDF_DB_LOG"

CSCwc41697

Data dump transfer between nodes fail during upgrade due to connection error

CSCwa76896

Duplicated column "Failure Reasons" is found in RADIUS Authentications Report

CSCwa47133

ISE Evaluation log4j CVE-2021-44228

CSCwb05532

Location of "Location" and "Device Type" fields keep changing whenever Network Devices tab is clicked

CSCvz42996

CIAM: glibc 2.17

CSCwa91335

Default domain configuration in Passive-Syslog provider does not work in ISE 3.1

CSCwb81416

Cisco ISE GUI does not load after login

CSCwb01854

Upgrade External Radius Server List does not show up after upgrading to Cisco ISE 3.0 or above

CSCwb27857

Unable to login into GUI of MnT nodes using RSA 2FA in distribusted deployment

CSCwc09737

CIAM: cups 1.6.3

CSCwb02129

SSH to Cisco ISE fails on maually imported SSH Public Keys

CSCwb36849

Cisco ISE must avoid sending Empty Cisco AV-Pairs in access-accept packets

CSCwb41741

Invalid character error in Admin Groups

CSCwb32466

Unable to delete endpoint identity group created via REST API if no description is set

CSCwb57675

Cannot disable "Dedicated MnT" Option from GUI after it is enabled

CSCwa82553

Default route is on the incorrect interface if bonding is configured

CSCwa04370

Default route is removed or tied to the wrong interface after upgrading

CSCvw90778

T+ ports (49) are still open if disable Device admin process under deployment page

CSCwb11147

Improvement to logs needed with Conflict handling SGT-IP mapping with Virtual Networks

CSCwb40942

From address to send email is invalid if it does not end with .com or .net

CSCwb96942

Application Server is stuck in the initializing state after configuration backup is restored

CSCwb98854

Cisco ISE does not update expiry date after SLR license is updated

CSCvz43125

CIAM: nettle 3.4.1

CSCwb40349

Invalid Characters in External RADIUS Token Shared Secret.

CSCwb38069

Services fail to start after backup from old ISE vrsion 2.6 is restored

CSCwb01843

Timezone update should happen automatically

CSCwb29357

AD User SamAccountName parameter is null for user sessions

CSCwb80572

Application Server stays in Initializing state after installing Cisco ISE 3.1 Patch 3 on Cisco ISE Patch 2

CSCwb39964

Cisco ISE can login to GUI with disabled shadow admin accounts with external identity source

CSCwb07504

Sorting internal users based on User Identity Groups does not work in Identities under Identity Mangement tab

CSCwb88129

CIAM: samba 4.13.3

CSCwc39844

Services auto restart fail with an internal error during IP address change in eth 1

CSCwa80553

CIAM: samba 4.8.3

CSCwb23028

Inaccurate dictionary word evaluation for passwords

CSCvk25808

Unable to edit or remove Scheduled Reports if the admin who created them is no longer available

CSCwa88948

CIAM: cryptography 2.3

CSCwb93156

TrustCertQuickView gives the same information for all trusted certificates

CSCwb40131

400 Bad Request error is thrown when Internal User is enabled with external password type using Rest API.

CSCwb32492

Application server restart on all nodes after changing the Primary PAN Admin certificate

CSCvv02086

Add ability to disable TLS 1.0 and 1.1 on ISE PIC node

CSCwc03220

Removing an IP Access list from ISE destroys the distributed deployment

New Features in Cisco ISE, Release 3.1 - Cumulative Patch 3

Support for Cisco pxGrid Cloud

Cisco ISE 3.1 patch 3 supports Cisco pxGrid Cloud. Cisco pxGrid Cloud is a new Cisco cloud offer that extends pxGrid and ERS access to cloud-based applications. To allow connectivity between a Cisco ISE deployment and Cisco pxGrid Cloud, pxGrid Cloud service must be enabled on one or more pxGrid nodes in the Cisco ISE deployment. For more information on Cisco pxGrid Cloud, see Cisco pxGrid Cloud Solution Guide.

Automatic Renewal of OSCP Certificates

From Cisco ISE Release 3.1 Cumulative Patch 2 onwards, the following rules are applicable for the renewal of OCSP certificates:

  • For a multi-node Cisco ISE deployment, OCSP certificates are renewed automatically if you install the patch through the Cisco ISE GUI. If you install the patch through the Cisco ISE CLI, we recommend you to renew the OCSP certificate manually.

  • For a standalone Cisco ISE deployment, OCSP certificates are renewed automatically irrespective of whether you install the patch through the Cisco ISE GUI or the Cisco ISE CLI.

  • If you uninstall Patch 2, you have to renew the OCSP certificate manually.

Microsoft Intune Integration Changes Due to Microsoft Graph Updates

Microsoft is deprecating Azure Active Directory (Azure AD) Graph and will not support Azure AD Graph-enabled integrations after June 30, 2022. You must migrate any integrations that use Azure AD Graph to Microsoft Graph. Cisco ISE typically uses the Azure AD Graph for integration with the endpoint management solution Microsoft Intune.

For more information on the migration from Azure AD Graph to Microsoft Graph, see the following resources:

Cisco ISE Release 3.1 Patch 3 supports Microsoft Intune integrations that use Microsoft Graph. To avoid any disruption in the integration between Cisco ISE and Microsoft Intune, update your Cisco ISE to Cisco ISE Release 3.1 Patch 3. Then, update your Cisco ISE integration in Microsoft Azure to use Microsoft Graph instead of Azure AD Graph, before June 30, 2022. In Cisco ISE, you must update your Microsoft Intune integrations to update the Auto Discovery URL field—Replace https://graph.windows.net<Directory (tenant) ID> with https://graph.microsoft.com.

See Connect Microsoft Intune to Cisco ISE as a Mobile Device Management Server for more information on the configuration steps.

Opening TAC Support Cases in Cisco ISE

You can now open TAC Support Cases for Cisco ISE and other Cisco products from the Cisco ISE GUI.

For more information, see "Open TAC Support Cases in Cisco ISE" in the Chapter "Troubleshoot" in Cisco ISE Administrator Guide, Release 3.1.

SHA1 Ciphers Disabled by Default

From Cisco ISE Relase 3.1 Patch 2, SHA1 ciphers on port 443 are disabled by default.

Resolved Caveats in Cisco ISE Release 3.1 - Cumulative Patch 3

The following table lists the resolved caveats in Release 3.1 cumulative patch 3.

