Release Notes for Cisco Identity Services Engine, Release 3.4

Updated: November 6, 2025


Table of Contents

  • Cisco Identity Services Engine, Release 3.4
  • New software features
  • Changes in behavior
  • Resolved issues
  • Open issues
  • Known issues
  • Compatibility
  • Related resources
  • Legal information

Cisco Identity Services Engine, Release 3.4

Cisco ISE release 3.4 brings a host of significant improvements that enhance performance, scalability, and security. This release introduces features like identity sync configurations for Duo connections, allowing administrators to flexibly manage user data synchronization after initial setup. Performance enhancements include automatic log bundle generation during upgrades and improvements to backup log capabilities, which ensure smoother and more efficient troubleshooting processes. Security efficacy is bolstered through the introduction of configurations for Virtual Tunnel Interfaces with Native IPsec, aligning with FIPS 140-3 compliance, and enhanced password security measures that prevent plaintext exposure of sensitive information.

Ease of use and deployment are prioritized through various enhancements such as a new Certificate Authority diagnostic tool, the ability to open TAC support cases directly from the Cisco ISE GUI and improved dynamic access control list behavior for more reliable authorization responses. The release also supports PAC-less RADIUS communication for TrustSec integrations, reducing configuration burdens while maintaining secure communications. GUI enhancements and API improvements, including the addition of hot patch details to the show version command and new session directory topics available using pxGrid, further streamline the user experience and increase operational efficiency. Additionally, the support for multiple Cisco Application Centric Infrastructure connectors broadens the scope for managing access policies across diverse network environments, reinforcing Cisco ISE's role as a pivotal security and management solution.

This document describes the features, issues, and limitations for Cisco Identity Services Engine release 3.4.

Table 1. New and changed information

Date          Description
2025-11-04    General availability of Cisco ISE release 3.4 cumulative patch 4.
2025-08-05    General availability of Cisco ISE release 3.4 cumulative patch 3.
2025-06-20    General availability of Cisco ISE release 3.4 cumulative patch 2.
2024-12-18    General availability of Cisco ISE release 3.4 cumulative patch 1.
2024-08-04    General availability of Cisco ISE release 3.4.

New software features

This section provides a brief description of the new software features introduced in these releases.

Cisco ISE release 3.4 patch 4 new features

Table 2. New features for Cisco ISE release 3.4 cumulative patch 4

Product impact: Ease of use

TACACS+ support to prevent Active Directory user lockout

The Prevent Active Directory User Lockout option helps reduce user lockouts caused by repeated failed login attempts with incorrect passwords. This feature is supported for both RADIUS and TACACS+ protocols. Cisco ISE uses these protocols to manage authentication requests and limit excessive failed logins, thereby minimizing account lockouts in Active Directory.

Workload Connector Endpoints dashboard

The Workload Connector Endpoints dashboard in the Context Visibility page enables you to efficiently gather, analyze, and report data related to workload connectors. This dashboard displays endpoint attribute information collected from the Workload Connectors page. Click an endpoint's IP address to access or download detailed attribute information for endpoint analysis.

New alarms for slow external resources and excessive TACACS+ activity

New alarms are introduced to enhance system monitoring and troubleshooting in Cisco ISE. They detect delays in reaching external systems and excessive traffic from TACACS+ devices, so that you can identify and address these conditions. The new alarms detect:

  • high ping or communication latency between Cisco ISE nodes.
  • slow Active Directory (AD) connections.
  • slow Lightweight Directory Access Protocol (LDAP) connections.
  • slow Open Database Connectivity (ODBC) connections.
  • excessive TACACS+ communications.

User and device authorization using Entra ID EAP-TLS and TEAP-TLS

Cisco ISE allows you to authorize devices and users through EAP or TEAP chaining. This enables secure network access control by combining certificate-based authentication with real-time information from Microsoft Entra ID.

During authentication, Cisco ISE evaluates the certificate presented by the user or device without directly accessing Microsoft Entra ID. For authorization, you can configure a REST ID Store Attribute condition or REST ID Store Group in the policy. During authorization, Cisco ISE queries Microsoft Entra ID to retrieve relevant user, group, and device attributes. This information is then used by Cisco ISE to make informed authorization decisions.

OAuth support for SMTP 

You can enable or disable authentication settings for your Simple Mail Transfer Protocol (SMTP) servers in the Cisco ISE GUI. This release adds support for Microsoft OAuth authentication, in addition to basic password authentication.

Product impact: Hardware reliability

Support for Cisco Secure Network Server 3800 series appliance

The Cisco Secure Network Server (Cisco SNS) 3800 series appliances are based on the Cisco Unified Computing System (Cisco UCS) C225 M8 Rack Server and are configured specifically to support Cisco ISE. Cisco SNS 3800 series appliances are designed to deliver high performance and efficiency for a wide range of workloads.

The Cisco SNS 3800 series appliances are available in these models:

  • Cisco SNS 3815 (SNS-3815-K9)
  • Cisco SNS 3855 (SNS-3855-K9)
  • Cisco SNS 3895 (SNS-3895-K9)

The Cisco SNS 3815 appliance is ideal for small deployments. Cisco SNS 3855 and Cisco SNS 3895 appliances have several redundant components such as hard disks and power supplies and are suitable for larger deployments that require highly reliable system configurations. Cisco SNS 3895 is recommended for PAN and MnT personas.

You must use only these ISO and upgrade bundle files for Cisco SNS 3800 appliances:

  • ise-3.4.0.608b.SPA.x86_64.iso
  • ise-upgradebundle-3.1.x-3.3.x-to-3.4.0.608b.SPA.x86_64.tar.gz
  • ise-urtbundle-3.4.0.608b-1.0.0.SPA.x86_64.tar.gz

Cisco SNS 3800 appliances are supported from Cisco ISE release 3.4 patch 4 onwards.

Note: Cisco SNS 3855 appliances can be configured with one hard disk or four hard disks. We recommend that you enable only the PSN or pxGrid persona if your Cisco SNS 3855 appliance is configured with only one hard disk.

Product impact: Software reliability

Red Hat OpenShift platform support

Cisco ISE release 3.4 patch 4 supports the Red Hat OpenShift platform. You can deploy Cisco ISE VMs on Red Hat OpenShift Virtualization, which lets you run and manage VM and container workloads on a single platform.

Note: You must use only this ISO file for Red Hat OpenShift platform support: ise-3.4.0.608b.SPA.x86_64.iso.

Monitor profiler traffic probes

These enhancements improve the resiliency and stability of the Cisco ISE profiler service:

  • Probe-related processing is paused for chatty endpoints for a predefined cool-off period, thereby reducing system load in high-traffic environments.
  • Profiler queue utilization is managed based on defined thresholds (moderate, high, and maximum load), thereby prioritizing critical tasks and maintaining system stability during peak loads.

USB disk encryption condition

You can use the All External USB Drives option (under Policy > Policy Elements > Conditions > Posture > Disk Encryption Condition) to check if external disk drives are encrypted with the selected product.

When a USB drive is inserted, Cisco ISE dynamically detects the drive insertion, immediately evaluates the USB drive condition, and checks the compliance status of the endpoint. This process ensures continuous monitoring and enforcement of posture policies related to USB devices while the endpoint remains within the Cisco ISE-controlled network.

Cisco ISE release 3.4 patch 3 new features

There are no new features in Cisco ISE release 3.4 patch 3.

Cisco ISE release 3.4 patch 2 new features

Table 3. New features for Cisco ISE release 3.4 cumulative patch 2

Remote support authorization

Remote support authorization allows a Cisco ISE administrator to authorize a specific Cisco TAC specialist to remotely and securely access the Cisco ISE deployment through the CLI, the GUI, or both, to troubleshoot and gather information. The Cisco ISE administrator must explicitly authorize this access, which can be granted for one or more nodes in the deployment.

Time restricted debug enabling

From Cisco ISE release 3.4 patch 2, the time-restricted debug enabling feature lets you select a log level from a drop-down list and set a reset timer. When the timer expires, the selected node reverts to the default log level.

Blast RADIUS vulnerability fix

To address the Blast RADIUS vulnerability reported in CSCwk67747, the Message Authenticator Required On Response check box has been introduced in External RADIUS Server, RADIUS Token ID Store, and Device Profile.

After an upgrade, the check box is not enabled for existing resources, but it is enabled automatically when new resources are added. Once the check box is enabled, Cisco ISE invalidates any response packet that lacks a Message-Authenticator attribute, causing the flow to fail. Before enabling it for an existing external RADIUS server or token store, confirm that the peer includes Message-Authenticator in its responses.
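What the Message Authenticator Required On Response check enforces, as an added example that is not Cisco's code: a minimal RADIUS Access-Accept builder and validator in Python (standard library only). The validator recomputes the MD5 Response Authenticator (RFC 2865), then requires and recomputes the HMAC-MD5 Message-Authenticator (RFC 2869) over the response with the Request Authenticator in the header and the attribute zero-filled, and rejects a response that lacks the attribute, which is the behaviour the notes describe for Cisco ISE once the check box is enabled. The shared secret, Request Authenticator, identifier and User-Name are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for the example (not from the release notes).
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))        # a real client sends 16 random bytes
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80        # RFC 2869 section 5.14
CODE_ACCESS_ACCEPT = 2


def encode_attrs(attrs):
    """Serialize [(type, value_bytes), ...] as RADIUS attribute TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    """Inverse of encode_attrs; rejects a truncated or zero-length attribute."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def message_authenticator(code, ident, request_auth, attrs, secret):
    """HMAC-MD5 over the packet with the Authenticator field set to the Request
    Authenticator and the Message-Authenticator value zero-filled (RFC 2869)."""
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hmac.new(secret, header + request_auth + body, hashlib.md5).digest()


def build_access_accept(ident, request_auth, attrs, secret=SECRET, protect=True):
    """Server side: optionally append Message-Authenticator, then set the
    Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    if protect:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
        mac = message_authenticator(CODE_ACCESS_ACCEPT, ident, request_auth, attrs, secret)
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def validate_response(pkt, request_auth, secret=SECRET, require_message_authenticator=True):
    """Client side, the role Cisco ISE plays toward an external RADIUS server or
    token store. Returns 'accept' or a 'reject: ...' reason."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:length]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return "reject: bad Response Authenticator"
    attrs = parse_attrs(body)
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        # The MD5-only Response Authenticator is what Blast RADIUS forges; with the
        # check enabled the response is invalidated here and the flow fails.
        if require_message_authenticator:
            return "reject: missing Message-Authenticator"
        return "accept (unprotected, pre-fix behaviour)"
    mac = message_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(mac, macs[0]):
        return "reject: bad Message-Authenticator"
    return "accept"


if __name__ == "__main__":
    attrs = [(ATTR_USER_NAME, b"alice")]
    print(validate_response(build_access_accept(7, REQUEST_AUTH, attrs), REQUEST_AUTH))
    print(validate_response(build_access_accept(7, REQUEST_AUTH, attrs, protect=False), REQUEST_AUTH))
```

The second print shows the failure mode the notes warn about: a peer that never sends Message-Authenticator produces a response that is otherwise valid, yet is rejected as soon as the requirement is switched on.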

Support for TACACS over TLS

You can enable TACACS over TLS authentication for network devices to enforce additional security. Cisco ISE validates the IP address (iPAddress), DNS name (dNSName), and directory name (directoryName) Subject Alternative Name (SAN) attributes of the device certificate. If any of these attributes matches, validation succeeds; otherwise, validation fails. Multiple values are supported for each SAN attribute.

You can view whether TACACS or TACACS over TLS authentication is enabled for a network device in the Network Devices page.

API keys and certificate authentication support for Tenable Security Center

From Cisco ISE release 3.4 patch 2 onwards, these authentication methods are additionally supported for Tenable Security Center:

  • API Keys: Enter the Access key and Secret key of a user account that has access privileges in Tenable Security Center. API key authentication is supported for Tenable Security Center 5.13.x and later releases. Before choosing this option in Cisco ISE, you must log in to Tenable Security Center as an Admin user and enable API key authentication.

  • Certificate Authentication: From the Authentication Certificate drop-down list, choose the required certificate. After successful authentication, Cisco ISE retrieves the customer-configured template from Tenable Security Center. Before enabling this option in Cisco ISE, you must configure Tenable Security Center to allow SSL client certificate authentication.

Product impact: Ease of use

Use enhanced Endpoint Topics Settings to share Cisco ISE data

You can enhance network visibility and security by sharing endpoint attribute data with Cisco AI Endpoint Analytics and Cisco pxGrid Cloud using the enhanced Endpoint Topics Settings feature. You can use the Enable Endpoint Attributes to Topics option to forward endpoint attributes from Cisco ISE to analytic platforms through integration. You can also publish AI Endpoint Analytics profile data to Cisco ISE for network access authorization and endpoint control by using the Consume Endpoint Profiles from AI Endpoint Analytics option.

Support for osquery condition

From Cisco ISE release 3.4 patch 2, you can create an osquery condition to check the posture compliance status of an endpoint or fetch the required attributes from an endpoint.

Note: For osquery condition support, you must use compliance module 4.3.3394 or later and Cisco Secure Client 5.1.7 or later versions.

Cisco ISE release 3.4 patch 1 new features

Table 4. New features for Cisco ISE release 3.4 cumulative patch 1

Product impact: Ease of use

Preview portal customization

After making the changes in the Portal Page Customization page, you must click Render Preview to preview your content. You must click Refresh Preview every time to view the updated content. Rendering portal customizations with active content or scripts might pose a security risk. We strongly recommend that you review the scripts carefully before rendering.

Cisco pxGrid Cloud new region support

Cisco pxGrid Cloud is now supported in Europe, Asia Pacific, and Japan in addition to the U.S.

Integrate Cisco pxGrid Cloud applications using Integration Catalog

From Cisco ISE release 3.4 patch 1, you can use a native integration catalog interface in Cisco ISE to integrate with Cisco pxGrid Cloud applications for a simplified integration experience. Cisco pxGrid Cloud apps can be integrated with Cisco ISE using the Integration Catalog (Administration > System > Deployment > Integration Catalog). You can integrate both single-instance and multi-instance Cisco pxGrid Cloud apps.

TrustSec policy matrix GUI enhancements

The TrustSec policy matrix in Cisco ISE has been significantly optimized for deployments with large numbers of SGTs. Performance enhancements include more efficient data fetching and rendering, backend query optimization for faster handling of large SGT sets, and improvements to the Cisco ISE GUI for smoother scrolling and navigation. These enhancements increase scalability and responsiveness, providing a more efficient and seamless experience when managing extensive policy matrices.

Product impact: Software reliability

Dynamic reauthorization scheduler

From Cisco ISE release 3.4 patch 1, you can enhance access control by setting a predetermined expiration date and time for each session. Sessions remain active only until the specified expiration, thereby preventing unauthorized access.

Assign dedicated resources for join points

From Cisco ISE release 3.4 patch 1, you can reserve resources for the join points in each PSN. This resource segmentation will help reduce the performance impact caused by resource sharing among the join points.

Change of Authorization for dictionary attributes using pxGrid Direct

From Cisco ISE release 3.4 patch 1, you can enable Change of Authorization (CoA) for dictionary attributes using pxGrid Direct. When the value of a CoA-enabled dictionary attribute changes, a CoA Port Bounce or Reauthentication is performed on the impacted endpoint.

Inbound and outbound SGT domain rules

You can create inbound SGT domain rules to map incoming SGT bindings with specific SGT domains. If no rules are defined, bindings received from workload connectors are sent to the default SGT domain.

You can create outbound SGT domain rules to designate target destinations for specific SGT bindings.

SSHD service cryptographic algorithms enhancement

From Cisco ISE release 3.4 patch 1, you can use these new keywords under service sshd in the Cisco ISE CLI to configure the cryptographic algorithms used by the SSH daemon:

  • MAC-algorithm
  • Hostkey
  • Hostkey-algorithm
  • Key-exchange-algorithm
  • SSH-client-hostkey-algorithm

Workload classification rules

Workload classification rules can be used to classify the workloads and to assign primary and secondary SGTs to the workloads. The primary SGT is marked as “Security Group” in the pxGrid session topic and is used to publish IP-to-SGT mappings via SXP. Secondary SGTs are included in the pxGrid session topic as an ordered array named “Secondary Security Groups”.

You can specify the order of classification rule execution. You can drag and drop the rules to change the order of priority.

Workload connectors

Common Policy is a framework for building and enforcing consistent access and segmentation policies, regardless of the domain. Workload Connectors are used in this framework to build secure connections with on-premises and cloud data centers, import application workload context, normalize that context into SGTs, and share the context with other domains for building policies.

Workloads Live Session

The Workloads Live Session page displays the details about the live workload sessions. To view this page, in the Cisco ISE GUI, click the Menu icon and choose Operations > Workloads > Workloads Live Session.

Security Identifiers in certificates will not be used for authentication

Cisco ISE supports a new certificate format that includes Security Identifiers (SID) in the Subject Alternative Name (SAN) fields. SIDs in the SAN field will not be used for authentication, helping to prevent authentication failures caused by incorrect SID parsing.

Cisco ISE supports these SAN_URI field formats in certificates:

  • SID and ID or GUID separated by a comma (in either order):

    <tag,sid>,<ID><GUID>
    <ID><GUID>,<tag,sid>

  • SID and ID or GUID separated by a colon (in either order):

    <tag,sid>:<ID><GUID>
    <ID><GUID>:<tag,sid>

  • Only SID present:

    <tag,sid>

  • Only ID and GUID present:

    <ID><GUID>

All newer Microsoft certificates include the SID in the SAN_URI with the format:

tag:microsoft.com,2022-09-14:sid:<SID>
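How the SID-bearing SAN URI can be separated from the identifier that is actually used for authentication, as an added example in Python that is not Cisco ISE's own parser. It handles the six layouts listed above; the SID, the UPN-style identifier and the GUID are constructed values. The point it shows is that the SID URI itself contains both ',' and ':', so splitting on the separator first would cut it in the wrong place; the example locates the Microsoft tag, extracts the SID with a strict pattern, strips exactly one adjacent separator, and returns whatever remains as the identity to authenticate with. It refuses a tag that is not followed by a well-formed SID rather than passing the fragment on as an identity.

```python
import re

# Microsoft SID URI form; the prefix is the one quoted in the release notes.
SID_TAG_PREFIX = "tag:microsoft.com,2022-09-14:sid:"
# Strict SID shape: S-1-<authority>-<subauthority>...; anything else is not a SID.
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def split_san_uri(value):
    """Return (sid, other) for one SAN URI value.

    'other' is the ID/GUID component with exactly one ',' or ':' separator
    removed, or None when only the SID is present. Raises ValueError when the
    Microsoft tag is present but not followed by a well-formed SID, or when the
    SID and the identifier are not joined by ',' or ':'.
    """
    start = value.find(SID_TAG_PREFIX)
    if start == -1:
        return None, value                       # plain ID/GUID, no SID at all
    m = SID_RE.match(value, start + len(SID_TAG_PREFIX))
    if m is None:
        raise ValueError(f"SID tag without a valid SID: {value!r}")
    before, after = value[:start], value[m.end():]
    if before and before[-1] in ",:":            # <ID><GUID>,<tag,sid> or <ID><GUID>:<tag,sid>
        before = before[:-1]
    elif after and after[0] in ",:":             # <tag,sid>,<ID><GUID> or <tag,sid>:<ID><GUID>
        after = after[1:]
    elif before or after:
        raise ValueError(f"SID and identifier not separated by ',' or ':': {value!r}")
    other = before + after
    return m.group(0), (other or None)


def authentication_identity(san_uris):
    """Identity to authenticate with: the first non-SID component found in the
    SAN URI values. The SID is ignored on purpose, as the notes describe."""
    for uri in san_uris:
        _sid, other = split_san_uri(uri)
        if other:
            return other
    return None


if __name__ == "__main__":
    # Constructed SID and UPN for illustration.
    sample = "tag:microsoft.com,2022-09-14:sid:S-1-5-21-3623811015-3361044348-30300820-1013,alice@example.com"
    print(split_san_uri(sample))
    print(authentication_identity([sample]))
```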

Enable PAP/ASCII in FIPS mode

From Cisco ISE release 3.4 patch 1, Cisco ISE allows configuration of the PAP/ASCII protocol in FIPS mode. You can enable RADIUS DTLS settings when configuring network devices to support the PAP/ASCII protocol in FIPS mode.

Support ACI for global security group

The naming convention for External EPGs (EEPGs) has changed from Cisco ISE release 3.4 to Cisco ISE release 3.4 patch 1. In Cisco ISE release 3.4, EEPGs are named "ISE_SGT_<SGT_TAG>", with "ISE_SGT_" as a constant prefix followed by the Security Group Tag (SGT). In Cisco ISE Release 3.4 Patch 1, the format changes to "ISE_<SG_NAME>", using "ISE_" as the constant prefix followed by the Security Group (SG) name.

This update lacks migration support, so EFT customers must disable outbound rules before installing Cisco ISE release 3.4 patch 1 and re-enable them after completing the patch installation.

Product impact: API experience

New pxGrid API: Endpoint topic

The Endpoint topic provides access to endpoints connected to a Cisco ISE-managed network device.

Product impact: Upgrade

Full and split upgrade support for patches

You can upgrade to a new Cisco ISE release with or without a patch for that release. If you have already installed a patch for your Cisco ISE release, you can use the Patch option to upgrade only the patch in your current release.

You can choose the full upgrade or split upgrade option for a patch upgrade.

  • Full Upgrade: Full upgrade is a multistep process that enables a complete patch upgrade of all the nodes in your Cisco ISE deployment at the same time.

  • Split Upgrade: Split upgrade is a multistep process that enables the patch upgrade of your Cisco ISE deployment while allowing services to remain available during the upgrade process.

Cisco ISE release 3.4 new features

Table 5. New features for Cisco ISE release 3.4

Product impact: Software reliability

Cisco ISE resiliency use cases

From Cisco ISE release 3.4, the Excessive RADIUS Network Device Communication and Excessive Endpoint Communication alarms have been added to maintain the resiliency of Cisco ISE.

Configure Virtual Tunnel Interfaces with Native IPsec

From Cisco ISE release 3.4, you can configure Virtual Tunnel Interfaces (VTIs) using the Native IPsec configuration page. You can use this to establish security associations between Cisco ISE PSNs and NADs across an IPsec tunnel using the IKEv1 and IKEv2 protocols. Native IPsec configuration ensures that Cisco ISE is FIPS 140-3 compliant.

Debug log settings

You can configure the maximum file size, and the maximum number of files allowed for each debug log component. You can view the current disk space usage, and the estimated space usage based on the values set for Max File Size and File Count in the Debug Level Configuration page. You can also specify the date and time after which these values must be reset to default.

Add identity sync after creating a Duo connection

If you do not want to configure user data synchronization between Active Directory and Duo while creating a Duo connection, click Skip in the Identity Sync page. You will be taken to the Summary page directly.

After you create a Duo connection, you can add identity sync configurations at any time.

Support for multiple Cisco Application Centric Infrastructure connectors

Cisco ISE enables you to create and enforce consistent access policies across multiple domains. Cisco ISE can share the SGTs and SGT bindings with Cisco Application Centric Infrastructure (Cisco ACI). Cisco ISE can also learn the endpoint groups (EPGs), endpoint security groups (ESGs), and endpoint information from Cisco ACI. You can add multiple Cisco ACI connections to Cisco ISE.

You can configure rules to manage the learned context in Cisco ISE and to optimize the context flows between Cisco ISE and Cisco ACI connectors.

Cisco ISE supports Cisco ACI Multi-Tenant, and Multi-Virtual Routing and Forwarding deployments. You can define multi-fabrics through multiple connections. This integration supports multi-pod and individual Cisco ACI fabrics.

Support for multiple Cisco Application Centric Infrastructure (Cisco ACI) connectors is a controlled introduction (Beta) feature. We recommend that you thoroughly test this feature in a test environment before using it in production. For best use of this Beta feature, install the corresponding hot patch.

Enforcing domain controller selection with priority

You can now override Cisco ISE's selection of domain controllers in case of a preferred domain controller failover. To do this, choose Administration > Identity Management > External Identity Sources > Active Directory > Advanced Tools > Advanced Tuning. Enter the name of the registry key in the Name field and 1 in the Value field. The value of this registry key is 0 by default.

When the registry key is enabled, Cisco ISE overrides the existing priority values on a domain controller failover and selects the next domain controller in the preferred list, in the order of input from left to right. You can also set the failback interval (in seconds) to a value between 60 and 86400; the default is 180 seconds. This feature works only for the direct domains on which the domain controllers were configured, not for trust-relationship domains.

Enhanced password security

Cisco ISE now improves password security through these enhancements:

  • You can choose to hide the Show button for these field values, to prevent them from being viewed in plaintext during editing:

    Under Network Devices:
      RADIUS Shared Secret
      RADIUS Second Shared Secret

    Under Native IPsec:
      Pre-shared Key

    To do this, choose Administration > Settings > Security Settings and uncheck the Show Password in Plaintext check box.

  • To prevent the RADIUS Shared Secret and Second Shared Secret from being viewed in plaintext during network device import and export, a new column with the header PasswordEncrypted:Boolean(true|false) has been added to the Network Devices Import Template Format. No field value is required for this column.

    If you are importing network devices from Cisco ISE release 3.3 patch 1 or an earlier release, you must add a new column with this header to the right of the Authentication:Shared Secret:String(128) column before import. If you do not add this column, an error message is displayed and the file is not imported. Network devices with encrypted passwords are rejected if a valid key to decrypt the password is not provided during import.
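A pre-import fix-up for exports taken from Cisco ISE release 3.3 patch 1 or earlier, as an added example that is not Cisco's own tooling: it inserts the PasswordEncrypted:Boolean(true|false) column directly to the right of the Authentication:Shared Secret:String(128) column and leaves the cell empty on every row, which is what the notes require. The sample CSV is a constructed subset of an export (the two header names quoted above are the only ones taken from the page; the others are placeholders); a real export has many more columns, which the code carries through unchanged, including quoted fields that contain commas.

```python
import csv
import io

SECRET_COL = "Authentication:Shared Secret:String(128)"
NEW_COL = "PasswordEncrypted:Boolean(true|false)"

# Constructed subset of a pre-3.4 network device export. Only SECRET_COL and
# NEW_COL are taken from the release notes; the other column names are placeholders.
SAMPLE_EXPORT = (
    "Network Device Name:String(32):Required,"
    "Network Device IP:Subnet:String(32):Required,"
    "Authentication:Shared Secret:String(128),"
    "Description:String(256)\n"
    "sw-core-01,10.0.0.1/32,s3cret-one,core switch\n"
    "wlc-01,10.0.0.2/32,s3cret-two,\"wireless controller, floor 2\"\n"
)


def add_password_encrypted_column(csv_text):
    """Insert the PasswordEncrypted column right after the shared-secret column.

    The new cell is left empty on every row. Returns the text unchanged if the
    column is already present (a 3.4-format export) and raises if the shared
    secret column is missing, because then this is not a network device export
    and should not be rewritten blindly.
    """
    rows = list(csv.reader(io.StringIO(csv_text)))
    header = rows[0]
    if NEW_COL in header:
        return csv_text
    if SECRET_COL not in header:
        raise ValueError(f"column {SECRET_COL!r} not found in header")
    pos = header.index(SECRET_COL) + 1
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header[:pos] + [NEW_COL] + header[pos:])
    for row in rows[1:]:
        if not row:
            continue                             # skip blank trailing lines
        writer.writerow(row[:pos] + [""] + row[pos:])
    return out.getvalue()


def column_after_secret(csv_text):
    """Name of the column immediately to the right of the shared-secret column,
    useful as a pre-flight check before uploading the file."""
    header = next(csv.reader(io.StringIO(csv_text)))
    return header[header.index(SECRET_COL) + 1]


if __name__ == "__main__":
    print(add_password_encrypted_column(SAMPLE_EXPORT))
```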

Localized ISE installation

While reinstalling Cisco ISE, you can use the Localized ISE Install option (option 25) in the application configure ise command to reduce the installation time. Though this option can be used for both Cisco Secure Network Server and virtual appliances, it significantly reduces the reinstallation time for Cisco Secure Network Servers.

pxGrid filtering

From Cisco ISE release 3.4, pxGrid supports filtering of information based on the specific requirements of the clients. The pxGrid filtering feature enables clients to receive relevant information from the publisher on a per-subscription basis. The filtering of information is achieved using the filtering API on the pxGrid server.

RADIUS suppression and reports enhancement

From Cisco ISE release 3.4, the RADIUS suppression and reports feature has been enhanced to facilitate easier RADIUS (Administration > System > Settings > Protocols > RADIUS > RADIUS Settings) configurations.

PAC-less RADIUS communication for TrustSec integrations

From Cisco ISE release 3.4, Cisco ISE supports PAC-less RADIUS communication for TrustSec integrations. This PAC-less enforcement replaces PAC-based RADIUS authentications wherever supported and is enforced through a shared secret ensuring secure communication between Cisco ISE and the TrustSec device. This feature does not require configuration changes in Cisco ISE. The network devices in the deployment may require a change in configuration. PAC-less RADIUS communication is only supported on network devices with IOS-XE version 17.15.1 or higher.

Product impact: Ease of setup

Create a URL pusher pxGrid Direct connector

You can create a pxGrid Direct connector using the Cisco ISE GUI or OpenAPI (REST API). From Cisco ISE release 3.4, you can choose between a URL Fetcher and a URL Pusher pxGrid Direct connector type. A URL Pusher connector lets you push JSON data into the Cisco ISE database using the pxGrid Direct Push APIs, without a server or a CMDB. This data remains in the Cisco ISE database and can be used in the authorization policy.

IPv6-only setup

You can now configure Cisco ISE with an IPv6 address, enabling an IPv6-only setup, in addition to the existing IPv4 and dual-stack options. You can switch between IPv4 and IPv6 configurations using the reset-config command. The new ipv6 default-gateway command lets you specify a default gateway using an IPv6 address.

TLS 1.3 support for Cisco ISE workflows

Cisco ISE release 3.4 allows TLS 1.3 to communicate with peers for these workflows:

  • Cisco ISE is configured as an EAP-TLS server
  • Cisco ISE is configured as a TEAP server
  • Cisco ISE is configured as a secure TCP syslog client

TLS 1.3 support for Cisco ISE configured as a TEAP server has been tested under internal test conditions because at the time of Cisco ISE release 3.4, TEAP with TLS 1.3 is not supported by any available client OS.

Product impact: Ease of use

Certificate authority diagnostic tool

To diagnose certificate management issues, use the CA Diagnostic Tool option in the application configure ise command. The tool suggests possible causes and remediations for the issues it identifies, helps you fix them, and provides the related logs for troubleshooting.

Hotpatch details added to show version command

The show version CLI command now includes hotpatch details, if any, for a specific Cisco ISE release.

To view hotpatch details in the Cisco ISE GUI, click the Menu icon and choose About ISE and Server.

On-demand pxGrid Direct data synchronization using Sync Now

You can use the Sync Now feature to perform on-demand synchronization of data for pxGrid Direct URL Fetcher connectors. You can perform both full and incremental syncs on-demand. On-demand data synchronization can be performed through the Cisco ISE GUI or using OpenAPI.

Opening TAC support cases in Cisco ISE

From Cisco ISE release 3.4, you can open TAC support cases for Cisco ISE directly from the Cisco ISE GUI.

Per-user dynamic access control list behavior change

While evaluating authorization profiles with per-user dynamic access control lists (DACLs), if a DACL does not exist in Cisco ISE configuration, authorization will fail, and Cisco ISE will send an Access-Reject response to that user. You can view this information in the Live Log Details page and the AAA Diagnostics report. From Cisco ISE Release 3.4 onwards, an authorization failure alarm is also displayed in the Alarms dashlet in the Cisco ISE dashboard.

pxGrid Direct support for arrays in dictionary groups for authorization policies

From Cisco ISE release 3.4, you can use pxGrid Direct connector data with array-valued attributes as dictionary attributes in an authorization policy. Use the Contains operator, or Matches for a regular expression, when configuring the policy; the Equals and In operators do not match array values. Multiple attributes can be nested using AND or OR conditions.
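A simplified model of how the four operators behave on array-valued pxGrid Direct attributes, as an added example that is not Cisco ISE's policy engine: Equals and In compare the whole attribute value, so an array never matches a scalar or a value list, while Contains and Matches are applied to each element and succeed if any element does, and leaves can be nested under AND and OR. The attribute names, values and condition dictionaries are constructed for the example; treating Contains as a substring test is an assumption of this model.

```python
import re

# Constructed pxGrid Direct attributes for one endpoint: "ServerTags" arrived as
# an array, "Owner" as a scalar. Names and values are invented for the example.
ENDPOINT = {"ServerTags": ["pci", "prod"], "Owner": "alice"}


def _elements(value):
    """An array attribute yields its elements; a scalar yields itself."""
    return value if isinstance(value, list) else [value]


def evaluate(condition, attributes):
    """Evaluate a nested authorization condition against pxGrid Direct attributes.

    condition is {"and": [...]}, {"or": [...]}, or a leaf of the form
    {"attr": name, "op": "Equals" | "In" | "Contains" | "Matches", "value": x}.
    Equals and In compare the whole attribute value, so an array never matches;
    Contains (substring, an assumption of this model) and Matches (regex) are
    applied per element and succeed if any element matches.
    """
    if "and" in condition:
        return all(evaluate(c, attributes) for c in condition["and"])
    if "or" in condition:
        return any(evaluate(c, attributes) for c in condition["or"])

    actual = attributes.get(condition["attr"])
    if actual is None:
        return False                             # a missing attribute never matches
    op, expected = condition["op"], condition["value"]
    if op == "Equals":
        return actual == expected
    if op == "In":
        return actual in expected
    if op == "Contains":
        return any(expected in str(e) for e in _elements(actual))
    if op == "Matches":
        return any(re.search(expected, str(e)) is not None for e in _elements(actual))
    raise ValueError(f"unknown operator {op!r}")


def pci_rule_matches(attributes):
    """Example rule: tagged pci AND owned by alice or bob, written with an
    operator that works on the array (Contains) and one on the scalar (In)."""
    rule = {"and": [
        {"attr": "ServerTags", "op": "Contains", "value": "pci"},
        {"attr": "Owner", "op": "In", "value": ["alice", "bob"]},
    ]}
    return evaluate(rule, attributes)


if __name__ == "__main__":
    print(pci_rule_matches(ENDPOINT))
    print(evaluate({"attr": "ServerTags", "op": "Equals", "value": "pci"}, ENDPOINT))
```

The second print is the trap the notes describe: an Equals condition on an array attribute quietly evaluates to false, and the rule never fires.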

GUI enhancements in Cisco ISE release 3.4

In Cisco ISE release 3.4, the Cisco ISE GUI has these enhancements to make the user experience more intuitive.

  • Single Click Access to Endpoint Information

    Objects in the Context Visibility page, such as the attribute details of endpoints, now have detailed information available with a single click.

    All endpoint attributes now appear on a single tab for ease of use and better visibility.

    You can click:

      • the MAC address of an endpoint to view all endpoint attributes on a single page.
      • the See full detail option on the top right corner of this page to view all endpoint details in a new browser tab, which you can also share.
      • the link icon next to the MAC address of an endpoint to open a full-page view of all endpoint details.

    These pages have been updated to include these enhancements:

      • Context Visibility > Endpoints
      • Work Center > Guest Access > Identities > Endpoints
      • Work Center > BYOD > Identities > Endpoints
      • Work Center > Network Access > Identities > Endpoints
      • Work Center > Profiler > Endpoint Classification

  • Retention of user preferences for column displays: When you change the column display of a table (adjust column width, hide or show columns, reorder columns, and so on) in the Cisco ISE GUI, your preferences are retained.

Product impact: API experience

New session directory topic available using pxGrid

You can subscribe to the sessionTopicAll topic using pxGrid. The sessionTopicAll is like the existing sessionTopic (which continues to be supported), with one key difference. The sessionTopicAll also publishes events for sessions without IP addresses.

Upgrade

Automatic log bundle generation on upgrade

From Cisco ISE release 3.4, a mini log bundle, which contains only debug logs specific to the upgrade, is generated automatically during the upgrade process. This log bundle is copied to the repository from where the upgrade was started and can be used to troubleshoot the upgrade in case of failure. Automatic log bundle generation is available for all three upgrade options in Cisco ISE - full upgrade, split upgrade, and upgrade using CLI.

Backup log improvements from the Cisco ISE CLI

The backup-logs CLI command has now been updated to include all backup log options that are available on the Cisco ISE GUI such as core-files, date-from, date-to, db-logs, debug-logs, local-logs, mnt-report-logs, policy-cache-logs, policy-conf-logs, and system-logs. If no output options are included, all backup logs are generated.

New and changed APIs in Cisco ISE

For detailed information on new, changed, and deprecated APIs, refer to the Cisco ISE API Reference Guide.

Changes in behavior

Cisco ISE release 3.4 deprecated features

Table 6.        Deprecated features for Cisco ISE release 3.4

Feature

Description

End of support for Legacy IPsec (ESR)

From Cisco ISE release 3.4, Legacy IPsec (ESR) is not supported on Cisco ISE. All IPsec configurations on Cisco ISE will be Native IPsec configurations. We recommend that you migrate from legacy IPsec (ESR) to native IPsec before upgrading to Cisco ISE release 3.4 to avoid any loss of tunnels and tunnel configurations.

Configuring RSA or RADIUS external databases for API authentication

From Cisco ISE release 3.4, configuring RSA or RADIUS external databases for API authentication is no longer supported.

Support for Transport Gateway removed

Cisco ISE no longer supports Transport Gateway. These Cisco ISE features used Transport Gateway as a connection method:

     Cisco ISE Smart Licensing - If you use Transport Gateway as the connection method in your smart licensing configuration, you must edit the setting before you upgrade to Cisco ISE release 3.4. You must choose a different connection method, because Cisco ISE release 3.4 does not support Transport Gateway. If you upgrade to Cisco ISE release 3.4 without updating the connection method, your smart licensing configuration is automatically updated to use the Direct HTTPS connection method during the upgrade process. You can change the connection method at any time after the upgrade.

     Cisco ISE Telemetry - Transport Gateway is no longer available as a connection method when using Cisco ISE Telemetry. The telemetry workflow is not impacted by this change.

GUI deprecations

These pages have been removed from the Cisco ISE GUI in Cisco ISE release 3.4:

     Location Services (Administration > Network Resources > Location Services).

     NAC Managers (Administration > Network Resources > NAC Managers).

Resolved issues

Cisco ISE release 3.4 patch 4: Resolved issues

You can use the Cisco Bug Search Tool to search for a specific bug or to search for all resolved bugs in a release.

Cisco ISE release 3.4 patch 3: Resolved issues

You can use the Cisco Bug Search Tool to search for a specific bug or to search for all resolved bugs in this release. To see additional information about the issues, click the bug ID to access the Bug Search Tool (BST).

Table 7.        Resolved issues in Cisco ISE release 3.4 cumulative patch 3

Bug ID

Description

CSCwp97554

Secure Network Analytics integration with Cisco ISE release 3.4 fails after installing Cisco ISE release patch 1 or patch 2.

CSCwq14019

Cisco ISE release 3.4 patch 2 crashes due to ASN1_get_object.

CSCwp22511

Cisco ISE converts periods to commas, causing a filename mismatch.

Cisco ISE release 3.4 patch 2: Resolved issues

You can use the Cisco Bug Search Tool to search for a specific bug or to search for all resolved bugs in this release.

Cisco ISE release 3.4 patch 1: Resolved issues

You can use the Cisco Bug Search Tool to search for a specific bug or to search for all resolved bugs in this release.

Cisco ISE release 3.4: Resolved issues

You can use the Cisco Bug Search Tool to search for a specific bug or to search for all resolved bugs in this release.

Open issues

Cisco ISE release 3.4 patch 4: Open issues

Any open issue from a previous release remains applicable to subsequent releases until it is resolved.

To search for a documented Cisco product issue, type in the browser: <bug_number> site:cisco.com.

Cisco ISE release 3.4 patch 3: Open issues

Any open issue from a previous release remains applicable to subsequent releases until it is resolved.

To search for a documented Cisco product issue, type in the browser: <bug_number> site:cisco.com.

Cisco ISE release 3.4 patch 2: Open issues

To see additional information about the issues, click the bug ID to access the Bug Search Tool (BST).

Table 8.        Open issues in Cisco ISE release 3.4 cumulative patch 2

Bug ID

Description

CSCwh77618

Cisco ISE RMQ Full: High latency exists between ISE nodes when EPO is enabled.

CSCwn97980

The cell in the TrustSec policy matrix is intermittently unresponsive.

CSCwo05386

Cisco ISE is receiving alarms about the expiration of the internal certificate ‘Baltimore CyberTrust Root’.

CSCwo99311

In Cisco ISE Release 3.4 Patch 2, no endpoints are onboarded in the EPO PSN1 unreachable scenario.

CSCwp22511

New Patch Upload UI converts periods to commas, causing filename mismatches.

CSCwp60343

During certificate-based authentication, ERS post-operation for internal users fails due to client validation failure.

Cisco ISE release 3.4 patch 1: Open issues

Any open issue from a previous release remains applicable to subsequent releases until it is resolved.

To search for a documented Cisco product issue, type in the browser: <bug_number> site:cisco.com.

Cisco ISE release 3.4: Open issues

Any open issue from a previous release remains applicable to subsequent releases until it is resolved.

To search for a documented Cisco product issue, type in the browser: <bug_number> site:cisco.com.

Known issues

Cisco ISE release 3.4 patch 4: Known issues

Table 9.        Known issues for Cisco ISE release 3.4 cumulative patch 4

Feature

Known issue

Cisco ISE on cloud vulnerability fix

When upgrading to Cisco ISE release 3.4 patch 4 from patch 1, patch 2, or any other Cisco ISE release, Cisco ISE will perform a mandatory restart of internal services upon login. This restart is required to address the vulnerability identified in CSCwn63400. This fix is applicable only to cloud deployments. To fully apply the fix, you must synchronize all the nodes in your deployments with the PAN using one of these options:

     Proceed with Auto Sync: All nodes will be restarted to ensure immediate synchronization and application of the fix. You can verify the synchronization status of nodes in your deployment in the Deployment Nodes page (Administration > System > Deployment). We recommend this option to ensure automatic synchronization across all nodes.

     Proceed with Manual Sync: After the restart, you must manually synchronize all nodes as soon as possible to prevent desynchronization. If nodes are desynchronized, you must deregister, reset the configuration, and then register the nodes again to resolve the issue.

     Decide Later: Options for fixing the vulnerability will be available to you at your next login.

Note: This requirement does not apply if you have installed the latest Cisco ISE release 3.4 patch 3 AMI before upgrading to Cisco ISE release 3.4 patch 4.

Cisco ISE release 3.4 patch 3: Known issues

There are no known issues in Cisco ISE release 3.4 patch 3.

Cisco ISE release 3.4 patch 2: Known issues

There are no known issues in Cisco ISE release 3.4 patch 2.

Cisco ISE release 3.4 patch 1: Known issues

Table 10.       Known issues for Cisco ISE release 3.4 cumulative patch 1

Feature

Known issue

Usage of IPv6 addresses in ACI connections

You must suspend the ACI connections before installing Cisco ISE release 3.4 patch 1 to ensure that the IPv6 addresses are maintained in the same format across the integrations.

Patch rollback flow with newly supported operators

From Cisco ISE release 3.4 patch 1, the IP Equals, IP Not Equals, In, Not In, Contains, and Not Contains operators are supported for workload classification rules and inbound SGT domain rules. When you use the Patch Rollback option for Cisco ISE release 3.4 patch 1, the workload classification rules and inbound SGT domain rules that contain these operators will be deleted during the patch rollback flow, because these operators are not supported in Cisco ISE release 3.4.

Cisco ISE release 3.4: Known issues

There are no known issues in Cisco ISE release 3.4.

Compatibility

Cisco ISE release 3.4 ISO, upgrade bundle, and Cisco ISE-PIC 3.4 ISO files replaced on software download site

Cisco ISE release 3.4 ISO, Cisco ISE release 3.4 upgrade bundle, and Cisco ISE-PIC 3.4 ISO files have been replaced on the Cisco ISE Software Download site. The filenames of the new files are:

     ise-3.4.0.608a.SPA.x86_64.iso

     ise-upgradebundle-3.1.x-3.3.x-to-3.4.0.608a.SPA.x86_64.tar.gz

     Cisco-ISE-PIC-3.4.0.608a.SPA.x86_64.iso

You can use Fedora Media Writer and BalenaEtcher USB tools in addition to Rufus to create a bootable USB device from the new ISO file.

These steps are not required while creating a bootable USB device using the new ISO file:

     Replacing the term "cdrom" with "hd:sdb1" in these files:

    isolinux/isolinux.cfg or syslinux/syslinux.cfg

    EFI/BOOT/grub.cfg

     Replacing the term “cdrom” with “harddrive --partition=/dev/disk/by-label/ADEOS --dir=/” in the ks.cfg file

For more information, see "SNS Appliance Reference" in the chapter "Additional Installation Information" in the Cisco Identity Services Engine Installation Guide, release 3.4.

If you have used the previous files (for example, ise-3.4.0.608.SPA.x86_64.iso) for Cisco ISE release 3.4 or Cisco ISE-PIC 3.4, there is no need to reinstall Cisco ISE or Cisco ISE-PIC. The new files include only changes to improve the installation process.

Upgrading to Cisco ISE release 3.4

You can directly upgrade to release 3.4 from these Cisco ISE releases: 3.3, 3.2, and 3.1.

If you are on a version earlier than Cisco ISE release 3.1, you must first upgrade to one of the releases listed above and then upgrade to Cisco ISE release 3.4.

Cisco ISE patches are cumulative, and we recommend that you upgrade to the latest patch in the existing release before starting the upgrade. We recommend that you install all the relevant patches before beginning the upgrade. For more information, see the Cisco Identity Services Engine Upgrade Guide.

For information about upgrade packages and supported platforms, see Cisco ISE Software Download.

Cisco ISE on cloud

Native cloud environments must use the Cisco ISE backup and restore method for upgrades. Upgrades cannot be performed on Cisco ISE nodes deployed in native cloud environments. You must deploy a new node with a newer version of Cisco ISE and restore the configuration of your older Cisco ISE deployment onto it. To successfully deploy Cisco ISE natively in cloud environments, see Deploy Cisco ISE Natively on Cloud Platforms. For information on supported Cisco ISE instances, see Cisco ISE instances and intended usage.

Install a new patch

For instructions on how to apply the patch to your system, see the "Cisco ISE Software Patches" section in the Cisco Identity Services Engine Upgrade Journey.

For instructions on how to install a patch using the CLI, see the "Patch Install" section in the Cisco Identity Services Engine CLI Reference Guide.

Supported hardware

Cisco ISE release 3.4 can be installed on these Secure Network Server (SNS) hardware platforms. For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide.

     Cisco SNS-3615-K9 (small)

     Cisco SNS-3655-K9 (medium)

     Cisco SNS-3695-K9 (large)

     Cisco SNS-3715-K9 (small)

     Cisco SNS-3755-K9 (medium)

     Cisco SNS-3795-K9 (large)

     Cisco SNS-3815-K9 (small)

     Cisco SNS-3855-K9 (medium)

     Cisco SNS-3895-K9 (large)

Note: Cisco SNS 3800 appliances are supported from Cisco ISE release 3.4 patch 4 onwards.

For more details on hardware platforms and installation of this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.

Supported virtual environments

This table summarizes supported platforms and provides key details about Cisco ISE deployment options.

For information about the virtual machine requirements, see the Cisco Identity Services Engine Installation Guide for your version of Cisco ISE.

Table 11.       Supported virtual environments

Virtual environment

Support details

VMware

     VMware 7.0.3 or later

     In the case of vTPM devices, you must upgrade to VMware ESXi 7.0.3 or later releases.

     OVA templates support VMware version 14 or later on ESXi 7.0, and ESXi 8.0.

     ISO files support ESXi 7.0, and ESXi 8.0.

     You can use the VMware migration feature to migrate VM instances (running any persona) between hosts. Cisco ISE supports both hot and cold migration. Hot migration is also called live migration or vMotion. Cisco ISE need not be shut down or powered off during the hot migration. You can migrate the Cisco ISE VM without any interruption in its availability.

VMware Cloud Solutions on public cloud platforms

     AWS: Host Cisco ISE on a software-defined data center provided by VMware Cloud on AWS.

     Azure VMware Solution: Runs VMware workloads natively on Microsoft Azure.

     Google Cloud VMware Engine: Runs software-defined data center by VMware on Google Cloud.

Microsoft Hyper-V

     Supports Microsoft Windows Server 2012 R2 and later.

     Supports Azure Stack HCI 23H2 and later versions. The virtual machine requirements and the installation procedure for the Cisco ISE VMs in the Azure Stack HCI are the same as that of Microsoft Hyper-V.

KVM on QEMU

     Supports QEMU 2.12.0-99 and later.

     Cisco ISE cannot be installed on OpenStack.

Nutanix

     Supports Nutanix 20230302.100169 and later.

Public cloud platforms

     Native support for Amazon Web Services (AWS), Microsoft Azure Cloud, and Oracle Cloud Infrastructure (OCI).

Red Hat OpenShift

     Red Hat OpenShift container platform 4.19 and later.

     Cisco ISE must be deployed on OpenShift platform using the standard Cisco ISE ISO image. Deploying Cisco ISE using OVA templates is not supported.

Browser compatibility

The Cisco ISE GUI is intended to be compatible with the most recent desktop version of most common browsers, including Chrome, Firefox, and Edge. In most cases, compatibility will extend one version behind their most recent release. Currently, you cannot access the Cisco ISE GUI on mobile devices.

Cisco ISE release 3.4 is validated on:

     Mozilla Firefox versions 123, 124, 125, 127, and later.

     Google Chrome versions 122, 123, 124, 126, and later.

     Microsoft Edge versions 123, 124, 125, 126, and later.

Validated external identity sources

Table 12.       Validated external identity sources

External identity source

Details

Version

Active Directory

Microsoft Windows Active Directory 2012

Windows Server 2012

Microsoft Windows Active Directory 2012 R2

Windows Server 2012 R2

Note: Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2. However, the new features in Microsoft Windows Active Directory 2012 R2, such as Protected User Groups, are not supported.

Microsoft Windows Active Directory 2016

Windows Server 2016

Microsoft Windows Active Directory 2019

Windows Server 2019

Microsoft Windows Active Directory 2022

Windows Server 2022 with patch Windows10.0-KB5025230-x64-V1.006.msu

LDAP servers

SunONE LDAP Directory server

Version 5.2

OpenLDAP Directory server

Version 2.4.23

Any LDAP v3-compliant server

Any version that is LDAP v3 compliant

AD as LDAP

Windows Server 2022 with patch Windows10.0-KB5025230-x64-V1.006.msu

Token servers

RSA ACE/server

6.x series

RSA authentication manager

7.x and 8.x series

Any RADIUS RFC 2865-compliant token server

Any version that is RFC 2865 compliant

Security Assertion Markup Language (SAML) Single Sign-On (SSO)

Microsoft Azure MFA

Latest

Oracle Access Manager (OAM)

Version 11.1.2.2.0

Oracle Identity Federation (OIF)

Version 11.1.1.2.0

PingFederate server

Version 6.10.0.4

PingOne Cloud

Latest

Secure Auth

8.1.1

Any SAMLv2-compliant identity provider

Any SAMLv2-compliant identity provider version

Open Database Connectivity (ODBC) identity source

Microsoft SQL server

Microsoft SQL servers 2012 and 2022

Oracle

Enterprise Edition Release 12.1.0.2.0

PostgreSQL

9.0

Sybase

16.0

MySQL

6.3

Social Login (for Guest User Accounts)

Facebook

Latest

Supported antivirus and antimalware products

For information about the antivirus and antimalware products supported by the Cisco ISE posture agent, see Cisco AnyConnect ISE Posture Support Charts.

Validated OpenSSL version

Cisco ISE 3.4 is validated with CiscoSSL 7.3.410 based on OpenSSL 1.1.1za.

Related resources

See our collection pages for additional resources that you can use when working with Cisco ISE.

Legal information

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2025 Cisco Systems, Inc. All rights reserved.