Caveat ID Number

Description

CSCwb70401

After installing patch 2 services are stuck due to "Integrity check failed" error

CSCwa55996

New objects do not exist in the condition studio

CSCwa51150

WLC failed to validate EAPOL Key M2 with ISE 3.1

CSCvz91603

Unable to fetch the attributes from ODBC after upgrading to ISE 3.0 patch 3

CSCwa07580

Could not create Identity User if username includes $

CSCwa09113

Single Byod Flow with Internal CA failing with "12557 User Auth failed because OCSP status is unknown" error

CSCvy99582

Upgrade from ISE 2.4 patch 13 to ISE 2.7 fails if external RADIUS server is configured

CSCwa37040

backup-logs using public key encryption on the ISE CLI does not allow for caputure of core files

CSCvz67479

Local Log Settings tooltip on all fields shows irrelevant and unuseful Trust Certificates

CSCwa17470

ISE 3.1 SAML admin authentication fails when user assertion contains multiple values in the "Groups" claim

CSCwa35293

ISE 2.7 Authentication success settings shows success/success url

CSCvz88188

TACACS authorization policy querying for username fails because username from session cache is null

CSCwa26210

nextPage field is missing from the json response of API 'GET /ers/config/radiusserversequence'

CSCwa88845

Device Port Network Conditions does not validate interface ID

CSCwa11658

CIAM: gnutls 3.6.14

CSCwa11659

CIAM: libx11 1.6.8

CSCwa11657

CIAM: python 3.6.8

CSCwa11654

CIAM: file 5.33

CSCwa11655

CIAM: sysstat 11.7.3

CSCwa78479

Cisco Identity Services Engine Assessment of CVE-2021-4034 Polkit

CSCwa20354

Node database utilization information is not properly displayed in Operational Data Purging > Database Utilization window

CSCvz79665

Microsoft Intune Graph Url change from graph.windows.net/tenant to graph.microsoft.com

CSCwa16401

Get-By-Id server sequence returns empty server list after first change made on the sequence via GUI

CSCwa48465

Reports are unusable due to misshandling fields with multiple values

CSCvx54894

Sponsor Portal admin unable to create random guest accounts with 1 hour duration or less

CSCvz71872

CIAM: nss - multiple versions

CSCvz37241

Queue Link Error:WARN:{socket_closed_unexpectedly;'connection.start'}

CSCvv04957

GRUB2 Arbitrary Code Execution Vulnerability

CSCvz78841

CIAM: openssh 7.6

CSCvz90468

Internal users using External Password Store are getting disabled if we create users using API flow

CSCvy84989

Enabling cookies for POST /ers/config/internaluser/ causes Identity Group(s) does not exist error

CSCvz56358

ISE 3.0 checks only the first SAN entry

CSCwa57705

IP-SGT mapping does not link with new network access device group

CSCvx23375

ISE authorization profiles option get truncated during editing/saving (Chrome only)

CSCwa32312

RCM and MDM flows fail because of session cache not being populated

CSCvz65576

Full upgrade not working with patch when CLI or disk repository is used

CSCwa33462

CSV NAD import is rejected due to special symbol @ at the beginning of RADIUS shared secret

CSCvz85074

Fix for CSCvu35802 breaks AD group retrieval with certificate attribute as identity in EAP-Chaining

CSCwa13696

ISE 3.1 Guest Username/Password Policy is not modifiable

CSCwa23207

Multiple runtime crashes seen due to memory allocation inconsistency

CSCwa47190

AD security groups cannot have their OU end with dot character in Posture Policy

CSCwa11678

CIAM: binutils 2.30

CSCwa11679

CIAM: json-c 0.13.1

CSCwa57955

Posture firewall remediation action unchangeable

CSCwa41166

RegEx expressions in TACACS Command Sets malformed

CSCwa17718

Session service unavailable for pxGrid Session Directory with dedicated MnT

CSCvz18627

PEAP session timeout value restricted to max 604800

CSCwa78042

ISE 3.1 is requesting ISE-PIC licenses from Smart account

CSCwa53231

CIAM: nss - multiple versions

CSCwa08802

ISE 3.1 on AWS gives a false negative on the DNS check for Health Checks

CSCwa49859

Attribute value dc-opaque causing issues with Live Logs

CSCwa03126

ISE CPP not loading correctly for some languages

CSCvz83204

ISE unable to fetch the url attribute value from improper index during posture flow

CSCvz74457

ERS API does't allow for use of dot character in "Network Device Group" name or create / update

CSCvy45345

Eap-chaining authorization failure due to machine authentication flag set to true incorrectly

CSCvz36192

GET for dacls using /ers/config/downloadableacl does not return a value for nextPage or previousPage

CSCwa04454

ISE 3.0 & 3.1: Device Admin License alone should allow access to all TACACS menus

CSCwa11662

CIAM: lz4 1.8.3

CSCwa11661

CIAM: glibc 2.28

CSCvy76328

IPv6 changes the Subnet to /128 when using the duplicate option from Network device tab

CSCwa20309

Unknown NAD and Misconfigured Network Device Detected alarms

CSCwa56934

Inconsistent sorting on ERS APIs for endpoint group

CSCwa45316

MDM intune integration broken for vpn user on ISE 3.1

CSCvz63405

ISE client pxGrid certificate is not delivered to DNAC

CSCvn27270

Unable to create network device group with name Location or Device Type

CSCwa15191

Endpoint stuck in posture unknown state

CSCwa13877

ISE displays an alarm stating an invalid response from licensing cloud

CSCwa46758

Deleted Root Network Device groups are still referenced in the Network Devices exported CSV report

CSCvz71284

SNMPv3 COA request is not issued by ISE 2.7

CSCwa94984

ISE API add user operation with long custom attribute string takes around 4 minutes using Curl

CSCvw09460

Updated fields list for PUT on /erc/config/authorizationprofile/{id} usually empty

CSCvw90586

Unable to change network Device group Name and Description at the same time

CSCvs55875

Existing routes are not installed in routing table after MTU change

CSCwa47566

ISE Conditions Studio - Identity Groups Drop-down limited to 1000

CSCvz34849

DELETE /ers/config/networkdevicegroup/{id} not working; CRUD exception

CSCvy71309

CIAM: tcp-dump 4.9.3

CSCvy16894

Authorization profile throws an error when special characters are used

CSCwa47133

ISE Evaluation log4j CVE-2021-44228

CSCwa20152

CoA was not initiated for switches for which matrix was not changed, hence Policy sync failed

CSCvz83753

Empty User Custom attribute included in Authorization Advanced Attributes Settings results in incorrect AVP

CSCvz75902

ISE replacing pxGrid certificate when generating ISE internal CA

CSCwa43187

"Queue Link Error: Message=From Node1 To Node2; Cause=Timeout" error seen when NAT is used

CSCwa59924

ISE 3.1 Patch 1: Unable to connect to ISE via SSH when FIPS is enabled

CSCwa19573

Catalina.out file is huge because of SSL audit events

CSCwa52114

CIAM: sqlite 3.18.2

CSCwa52110

When SNMP config is set on the network device, a delay of 20 seconds is introduced while processing SNMP record

CSCwa59237

Deployment-RegistrationPoller causing performance issues on PAN node with 200+ internal certificates

CSCwa38023

ISE 3.1: Unable to generate pxGrid certificates with Active Directory superadmin

CSCwa32814

ISE configured with 15 Collection filters hides the 15th filter

CSCwa60873

Optimize bouncy-castle class to improve performance on PAN

CSCvz79518

Serviceability: "DNS Resolution Failure" alarm should show ISE server

CSCvy96761

Session cache must be updated during EAP chaining flow to handle relevant identities

CSCwa16291

Guest Portal fields causing words to be repeated for Apple VoiceOver

CSCvz90852

Success page is blank and Done button not enabled in Hotspot Guest Portals

CSCwa05404

Sessions are not removed when the Tacacs+ requests resulted in "Could not find selected service" error

CSCvz95326

Unable to add more than one ACI IP address/hostname when trying to enable ACI integration in ISE

CSCwa08018

ISE 3.1 - GUI is not working when IPv6 disabled globally

CSCwa11682

CIAM: pcre 8.41

CSCvz93230

Guest portal does not load if hosted on a different interface from Gig0

CSCwa53499

REST ID is fetching the groups from Cloud when the connector settings page is opened

CSCwa56771

ISE 3.0p2 - Monitor All setting displays incorrectly with multiple matrices and different views

CSCwa47221

AD security groups cannot have their OU end with dot character in Client Provisioning Policy

CSCwa52133

CIAM: libsolv 0.7.16

CSCvz60870

High Active Directory latency during high TPS causes HOL Blocking on ADRT

CSCvs95495

Reauthentication issue seen in third party devices

CSCwa11633

ISE 3.0 APIC Integration: Failed to create security groups

CSCwa18443

Need to handle Posture expiry when 8 octet MAC is present in endpoint on the deployment node

CSCwa67433

Cannot export SAML provider info xml file from ISE GUI

CSCwa59621

Inconsistent sorting on ERS API for identity groups

Open Caveats in Cisco ISE Release 3.1 - Cumulative Patch 3

Caveat ID Number

Description

CSCwb30989

SXP service is not starting after restart from ISE UI

CSCwb36873

Getting "Page not accessible" pop-up message in ISE-PIC node

CSCwb09045

ISE PSN nodes crashing due to incorrect cryptoLib initialization

New Features in Cisco ISE, Release 3.1 - Cumulative Patch 1

Cisco ISE on AWS

  • The software version Cisco ISE 3.1 Patch 1 is available on Amazon Web Services.

  • You can now install Cisco ISE in evaluation mode in the AWS instance named t3.xlarge. For more information about using Cisco ISE in evaluation mode in AWS, see the section "Cisco ISE Evaluation Instance on AWS" in the Cisco ISE Installation Guide, Release 3.1.

    t3.xlarge instances only support Cisco ISE Release 3.1 Patch 1 and later releases.

Signed SAML Authentication Request for Cisco ISE

Cisco ISE now only accepts signed SAML requests and assertions for authentication.

For more information, see "Configure SAML ID Provider" in the Chapter "Asset Visibility" in Cisco ISE Administrator Guide, Release 3.1.

Resolved Caveats in Cisco ISE Release 3.1 - Cumulative Patch 1

The following table lists the resolved caveats in Release 3.1 cumulative patch 1.

Caveat ID Number

Description

CSCvo39514

MnT log processor is not running because collector log permission.

CSCvq53373

/ers/config/<obj>/bulk/submit returning invalid Location URI /ers/config/<obj>/bulk/submit/<bulkID>

CSCvs04091

Blanket bug for code enhancements for MnT component

CSCvt25277

2.4p12 patch install stuck forever

CSCvu47280

A race condition was found in the mkhomedir tool shipped with the oddjo

CSCvu94544

ISE 3.0 BH : TACACS live logs do not give an option select Network Device IP

CSCvv96532

DOC: unknown maximum time difference for thisUpdate of OCSP response

CSCvw65181

CIAM found poi vulnerable

CSCvw78289

Auth Passed live logs are not seen when using a profile name with more than 50 characters

CSCvx14400

Multiple Vulnerabilities in glibc

CSCvx43866

3.0P2:Accounting Report Export is taking more time to complete.

CSCvx55668

CIAM found netty vulnerable

CSCvy14905

CTS-SXP-CONN : ph_tcp_close from device to ISE SXP connection - Hawkeye

CSCvy43246

[CFD] User unable to create a guest SSID during Portal Creation step - ISE is busy error

CSCvy53842

Certificate Validation Syslog Message Sent During Specific Certificate Audits--ISE

CSCvy69539

CIAM: openjdk - multiple versions

CSCvy71229

CIAM: libx11 1.6.8

CSCvy71232

CIAM: glibc 2.28

CSCvy71238

CIAM: gnupg 2.2.9

CSCvy71239

CIAM: systemd 219

CSCvy71240

CIAM: vim 8.0.1763

CSCvy71261

CIAM: nettle 3.4.1

CSCvy71292

CIAM: unbound 1.7.3

CSCvy71296

CIAM: pcre2 10.32

CSCvy71313

CIAM: cpio 2.12

CSCvy71322

CIAM: libarchive 3.3.2

CSCvy71345

CIAM: network-manager 1.22.8

CSCvy71690

Customer fields in guest portal contains & - $ #

CSCvy75191

Cisco Identity Services Engine XML External Entity Injection Vulnerability

CSCvy77472

CIAM: librepo 1.11.0

CSCvy81435

ISE Guest SAML authentication fails with "Access rights validated" HTML page

CSCvy82023

Incorrect Posture Compound Condition Hotfixes

CSCvy88092

CTS PAC not activating on Switch: via ISE 3.1 build 3.1.0.477

CSCvy88764

CIAM: go 1.15.7 CVE-2021-33194

CSCvy92040

ISE restore popup menu displays wrong text

CSCvy92536

ISE 3.0 Device Admin License alone should allow access to Administration > System > Logging menu

CSCvy93847

Possible to choose SPAN without Policy persona in NAD Send configuration changes to device CoA

CSCvy94427

posture lease breaks for eap chaining from 2.7

CSCvy94511

TACACs report showing duplicate entries due to EPOCH time being null

CSCvy94553

TACACS Authentication report shows duplicate entries

CSCvy94818

EP's incorreclty profiled as "cisco-router" due to nmap performing aggressive guesses

CSCvz00258

SessionCache not cleared for Tacacs AuthZ failures results in high heap usage and auth latency

CSCvz00659

Special characters in Banner blocking SFTP repo

CSCvz01485

ISE 2.7 patch 4 unable to upload .json file for Umbrella security profile.

CSCvz05383

P1PNSBaseline: SuperMnT: on last 30days Radius Auth report takes ~5mins with filter

CSCvz05966

ISE 2.6 p 9, Default permissions can't go back to default group Internal after adding a new group

CSCvz07191

ISE GUI stuck at loading if AD group does not exist when using cert based auth for GUI access

CSCvz07823

ise 2.7 Failed to add endpoint to group

CSCvz08813

Not able to scroll to different pages in Issued certficates page

CSCvz17020

ISE GUI shows all the licenses as Out of Compliance - Smart Licensing

CSCvz18848

Agentless posture breaks for locale

CSCvz20020

Okta redirection fails for first ID store and works when second ID store is assigned

CSCvz20770

Unable to see the UI pxgrid pages, if we enabled&disabled pxgrid at deployment tab on secondary node

CSCvz27791

ISE: Application server stuck initializing after backup restore due to mdm configuration

CSCvz28133

User unable to generate support bundle

CSCvz33839

menu access customization is not working

CSCvz35550

ISE Health Check MDM Validation false alarm

CSCvz37623

NTP (' - ') source state description missing in ISE CLI

CSCvz43038

CIAM: libxml 2.9.1

CSCvz43123

CIAM: jspdf 2.3.0

CSCvz43126

CIAM: systemd - multiple versions

CSCvz43154

CIAM: podman 1.6.4

CSCvz43183

Sponsor Permissions are not passed to Guest REST API for "By Name" calls.

CSCvz44655

ISE manage account selection issue

CSCvz45150

ISE PIC 3.1 Request traditional license

CSCvz46933

CIAM: jsoup 1.10.3

CSCvz49086

ISE 3.0 TimesTen connection closed when an SQLException is encountered

CSCvz49871

ISE GUI : net::ERR_ABORTED 404 : /admin/ng/nls/fr-fr/

CSCvz50255

CIAM: bind 9.11.20

CSCvz55258

Cisco:cisco-av-pair AuthZ conditions stopped working

CSCvz57267

Inability to import ISE certificates issued for PAN to other nodes in spite of the SAN field fqdn.

CSCvz61191

ISE3.1 No response when click "choose file" on import Endpoints from CSV file page.

CSCvz63643

ISE 2.7: EndpointPersister thread getting stopped

CSCvz64833

CIAM: libgcrypt 1.5.3

CSCvz65182

If we set mtu greater than 1500 then the mtu value is not setting persistently across reboot.

CSCvz66289

Local disk management UI for uploading file is broken

CSCvz67479

Local Log Settings tooltip on all fields shows irrelevant and unuseful 'Trust Certificates'

CSCvz68091

Configuration changes to Guest types is not updated in audit reports

CSCvz72034

ISE 3.1:While updating Network Device from DNAC, Shared Secret/password is empty or masked

CSCvz72069

Pxgrid shown disabled on Summary page for ISE-PIC

CSCvz72208

ISE 3.1 : Authentication tab shows blank result in Context Visivility

CSCvz72225

adding FQDN in discovery host, Discovery host: invalid ip address or host name

CSCvz73445

Agentless Posture for Windows 10 devices not passing AntiMalware check -

CSCvz77482

ISE 3.0 Can't deselect the 'location' settings as part of the guest self registration portal

CSCvz80829

Version pre-check fails for 3.2 full upgrade.

CSCvz85117

ISE Health Check I/O bandwidth performance check false Alarm

CSCvz87476

Unsupported message code 91104 and 91105 Alarms

CSCwa00729

All NADs got deleted due to one particular NAD deletion

CSCvz86020

live log/session not showing latest data due to "too many files open" error

CSCwa12273

AD users in Super Admin group can't create/edit admin user with error "Operation is not permitted"

CSCvz66279

Radius reports older than 7 days are empty (regression of CSCvw78289)

CSCvz91116

Oracle process are increasing and gettingTNS:connection closed

Open Caveats in Cisco ISE Release 3.1 - Cumulative Patch 1

Caveat ID Number

Description

CSCwa09113

Single Byod Flow with Internal CA failing "12557 User Auth failed because OCSP status is unknown"

Cisco ISE 3.1 Files Replaced on Software Download Site

Cisco ISE 3.1 OVA, ISO, and upgrade bundle files have been replaced on the Cisco ISE Software Download site.

What Changes are Made?

  • The following bugs are resolved in this build:

    • CSCwa04370: ISE 3.1 shows incorrect outgoing interface for the default interface if two interfaces are configured with IP addresses and the default gateway references the subnet on eth1

    • CSCwa82553: ISE 3.1 default route is on the incorrect interface if bonding is configured

  • Option to skip ICMP, DNS, and NTP checks in the ZTP tool. For more information, see "Zero Touch Provisioning" in the Chapter "Additional Installation Information" in Cisco ISE Installation Guide, Release 3.1.


Note

  • The filenames of the new files will have "b" appended to the build number (for example, ise-3.1.0.518b.SPA.x86_64.iso).

  • If you want to import the SNS 3695 OVA template to the VMware vCenter content library, you can use the ISE-3.x.x.xxx-virtual-SNS3695-1800.ova template. This OVA template is similar to the ISE-3.x.x.xxx-virtual-SNS3695-2400.ova template, except for the reserved disk size, which has been reduced from 2400 GB to 1800 GB to workaround a limitation in the Vmware vCenter content library that prevents import of OVAs with disk size larger than 2 TB.

  • You will see the following ISE version in the output of show tech-support command:

    ZTPBUNDLE

  • Existing Cisco ISE 3.1 patches will work fine with this build.


Resolved Caveats in Cisco ISE Release 3.1

Caveat ID Number

Description

CSCwa04370

ISE 3.1 shows incorrect outgoing interface for the default interface if two interfaces are configured with IP addresses and the default gateway references the subnet on eth1

CSCwa82553

ISE 3.1 default route is on the incorrect interface if bonding is configured

CSCuo73496

RADIUS maximum session-timeout value restricted to 65535

CSCvf61114

ERS Create/Update for "Authorization Profile" failing XML schema validation

CSCvf88737

Blank guest portal window seen in portal created in portal builder

CSCvg75448

Customization for support information in Client Provisioning portal is missing

CSCvg77872

No logo in guest approval email when portal is set to Sponsored-Guest Portal

CSCvh04231

Guest Remember Me RADIUS accounting and access accept not sending guest username

CSCvi53134

Account used for AD join may become locked after passive-id service is enabled

CSCvi59005

Unable to see complete list of AD groups when using scrollbar

CSCvk11224

Problem with renaming the reports

CSCvm47584

Unable to configure grace period for more than 1 day because of posture lease

CSCvn25548

MnT API call with admin credentials disables the account

CSCvn38371

Ability to suppress session information pop up when logging in to GUI

CSCvo02275

Profiling and conditions studio not loading or taking up to 30 minutes

CSCvo56767

Error when attempting to change ISE-PIC GUI admin user settings

CSCvo75723

When running a report for endpoint purge, no reports are shown if the purged endpoint count is 0

CSCvp88242

Bad Request error when refreshing My Devices portal

CSCvq44063

Incorrect DNS configuration can lead to TACACS or RADIUS authentication failure

CSCvq58506

Show running-config fails to complete

CSCvr22065

Import NAD is failing with an error when shared secret key has special character

CSCvr76539

Changes to Network Device Groups not reflected in Change Audit logs

CSCvs24459

Unable to manage ISE internal network access users without an Identity Group

CSCvs27232

RADIUS Authentication Troubleshooting window not filtering properly

CSCvs29611

Cisco ISE 2.4 patch 5 crashing frequently and generating core files

CSCvs81248

PassiveID alarms should be triggered for inactivity for each DC separately

CSCvs81264

PSN should be capable of identifying delays in mappings from PassiveID agent

CSCvt64739

Application server takes more time to initialize

CSCvt65332

While updating the Profile Description field in Client Provisioning Resources window, if Enter is used to create a new line, "Fail to receive server response due to the network error" message is displayed

CSCvt85370

Posture Condition failed with "Check vc_visInst_v4_CiscoAnyConnectSecureMobility Client_4_x is not found" error

CSCvt94587

"Plus License is out of compliance" message seen while regenerating the ISE Root CA

CSCvu04874

Suspected memory leak in io.netty.buffer.PoolChunk

CSCvu05121

Guest email not sent after changing SMTP server

CSCvu14215

Sponsor group membership removed when adding or removing AD group

CSCvu22058

ISE with DUO as External RADIUS Proxy drops access-reject

CSCvu33861

ISE 2.4 patch 6: REST API MnT query to get device by MAC address taking more than 2 minutes

CSCvu47779

Change Configuration Audit report missing IP Address and modified properties in CSV export

CSCvu62938

Posture fails when primary PSN or PAN is unreachable

CSCvu84184

Certificate chain is not sent on the guest portal

CSCvu84773

Cisco Identity Services Engine Cross-Site Scripting Vulnerability

CSCvu87758

Guest password policy settings cannot be saved when set to ranges for alphabets or numbers

CSCvu89715

Time Vs Throughput chart in ISE Health Summary report using wrong units

CSCvu90761

ISE Radius Live Sessions window showing No Data Found

CSCvu91039

ISE not doing lookup for all MAC addresses causing redirectless Posture to fail

CSCvu94025

ISE should either allow IP only for syslog targets or provide DNS caching

CSCvu97657

ISE 2.4 Application server going to Initializing state on enabling endpoint debugs

CSCvv00951

Application server crashes while transitioning into stopping state

CSCvv02998

MAC 11 Big sur BYOD flow failed

CSCvv04416

Endpoint data not visible on secondary Admin node

CSCvv04957

GRUB2 Arbitrary Code Execution Vulnerability

CSCvv08466

Log Collection Error alarms appear

CSCvv09127

Guest API allows restricted sponsor to create guest accounts even for the unallowed guest type

CSCvv10683

Session cache for dropped session not getting cleared and causing High CPU on the PSNs

CSCvv14001

Authorization profile not saved with proper attributes when Security Group selected under common tasks

CSCvv14390

Max Sessions Limit is not working for Users and Groups

CSCvv15060

Going back to network list removes the applied filter

CSCvv16401

pxGrid internal client ping failed

CSCvv19065

Not able to see the guest identity in the DNAC Assurance window

CSCvv25102

Modify TCP settings to enhance TACACS+ and TCP on ISE

CSCvv27690

While renewing ISE certificate for HTTPS, EAP, DTLS, PORTAL, only Portal and Admin roles gets applied

CSCvv29190

BYOD Flow is broken in iOS 14 beta

CSCvv29737

DNA ACA Security Groups sync fails with JDBCException error

CSCvv30133

Discovery host description text is misleading

CSCvv30161

Live session details report show incorrect authorization profile and policy for VPN Posture scenario

CSCvv30226

Livelog sessions show incomplete authorization policy for VPN Posture scenario

CSCvv30274

Context Visibility shows incorrect authorization profile and policy for VPN Posture scenario

CSCvv31500

ISE Guest portal registration and expiration email need to maintain format entered in the portal

CSCvv35921

Cannot start CSV exporting for Selected User in internal ID Store

CSCvv36189

RADIUS passed-auth live logs not sent due to invalid IPv6 Address

CSCvv38249

Manual NMAP not working when only custom ports are enabled

CSCvv39000

Unable to create posture condition for LANDESK

CSCvv41935

PSK cisco-av-pair throws an error if the key contains < or > symbols

CSCvv43383

NFS repository is not working from GUI

CSCvv44401

Generate self-signed certificates and CSR default parameters doesn't match with pre-installed self-signed certificate

CSCvv45063

Internal CA Certificate not getting deleted when node is removed from deployment

CSCvv45340

Error storing the running-config lead to loss of startup config

CSCvv46034

Device admin service is getting disabled when updating TACACS configuration

CSCvv46958

TrustSec enabled NADs not showing in TrustSec Matrices when NDG column exceeds 255 characters

CSCvv47849

Mapped SGT entry cleared from Authorization Rules if Security Group name is modified in Cisco DNA Center

CSCvv50028

Heap Dump generation fails post reset-config of ISE node

CSCvv50168

ISE must allow Posture Grace Period more than 30 days

CSCvv50721

Can't get the download link of NetworkSetupAssistant.exe using Aruba dynamic URL redirect

CSCvv52637

ISE Hotspot guest portal flow broken

CSCvv53221

Application server marked as Initializing when ISE_EST_Local_Host RADIUS shared secret is empty

CSCvv54761

Export of current active session reports only shows sessions that has been updated since midnight

CSCvv54798

Context Visibility CSV exported from CLI not showing IP addresses

CSCvv55663

ISE 2.6/2.7 Repositories get deleted post ISE node reload

CSCvv57628

Suspended Guest User is not automatically removed from Endpoint Group

CSCvv57639

Saving command with parenthesis in TACACS command set gives an error

CSCvv57830

Group lookup failed as empty value was appended to the context

CSCvv58629

Certificate Authority Service initializing EST Service not running after upgrade to ISE 2.7 patch 2

CSCvv59233

ISE RADIUS Live Log details missing AD-Group-Names under Other Attributes section

CSCvv60014

Operational backup throws error if available free space in /opt folder is 1 TB or greater

CSCvv60353

Authentication summary report gets stuck if the total records are more than 5M

CSCvv60686

ISE SXP should have a mechanism to clear stale mappings learned from session

CSCvv60923

Need to add the ability to use a forward slash in the IP data type of internal user custom attribute

CSCvv61732

Unable to create unique community string for different SNMP servers

CSCvv62382

Proxy bypass settings does not allow upper characters

CSCvv62549

Custom Attribute from Culinda not showing in endpoint GUI page

CSCvv62729

Network Device API call throws error 500 if you query an non-existent network device

CSCvv63548

PSN rmi GC collection not working properly causing memory leak in PassiveID flow

CSCvv64190

Case sensitivity on User Identity Groups causes "Select Sponsor Group Members" window to not load

CSCvv65036

Memory Leak on PSN nodes

CSCvv67051

Radius Server Sequence window showing "no data available"

CSCvv67091

Cisco Identity Services Engine Untrusted File Upload Vulnerability

CSCvv67743

Posture Assessment by Condition report displays No Data with Condition Status filter

CSCvv67935

Security Group values in Authorization Profile disappear shortly after fetching

CSCvv68028

Can't modify AUP Text

CSCvv68293

ISE not consuming plus license when using local or global exceptions

CSCvv72418

ISE 3.0 REST ID log file not included in support bundle

CSCvv74361

ISE 3.0 Health Check License validation false Alarm

CSCvv77007

ISE constantly sending internal Super Admin user requests to external RADIUS token server

CSCvv77530

Unable to retrieve LDAP Groups/Subject Attributes when % character is used twice or more in bind password

CSCvv77914

Client Provisioning window does not show current settings properly

CSCvv77928

Bulk certificate generation failed with "An unexpected error occurred" message after primary PAN failure

CSCvv78097

Missing local disk utilization information

CSCvv79940

ISE generating CSR with hostname-x in SAN gives an error

CSCvv80113

Posture auto-update not running

CSCvv80297

Need DigitCert Global Root G2 in CTL for ROPC

CSCvv82806

Network Device IP filter does not match IPs that are inside subnets

CSCvv83510

Upgrade failing at RuleResultsSGTUpgradeService step

CSCvv85588

High memory usage on the PSN nodes with PassiveID flow

CSCvv91007

Smart Licensing Entitlement tab gets stuck at "Refreshing" if there is connection failure

CSCvv91234

ISE 2.6 scheduled reports are not working when primary MnT is down

CSCvv91684

ISE collection filters not displayed in GUI

CSCvv92203

"NetworkAuthZProfile with entered name already exists" message seen while trying to create an SGT with name "Employees"

CSCvv92613

Users that do not belong to the sponsor group are able to login in the sponsor portal

CSCvv92638

Cannot configure scheduled config and operational backup with start date same as current day

CSCvv93442

Double Slash "//" added in File Path for SFTP servers

CSCvv94791

GBAC configuration not synced between DNAC and ISE

CSCvv95150

Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability

CSCvv95516

ISE PIC Licensing window is not loading

CSCvv96532

Maximum time difference not specified for "thisUpdate of OCSP response"

CSCvv99093

ISE nodes intermittently trigger Queue Link alarms

CSCvw00375

Unable to load Context Visibility window for custom view in ISE 2.7 patch 2

CSCvw01225

ISE configuration restore fails at 40% with "DB Restore using IMPDP failed" error

CSCvw01829

ISE GUI login page shows error while using Chrome version 85/86

CSCvw02887

Memory leak after adding AD Groups for PassiveID flow

CSCvw03693

NTP does not work because internal user 'chrony' not created

CSCvw06722

Sponsor is unable to view the list of created guest users

CSCvw08292

ACI mappings are not being deleted after a delete message

CSCvw08330

Posture does not work with dynamic redirection on third party NADs

CSCvw08602

Not throwing error for IP overlap case

CSCvw09827

High CPU on PSN node

CSCvw16237

Scheduled operational data backups not being triggered after Primary MnT reload

CSCvw17908

Pushing IP to SGT mapping from ISE to switch doesn't work if default route is tagged

CSCvw19785

Editing external data source posture condition is showing always the wrong AD

CSCvw20021

NAD Location is not updated in Context Visibility ElasticSearch

CSCvw20060

Agent marks DC as down if agent service comes up before windows network interface

CSCvw20636

Authorization Profiles showing "No data available" after NAD profile is deleted

CSCvw24227

Endpoints not purged due to an exception

CSCvw24268

Cisco Identity Services Engine Untrusted File Upload Vulnerability

CSCvw25285

PassiveID is not working stable with multi-connect syslog clients

CSCvw26415

ISE 3.0 not importing certificates missing CN and SAN into Trusted Certificate Store

CSCvw26570

International Phone Number dropdown box not working in ISE 2.7

CSCvw28441

NADs shared secrets are visible in the logs while using APIs

CSCvw29490

Internal User custom attributes are not sent in CoA-Push

CSCvw31269

SAML groups do not work if they are applied in the Sponsor Portal Groups

CSCvw33115

ISE MnT Live Session status is not changing to Postured in VPN use case

CSCvw34491

Enabling Essentials licenses only block access to Network Devices tab

CSCvw36486

GUI not accessible after applying IP Access restrictions

CSCvw36743

ISE Service Account Locked and WMI not established due to special characters in password

CSCvw37844

ANC CoA not working as ISE uses hostname for internal calls

CSCvw38530

Exception shown in ise-psc.log for repository while loading Backup and Restore window

CSCvw38853

Sophos 10.x definition missing from Anti-malware condition for MAC OSX

CSCvw44120

Guest portal creation failure with ISE 3.0

CSCvw46096

ISE 3.0 Syslog provider cannot apply configuration

CSCvw48396

Cisco ADE-OS Local File Inclusion Vulnerability

CSCvw48403

ISE is not processing gathered SNMP information for endpoint

CSCvw48697

API IP SGT mapping not returning result for [No Devices]

CSCvw49938

No TACACS Command Accounting report for third party device with a space before TACACS command

CSCvw50381

CoA-disconnect is not issued by ISE for Aruba WLC when grace access is expired

CSCvw50829

AD security groups cannot have their OU end with dot character on RBAC policies

CSCvw51787

ISE is not allowing to import CA signed certificate on top of self-signed certificate

CSCvw51801

Session which was previously having Postured Live Session state is moving to Started upon receiving Accounting Interim Update from NAD

CSCvw53412

SB should collect Hibernate.log

CSCvw54878

ISE does not display Full Authorization rules if it has 50 rules or more in Japanese GUI

CSCvw55793

ISE fails to send CoA from PSNs with "Identifier Allocation Failed" error

CSCvw61589

RADIUS requests dropped after deleting policy sets

CSCvw61786

All Processes need to be stopped before dropping schema objects

CSCvw63264

ISE 3.0 policy condition studio GUI bug

CSCvw66483

RADIUS server sequence gets corrupted when selected external server list is modified

CSCvw68480

Total mappings not displayed properly when using multiple SXP nodes in ISE deployment

CSCvw68512

Guest user is created with incorrect lifetime

CSCvw68944

Sponsor portal shows wrong week information on setting date while using Chinese language

CSCvw69977

"All SXP Mapping" table contains terminated sessions on ISE

CSCvw73928

NTP sync failure alarms that are not relevant need to be changed

CSCvw75397

MnT node name set to NULL when IP access enabled

CSCvw75563

HotSpot Guest portal displays Error Loading Page when passcode field contains special characters

CSCvw76847

ISE Conditions Library corruption during Pen test

CSCvw77219

Dot1x authentication failed due to duplicate manager

CSCvw78019

NTP out of sync after upgrade to ISE 2.7

CSCvw78269

CWE-20: Improper input validation for Create Node Group

CSCvw78289

Authentication Passed live logs are not seen when using a profile name with more than 50 characters

CSCvw80520

"Radius Authentication Details" report takes time when ISE Messaging Service is disabled

CSCvw81454

Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities

CSCvw82774

Sorting based on username doesn't work in User Identity Groups

CSCvw82784

TACACS+ Endstation Network Conditions scrollbar not working

CSCvw82815

Authorization profile CWA option does not work correctly with some network device profiles

CSCvw82927

Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities

CSCvw83296

Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities

CSCvw83334

Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities

CSCvw84127

Configuration Audit detail does not show which Policy Set was modified

CSCvw85599

TACACS+ Device Network Conditions and Device Port Network Conditions tabs scrollbar not working

CSCvw85860

ISE pxGrid exceptions should have ERROR log level instead of DEBUG

CSCvw87147

Live session is not showing correct active session

CSCvw87173

MAB authorization is failing if AD object representing the MAC address is in disabled state

CSCvw87175

MAB authentication via Active Directory passes with AD object disabled

CSCvw88881

DB Clean up hourly cron acquiring DB lock causing deployment registration failure

CSCvw89326

For PKI based SFTP, exporting GUI key for MnT node is only possible when it is promoted as PAN

CSCvw89818

Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities

CSCvw90961

RBAC rules not enforced in ISE 2.7

CSCvw93570

Unable to edit, duplicate, or delete guest portals.

CSCvw94603

Change in Polling interval not taking effect for external MDM server (Microsoft_intune)

CSCvw96371

Static policy and group assignment are lost from EP when updating custom attributes from API

CSCvw97905

Internal user export feature shows no error for invalid characters in password

CSCvx00245

Itune integration throws error while Test Connection works fine in MDM window

CSCvx00345

Unable to fetch Azure AD groups

CSCvx01272

Generate bulk certificates do not include ISE self-signed certificate

CSCvx01798

Adding a network device gives "Unable to load NetworkDevices" error

CSCvx04512

Admin access with certificate based authentication can be bypassed by going directly to login.jsp

CSCvx04692

Creating a node group named "None" breaks replication

CSCvx09383

Error seen when trying to sort endpoint's Applications by "Running process" in Context Visibility

CSCvx10186

ISE remains in eval expire state even after registering with Smart Licensing

CSCvx11857

Latency in loading certain pages due to stale certificate entries in ISE TrustCert Store

CSCvx15427

DNS Resolvability in Health Checks: False failures with ISE FQDN as CNAME

CSCvx18730

Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021

CSCvx22229

"ipv6 address autoconfig" gets removed when changing IP address of bond interface

CSCvx27632

Authorization should look up MAC address in format configured in ODBC Stored-Procedures window

CSCvx28402

Support bundle does not capture ise-jedis.log files on ISE 2.7 and later

CSCvx30276

On recreating Root CA, Jedis DB connection pool is not recreated

CSCvx32666

Authentication Method conditions not matching in Policy Set entry evaluation

CSCvx37149

SGA value under-provisioned for SNS 3515 running all personas on same node

CSCvx37297

Error 400 while authenticating to Sponsor portal with Single Sign-on/Kerberos user account

CSCvx37467

Sponsor portal gives "Invalid Input" if the "mobile number" field is unchecked in portal settings

CSCvx41826

Unable to get all tenable adapter repositories with Tenable SC 5.17

CSCvx43566

No login fail log when using external username and wrong password

CSCvx43825

Receiving acct stop without NAS-IP address keeps session in started state

CSCvx44815

ISE AD runtime should support rewrite a1-a2-a3-a4-a5-a6 to a1a2a3a4a5a6

CSCvx45481

CoA failure upon endpoint change to a new switch-port and Endpoint Identity Group change

CSCvx46638

In EAP chaining scenario, posture policy failed to retrieve machine AD group membership

CSCvx47691

Session Directory topic does not update user SGT attribute after a dynamic authorization

CSCvx47891

AMP events for new endpoints are not correctly mapped

CSCvx48922

Memory leak on TACACS flow

CSCvx53205

NIC bonding prevents MAR cache replication

CSCvx53905

Authorization policy conditions are not correctly formatted

CSCvx54213

Default Network Devices window requires Plus license to allow configuration

CSCvx57433

TrustSec policy matrix allows limited scrolling in ISE 3.0

CSCvx57545

isedailycron temp1 tracking is causing delay in AWR reports

CSCvx58516

Clicking a network device in Top N Authentication by Network Device report is redirecting to TACACS Authentication instead of RADIUS Authentication

CSCvx60818

ERS self-registration portal update is not deleting fields as expected in PSN

CSCvx61462

ISE Log Collection error "Session directory write failed"

CSCvx61664

ISE not updating the Json file information in the AnyConnect output config file

CSCvx64247

"Invalid phone number format" error seen on mobile devices using the Country-code drop-down option

CSCvx69701

Deployment went out of sync due to unavailabiltiy of database connections

CSCvx70633

ISE does not accept % in EXEC or Enable Mode password in network device trustsec configuration

CSCvx72642

REST authentication service is disabled when backup interface is configured

CSCvx78643

Emails sent for all system alarms using legacy data even when there is no email address configured in current deployment

CSCvx79693

Qualys integration is failing with ISE

CSCvx82808

MacOS Big Sur 11.x BYOD failing EAP-TLS when using a CA signed certificate

CSCvx85355

Increase the maximum allowable value of the posture grace period from 30 to 90 days

CSCvx85391

Internal user inactivity timer is not updated due to login letter case

CSCvx85675

ISE can't handle deletion/addition of SXP-IP mappings propagation due to race condition

CSCvx85807

Smart license of de-registration flow is not working in ISE and ISE-PIC

CSCvx86571

The instruction box should be removed when the login-page message is empty

CSCvx86915

UI issues on TrustSec window

CSCvx86921

RADIUS Token Identity Source Prompt vs Internal User prompt for TACACS authentication

CSCvx94452

EST service not running on ISE 2.7 patch 2 and above

CSCvx96190

Top Authorization report does not show filter in scheduled reports

CSCvx97249

PAN should not be listening on port 8905

CSCvx97501

ROPC authentication is failing with non Base64 characters in the password

CSCvx99151

Internal ERS user attempting to authenticate via external ID store causing REST delays

CSCvx99176

NAD IP definitions using - or * do not perform full IP comparison

CSCvy04443

MNT REST API for ReAuth fails when used in distributed deployment (with separate MnT)

CSCvy04665

TACACS Reports Advance filters not working when matching full numeric ID entries

CSCvy05954

All SXP Mappings window not displaying IPv6 mappings learned via Session

CSCvy06719

Manual Active Session report is empty

CSCvy07088

Agentless Posture doesn't install CA certificate chain in endpoint Trusted Store

CSCvy10026

Agentless Posture fails if ISE admin certificate CN is not equal to FQDN

CSCvy11617

Agentless posture breaks if Windows username includes a space

CSCvy14342

High CPU seen on PSN nodes from ISE 2.6 patch 3 onwards due to PIP query evaluation

CSCvy15058

Unable to update domains to be blocked/allowed via API

CSCvy15172

Cisco Identity Services Engine Self Cross-Site Scripting Issue

CSCvy17893

ISE REST API returns duplicate values for IP-SGT mappings

CSCvy18560

RADIUS Accounting Details report does not display Accounting details

CSCvy20277

Special characters allowed previously in Descriptions field for few objects no longer can be used

CSCvy23354

Maximum height of Description field in ISE authorization profile UI too small in FF 88

CSCvy24370

ISE not accepting more than 6 attributes to be modified in RADIUS server sequence configuration

CSCvy25533

"/opt/CSCOcpm/config/cpmenv.sh:line 396:<ipv6>:command not found" error seen during CLI backup

CSCvy25550

ISE does not accept name of custom attribute for Framed-IPv6-Address in the authorization profile

CSCvy30119

LDAP groups disappear from Sponsor group when making other changes to options

CSCvy32461

Sponsor user cannot edit data when phone/email fields are filled

CSCvy34977

Application Server stuck on initializing state due to certificate template curve type P-192

CSCvy36868

ISE 2.3 and later version do not support "cariage return" <cr> character in command-set

CSCvy38459

ISE 2.7 patch 3 GUI doesn't show all device admin authorization policies

CSCvy38896

AAA requests without Framed-IP value will cause exception in SXP process

CSCvy40845

Updating a custom attribute through ERS request updates another attribute as well

CSCvy41066

TACACS custom AV pair as condition in policies is not working

CSCvy42885

ISE Application server crash/restart due to cancellation of configuration backup

CSCvy45015

ISE Guest Self-Registration error for duplicate user when "Use Phone number as username" option is enabled

CSCvy46504

Intermittent error on Cisco DNA Center while trying to deploy policy

CSCvy48766

ISE installation fails with Database Priming Failed error when All Numbers subdomain is used

CSCvy51073

ISE authorization profile ERS update ignores accessType attribute changes

CSCvy58771

While editing a NAD, wrong device profile is being mapped

CSCvy60752

Setup wizard password does not supports hyphen after reset of config via CLI

CSCvy61564

ISE 2.7 Patch 3 ERS call is not accepting RADIUS shared secret with 3 characters

CSCvy61894

Generate key pair accepts space but cannot export key

CSCvy62875

[ 400 ] Bad Request error with SAML SSO OKTA on Apple devices

CSCvy63778

REST API for CoA works with any server IP

CSCvy65786

Configuring WMI with an AD account password containing % results in an error

CSCvy71690

Customer fields in guest portal contains & - $ #

CSCvy74456

Authentication via ISE fails with "Invalid login credentials" error

CSCvy74919

ISE internal users are not getting disabled after hitting inactivity timer

CSCvy76262

ISE DACL Syntax validator does not comply with ASA's code requirements

CSCvy76601

Delete 'All' function showing incorrect number of endpoints on confirmation popup

CSCvy76617

Need the Select ALL device option with or without filter in NAD page

CSCvy82023

Incorrect Posture Compound Condition Hotfixes

CSCvy82114

First/Last name wrongly displayed as Unicode of Chinese in Network Access Users window after upgrade

CSCvy90691

Duplicated RADIUS vendor ID can cause PSN to crash

CSCvz00034

The log level for OcspClient must be changed to ERROR instead of WARN

CSCvx59893

Inconsistency between ISE syslog level and message level

Open Caveats in Cisco ISE Release 3.1

Caveat ID Number

Description

CSCvx43866

Accounting report export is taking more time to complete

CSCwc83059 Post full upgrade VCS information is missing

CSCvy14905

Version negotiation fails as new SXP version is unrecognizable in ISE

CSCvy76622

Android BYOD flow with EST and StaticIP/Hostname/FQDN fails

CSCvy88861

Policy change doesn’t get pushed to the network device after ISE HA

CSCvz20020

Okta redirection happens only after the initially added SAML configuration is deleted and reconfigured

CSCvz20770

Unable to see the pxGrid pages in GUI, after pxGrid is enabled and disabled in Deployment tab on secondary node

Communications, Services, and Additional Information

  • To receive timely and relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you are looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure and validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain information about general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.