Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Release Notes for Cisco Identity Services Engine, Release 2.3
Revised: February 18, 2021
Contents
These release notes supplement the Cisco ISE documentation that is included with the product hardware and software release, and cover the following topics:
Introduction
The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution. It offers authenticated network access, profiling, posture, BYOD device onboarding (native supplicant and certificate provisioning), guest management, device administration (TACACS+), and security group access services along with monitoring, reporting, and troubleshooting capabilities on a single physical or virtual appliance. Cisco ISE is available on two physical appliances with different performance characterization, and also as software that can be run on a VMware server. You can add more appliances to a deployment for performance, scale, and resiliency.
Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also allows for configuration and management of distinct personas and services. This feature gives you the ability to create and apply services where they are needed in the network, but still operate the Cisco ISE deployment as a complete and coordinated system.
Note We have recalled ISE 2.3 patch 1 due to an issue we found after posting. An updated patch file has been reposted, and the new file name is ise-patchbundle-2.3.0.298-Patch1-221754.SPA.x86_64.tar.gz. If you already installed the previously posted patch, you MUST uninstall that patch, and install the new one.
The examples and screenshots provided in the ISE Community resources might be from earlier releases of Cisco ISE. Check the GUI for newer or additional features and updates.
Some Dashlets Removed to Resolve Performance Issues
The following dashlets have been decommissioned to prevent performance issues when displaying large datasets:
Context Visibility > Endpoint > Compliance: Status Trend
Home > Endpoints > Endpoint Capacity
A large number of endpoints caused performance problems with some dashlets.
CoA Logging Enhancements
The following attributes are additionally displayed for the CoA events in the Authentication details report that is launched from the Live Logs page:
CoASourceComponent—The component requesting the CoA, for example, profiler, posture, BYOD onboard (NSP), and so on.
CoAReason—The reason for the CoA to be triggered, for example, change in endpoint profile.
CoAType—Shows the type of CoA event, for example, reauthentication, terminate, and so on.
Context Visibility Enhancements
The Application dashboard in the Context Visibility page helps you to identify the number of endpoints that have a specified application installed. The results are displayed in graphical and tabular formats. The graphical representation helps you make a comparative analysis. Applications are classified into 13 categories. Applications that do not fall into any of these categories are termed Unclassified.
Enable MAR Cache Distribution
Cisco ISE allows you to add or update the MAR cache distribution for the node groups. You must ensure that MAR is enabled in the AD page before enabling this option.
Export Command Sets and Syslog Messages
You can export the command sets and syslog messages in CSV format.
Guest Enhancements
Guests can select a social login provider as a way to provide credentials as a self-registered guest, instead of entering username and password in the guest portal. To enable this, you can configure a social media site as an external identity source, and configure a portal that allows users to use that external identity source (social login provider). Facebook is the social login provider supported by this release.
IPv6 Support for External ID Store Attributes
Cisco ISE allows you to configure the AD and LDAP server with IPv4 or IPv6 address when you manually add the attribute type IP and authenticate the user.
Key Type for Certificate Public Key
You can specify the algorithm to be used for creating the public key (RSA or ECDSA). You can also specify the bit size for the public key. The following options are available for RSA:
512
1024
2048
4096
The following options are available for ECDSA:
256
384
Migration Tool Enhancements
The migration tool provides options to migrate ACS 4.x/ACS 5.x supported objects. The migration tool lists the data objects based on the selection. The migration tool supports:
Migration of users, identity groups, network devices, network device groups, and user-defined attributes from ACS 4.x/5.x to Cisco ISE.
Migration of policy rules having AND/OR conditions.
Migration of network devices configured with IP address ranges in all the octets.
Migration of date and time policies into multiple objects if the time table is configured with different timings and days.
The migration tool now supports additional endpoint custom attributes, such as Date, IP Address, Unsigned Integer 32, and Enumeration.
Network Device IP Address Range Support in all the Octets
You can configure the network devices with IP address ranges in all the octets. You can use a hyphen (-) or asterisk (*) as wildcard to specify a range of IP addresses. You can specify single IP address, subnet address, or IP address range in all the octets for the network device. Cisco ISE reports a validation error if you provide invalid IP address/range in the External REST interface.
Node Registration Made Easy
If the node uses a self-signed certificate that is not trusted, a certificate warning message is displayed. The certificate warning message displays details about the certificate (such as, Issued-to, Issued-by, Serial number, and so on), which can be verified against the actual certificate on the node. You can select the Import Certificate and Proceed option to trust this certificate and proceed with registration. Cisco ISE imports the default self-signed certificate of that node to the trusted certificate store of Primary PAN. If you do not want to use the default self-signed certificate, you can click Cancel Registration and manually import the relevant certificate chain of that node to the trusted certificate store of Primary PAN.
Policy Sets
Network access policies have now been consolidated together under Policy Sets, which can be accessed from Policy > Policy Sets. Each policy set is a container defined on the top level of the policy hierarchy, under which all relevant Authentication and Authorization policy and policy exception rules for that set are configured. Multiple rules can be defined for both authentication and authorization, all based on conditions. Conditions and additional related configurations can now also be easily accessed and reused directly from the new Policy Set interface.
For more information about the new policy model, see New Policy Model.
Posture Enhancements
Default policies added for anti-malware, application visibility, and firewall conditions.
Default requirements added for application visibility, firewall, and USB conditions.
Cisco Temporal Agent—By default, this temporal agent resides in the Cisco ISE ISO image, and is uploaded to Cisco ISE during installation.
Posture and client provisioning policies allow the matching of users and endpoints, including Endpoint ID groups and endpoint custom attributes.
RADIUS DTLS Client Identity Check
You can choose the Enable RADIUS/DTLS Client Identity Verification option under RADIUS settings if you want Cisco ISE to verify the identity of the RADIUS/DTLS clients during the DTLS handshake. Cisco ISE fails the handshake if the client identity is not valid. Identity check is skipped for the default devices, if configured. Identity check is performed in the following sequence:
1. If the client certificate contains the subject alternative name (SAN) attribute:
– If SAN contains the DNS name, the DNS name specified in the certificate is compared with the DNS name that is configured for the network device in Cisco ISE.
– If SAN contains the IP address (and does not contain the DNS name), the IP address specified in the certificate is compared with all the device IP addresses configured in Cisco ISE.
2. If the certificate does not contain SAN, subject CN is compared with the DNS name that is configured for the network device in Cisco ISE. Cisco ISE fails the handshake in the case of mismatch.
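The verification sequence above, implemented as an added example (not Cisco's code) over identity fields already parsed out of the client certificate and the network device record configured in ISE; ClientCertIdentity, NetworkDevice and verify_client_identity are this example's names, and SAN entries of types other than DNS name and IP address are not modelled.

```python
"""RADIUS/DTLS client identity verification, following the sequence in the text.

Added example, not Cisco's code. Works on the identity fields of a client certificate
(SAN DNS names, SAN IP addresses, subject CN) and on the network-device entry that is
configured in ISE (DNS name, IPv4/IPv6 addresses). All class and function names here
are this example's own.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ClientCertIdentity:
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)  # textual IPv4/IPv6 addresses

    @property
    def has_san(self) -> bool:
        # Only DNS and IP SAN entries are modelled; other SAN types are ignored here
        return bool(self.san_dns or self.san_ip)


@dataclass
class NetworkDevice:
    name: str
    dns_name: Optional[str]
    ip_addresses: List[str]          # IPv4 or IPv6, as configured on the device entry
    is_default_device: bool = False  # "default device" entries skip the identity check


def _same_host(a: str, b: str) -> bool:
    # DNS names are case-insensitive; a trailing dot marks an FQDN and is not part of the name
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def _same_ip(a: str, b: str) -> bool:
    # Normalise so that "2001:DB8::10" and "2001:db8:0:0:0:0:0:10" compare equal;
    # a value that does not parse as an address never matches
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


def verify_client_identity(cert: ClientCertIdentity, device: NetworkDevice) -> Tuple[bool, str]:
    """Return (accept, reason). False means ISE would fail the DTLS handshake."""
    if device.is_default_device:
        return True, "identity check skipped for default device"

    if cert.has_san:
        # Step 1a: a SAN DNS name is compared with the configured DNS name; no CN fallback
        if cert.san_dns:
            if device.dns_name and any(_same_host(n, device.dns_name) for n in cert.san_dns):
                return True, "SAN DNS name matches configured DNS name"
            return False, "SAN DNS name does not match configured DNS name"
        # Step 1b: SAN holds only IP addresses; any configured device address may match
        for cert_ip in cert.san_ip:
            if any(_same_ip(cert_ip, dev_ip) for dev_ip in device.ip_addresses):
                return True, "SAN IP address matches a configured device IP address"
        return False, "no SAN IP address matches a configured device IP address"

    # Step 2: no SAN at all, so the subject CN is compared with the configured DNS name
    if cert.subject_cn and device.dns_name and _same_host(cert.subject_cn, device.dns_name):
        return True, "subject CN matches configured DNS name"
    return False, "no SAN and subject CN does not match configured DNS name"


# Constructed sample device entry (not from any real deployment)
SWITCH = NetworkDevice(name="access-sw-01", dns_name="access-sw-01.example.net",
                       ip_addresses=["192.0.2.10", "2001:db8::10"])

if __name__ == "__main__":
    for cert in (ClientCertIdentity("ignored", san_dns=["ACCESS-SW-01.example.net."]),
                 ClientCertIdentity("access-sw-01.example.net", san_ip=["198.51.100.5"]),
                 ClientCertIdentity("access-sw-01.example.net")):
        print(verify_client_identity(cert, SWITCH))
```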
Read-only Administrator Support
Cisco ISE allows you to create read-only administrative users who can view the configurations on Cisco ISE GUI, but cannot create, update, or delete data.
Reports Export Summary
You can view the summary of the reports that are exported by the users in the last 48 hours along with the status.
Schedule Policy Export
Cisco ISE allows you to schedule authentication and authorization policy export. This can be scheduled to run once, daily, weekly, or monthly.
Security Settings Page Enhancements
The following options are added in the Security Settings page (Administration > System > Settings > Protocols > Security Settings) :
Allow TLS 1.0—Allows TLS 1.0 for communication with legacy peers for the following workflows:
– Cisco ISE is configured as EAP server
– Cisco ISE downloads CRL from HTTPS or secure LDAP server
– Cisco ISE is configured as secure syslog client
– Cisco ISE is configured as secure LDAP client
Note The Allow TLS 1.0 option is disabled by default in Cisco ISE 2.3 and above. TLS 1.0 is not supported for TLS-based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) and 802.1X supplicants when this option is disabled. If you want to use the TLS-based EAP authentication methods with TLS 1.0, check the Allow TLS 1.0 check box in the Security Settings page (Administration > System > Settings > Protocols > Security Settings).
Allow TLS 1.1—Allows TLS 1.1 for communication with legacy peers for the following workflows:
– Cisco ISE is configured as EAP server
– Cisco ISE downloads CRL from HTTPS or secure LDAP server
– Cisco ISE is configured as secure syslog client
– Cisco ISE is configured as secure LDAP client
Note The Allow TLS 1.1 option is disabled by default in Cisco ISE 2.3 and above. TLS 1.1 is not supported for TLS-based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) and 802.1X supplicants when this option is disabled. If you want to use the TLS-based EAP authentication methods with TLS 1.1, check the Allow TLS 1.1 check box in the Security Settings page (Administration > System > Settings > Protocols > Security Settings).
Allow SHA-1 ciphers—Allows SHA-1 ciphers for communication with legacy peers for the following workflows:
– Cisco ISE is configured as EAP server
– Cisco ISE is configured as RADIUS DTLS server
– Cisco ISE is configured as RADIUS DTLS client
– Cisco ISE downloads CRL from HTTPS or secure LDAP server
– Cisco ISE is configured as secure TCP syslog client
– Cisco ISE is configured as secure LDAP client
This option is enabled by default.
Note It is recommended to use SHA-256 or SHA-384 ciphers for enhanced security.
Allow ECDHE-RSA ciphers—Allows ECDHE-RSA ciphers for communication with peers for the following workflows:
– Cisco ISE is configured as EAP server
– Cisco ISE is configured as RADIUS DTLS server
– Cisco ISE is configured as RADIUS DTLS client
– Cisco ISE downloads CRL from HTTPS server
– Cisco ISE downloads CRL from secure LDAP server
– Cisco ISE is configured as secure TCP syslog client
– Cisco ISE is configured as secure LDAP client
It is recommended that you enable this option for enhanced security. This option is enabled by default.
Allow 3DES ciphers—Allows 3DES ciphers for communication with peers for the following workflows:
– Cisco ISE is configured as EAP server
– Cisco ISE is configured as RADIUS DTLS server
– Cisco ISE is configured as RADIUS DTLS client
– Cisco ISE downloads CRL from HTTPS server
– Cisco ISE downloads CRL from secure LDAP server
– Cisco ISE is configured as secure TCP syslog client
– Cisco ISE is configured as secure LDAP client
This option is enabled by default. Uncheck this check box for enhanced security.
Accept certificates without validating purpose—When ISE acts as an EAP or RADIUS DTLS server, client certificates are accepted without checking whether the Key Usage extension contains keyAgreement bit for ECDHE-ECDSA ciphers or keyEncipherment bit for other ciphers. This option is enabled by default.
Allow DSS ciphers for ISE as a client—Allows DSS ciphers for communication with server for the following workflows:
– Cisco ISE is configured as RADIUS DTLS client
– Cisco ISE downloads CRL from HTTPS server
– Cisco ISE downloads CRL from secure LDAP server
– Cisco ISE as secure TCP syslog client
– Cisco ISE as secure LDAP client
This option is enabled by default. Uncheck this check box for enhanced security.
Allow legacy unsafe TLS renegotiation for ISE as a client—Allows communication with legacy TLS servers that do not support safe TLS renegotiation for the following workflows:
– Cisco ISE downloads CRL from HTTPS server
– Cisco ISE downloads CRL from secure LDAP server
– Cisco ISE as secure TCP syslog client
– Cisco ISE as secure LDAP client
Support for Network Device with IPv6 Address
Cisco ISE allows you to configure the network devices with IPv4 or IPv6 address. You can also export and import the network devices with IPv4 or IPv6 address.
You can also add IPv4 or IPv6 address for the Device IP address attribute in the conditions and rules used in the authentication and authorization policies.
Support for Network Device IP Address Range with Exclude Option
Cisco ISE allows you to exclude an IP address or IP address ranges from the specified range of IP addresses during authentication.
Upgrade Enhancements
Cisco ISE offers an Upgrade Readiness Tool (URT) that you can run to detect and fix any data upgrade issues before you start the upgrade process. Most of the upgrade failures occur because of data upgrade issues. The URT is designed to validate the data before upgrade to identify, and report or fix the issue, wherever possible. The URT is available as a separate downloadable bundle that can be run on a Secondary Policy Administration Node or Standalone Node. There is no downtime needed to run this tool.
See the Cisco Identity Services Engine Upgrade Guide, Release 2.3 for more information.
Wireless Setup
ISE Wireless Setup provides an intuitive workflow to quickly set up common wireless use cases, such as 802.1X, Guest, and BYOD. In just a few steps, the setup workflow configures both ISE and a Cisco wireless controller for a working end-to-end flow.
Wireless Setup is supported only for new installations. The Wireless Setup menu does not appear if you upgrade to Cisco ISE 2.2 from an earlier release or restore ISE from a backup.
Note ISE Wireless Setup is beta software. Do not use Wireless Setup in production networks.
Note The Wireless Setup feature is disabled by default in Cisco Identity Services Engine, Release 2.2 cumulative patch 2.
Note For more details on Cisco ISE hardware platforms and installation, see the Cisco Identity Services Engine Hardware Installation Guide, Release 2.3.
Supported Hardware
Cisco ISE software is packaged with your appliance or image for installation. Cisco ISE, Release 2.3 is shipped on the following platforms. After installation, you can configure Cisco ISE with specified component personas (Administration, Policy Service, Monitoring, and pxGrid) on the platforms that are listed in Table 1.
Cisco ISE-VM-K9 (VMware, Linux KVM, Microsoft Hyper-V)
For CPU and memory recommendations, refer to the “VMware Appliance Sizing Recommendations” section in the Cisco Identity Services Engine Hardware Installation Guide, Release 2.3.
For hard disk size recommendations, refer to the “Disk Space Requirements” section in the Cisco Identity Services Engine Hardware Installation Guide, Release 2.3.
NIC—1 GB NIC interface required. You can install up to 6 NICs.
Supported virtual machine versions include:
ESXi 5.x (5.1 U2 and later support RHEL 7), 6.x
Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later
KVM on RHEL 7.0
Note If you are installing or upgrading Cisco ISE on an ESXi 5.x server, to support RHEL 7 as the Guest OS, update the VMware hardware version to 9 or later. RHEL 7 is supported with VMware hardware version 9 and later.
Note Memory allocation of less than 16 GB is not supported for any VM appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 16 GB before opening a case with the Cisco Technical Assistance Center.
Note Legacy ACS and NAC appliances (including the Cisco ISE 3300 series) are not supported with Cisco ISE, Release 2.0 and later releases.
FIPS Mode Support
Cisco ISE uses embedded FIPS 140-2 validated cryptographic module, Cisco FIPS Object Module Version 6.0 (Certificate #2505). For details of the FIPS compliance claims, see the FIPS Compliance Letter.
Supported Virtual Environments
Cisco ISE supports the following virtual environment platforms:
VMware ESXi 5.x (5.1 U2 and later support RHEL 7), 6.x
Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later
KVM on RHEL 7.0
Note If you are installing or upgrading Cisco ISE on an ESXi 5.x server, to support RHEL 7 as the Guest OS, update the VMware hardware version to 9 or later. RHEL 7 is supported with VMware hardware version 9 and later.
Supported Browsers
Supported browsers for the Admin portal include:
Mozilla Firefox 69 and earlier versions
Mozilla Firefox ESR 60.9 and earlier versions
Google Chrome 77 and earlier versions
Microsoft Internet Explorer 10.x and 11.x
– If you are using Internet Explorer 10.x, enable TLS 1.1 and TLS 1.2, and disable SSL 3.0 and TLS 1.0 (Internet Options > Advanced).
– If you use Chrome 65.0.3325.189, you may be unable to view guest account details in the print preview section.
– You might see a warning message while downloading an executable (EXE) file in Google Chrome 76 or later. To resolve this issue:
a. In your browser, click the Settings menu at the top-right corner.
b. At the bottom of the Settings window, click Advanced.
c. Under Downloads, check the Ask Where to Save Each File before Downloading check box.
Support for Microsoft Active Directory
Cisco ISE, Release 2.3 works with Microsoft Active Directory servers 2003, 2003 R2, 2008, 2008 R2, 2012, 2012 R2, and 2016 at all functional levels.
Note Microsoft has ended support for Windows Server 2003 and 2003 R2. We recommend that you upgrade Windows Server to a supported version.
Microsoft Active Directory version 2000 or its functional level is not supported by Cisco ISE.
Cisco ISE 2.3 supports Multi-Forest/Multi-Domain integration with Active Directory infrastructures to support authentication and attribute collection across large enterprise networks. Cisco ISE 2.3 supports up to 50 domain join points.
Supported Anti-Virus and Anti-Malware Products
For more information on the products supported by the ISE posture agent, see the Cisco AnyConnect ISE Posture Support Charts in the following link:
Cisco ISE 2.3 supports TLS versions 1.0, 1.1, and 1.2. Cisco ISE supports RSA and ECDSA server certificates. Cisco ISE supports the following elliptic curves:
secp256r1
secp384r1
secp521r1
The following table lists the supported Cipher Suites for Cisco ISE 2.3. The second column covers Cisco ISE as EAP server and as RADIUS DTLS server; the third column covers Cisco ISE as a client (download CRL from HTTPS, download CRL from LDAPS, secure TCP syslog client, secure LDAP client, and RADIUS DTLS client for CoA).
Table 2 Supported Cipher Suites
| Cipher suite | EAP server / RADIUS DTLS server | Download CRL from HTTPS / Download CRL from LDAPS / Secure TCP syslog client / Secure LDAP client / RADIUS DTLS client for CoA |
| TLS 1.0 support | When TLS 1.0 is allowed (DTLS server supports only DTLS 1.2) | When TLS 1.0 is allowed (DTLS client supports only DTLS 1.2) |
| TLS 1.1 support | When TLS 1.1 is allowed | When TLS 1.1 is allowed |
| ECC DSA ciphers | | |
| ECDHE-ECDSA-AES256-GCM-SHA384 | Yes | Yes |
| ECDHE-ECDSA-AES128-GCM-SHA256 | Yes | Yes |
| ECDHE-ECDSA-AES256-SHA384 | Yes | Yes |
| ECDHE-ECDSA-AES128-SHA256 | Yes | Yes |
| ECDHE-ECDSA-AES256-SHA | When SHA-1 is allowed | When SHA-1 is allowed |
| ECDHE-ECDSA-AES128-SHA | When SHA-1 is allowed | When SHA-1 is allowed |
| ECC RSA ciphers | | |
| ECDHE-RSA-AES256-GCM-SHA384 | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed |
| ECDHE-RSA-AES128-GCM-SHA256 | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed |
| ECDHE-RSA-AES256-SHA384 | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed |
| ECDHE-RSA-AES128-SHA256 | When ECDHE-RSA is allowed | When ECDHE-RSA is allowed |
| ECDHE-RSA-AES256-SHA | When ECDHE-RSA/SHA-1 is allowed | When ECDHE-RSA/SHA-1 is allowed |
| ECDHE-RSA-AES128-SHA | When ECDHE-RSA/SHA-1 is allowed | When ECDHE-RSA/SHA-1 is allowed |
| DHE RSA ciphers | | |
| DHE-RSA-AES256-SHA256 | No | Yes |
| DHE-RSA-AES128-SHA256 | No | Yes |
| DHE-RSA-AES256-SHA | No | When SHA-1 is allowed |
| DHE-RSA-AES128-SHA | No | When SHA-1 is allowed |
| RSA ciphers | | |
| AES256-SHA256 | Yes | Yes |
| AES128-SHA256 | Yes | Yes |
| AES256-SHA | When SHA-1 is allowed | When SHA-1 is allowed |
| AES128-SHA | When SHA-1 is allowed | When SHA-1 is allowed |
| 3DES ciphers | | |
| DES-CBC3-SHA | When 3DES/SHA-1 is allowed | When 3DES/DSS and SHA-1 are enabled |
| DSS ciphers | | |
| DHE-DSS-AES256-SHA | No | When 3DES/DSS and SHA-1 are enabled |
| DHE-DSS-AES128-SHA | No | When 3DES/DSS and SHA-1 are enabled |
| EDH-DSS-DES-CBC3-SHA | No | When 3DES/DSS and SHA-1 are enabled |
| Weak RC4 ciphers | | |
| RC4-SHA | When the “Allow weak ciphers” option is enabled in the Allowed Protocols page and when SHA-1 is allowed | No |
| RC4-MD5 | When the “Allow weak ciphers” option is enabled in the Allowed Protocols page | No |
| EAP-FAST anonymous provisioning only | | |
| ADH-AES-128-SHA | Yes | No |
Note The Allow TLS 1.0 and Allow TLS 1.1 options are disabled by default in Cisco ISE 2.3 and above. See Security Settings Page Enhancements for the workflows they affect and for how to enable them.
Peer certificate restrictions:
Validate KeyUsage: Client certificate should have KeyUsage=Key Agreement and ExtendedKeyUsage=Client Authentication for the following ciphers: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384
Validate ExtendedKeyUsage: Client certificate should have KeyUsage=Key Encipherment and ExtendedKeyUsage=Client Authentication for the following ciphers: AES256-SHA256, AES128-SHA256, AES256-SHA, AES128-SHA, DHE-RSA-AES128-SHA, DHE-RSA-AES256-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA, ECDHE-RSA-AES128-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5
Server certificate should have ExtendedKeyUsage=Server Authentication.
Installing Cisco ISE Software
To install Cisco ISE, Release 2.3 software on Cisco SNS-3415, SNS-3495, SNS-3515, and SNS-3595 hardware platforms, turn on the new appliance and configure the Cisco Integrated Management Controller (CIMC). You can then install Cisco ISE, Release 2.3 over a network using CIMC or a bootable USB.
Note When using virtual machines (VMs), we recommend that the guest VMs have the correct time set using an NTP server before installing the ISO image or OVA file on the VMs.
Perform Cisco ISE initial configuration according to the instructions in the Cisco Identity Services Engine Hardware Installation Guide, Release 2.3. Before you run the setup program, ensure that you know the configuration parameters listed in Table 3.
Table 3 Cisco ISE Network Setup Configuration Parameters
| Prompt | Description | Example |
| Hostname | Must not exceed 19 characters. Valid characters include alphanumeric characters (A–Z, a–z, 0–9) and the hyphen (-). The first character must be a letter. | isebeta1 |
| (eth0) Ethernet interface address | Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface. | 10.12.13.14 |
| Netmask | Must be a valid IPv4 netmask. | 255.255.255.0 |
| Default gateway | Must be a valid IPv4 address for the default gateway. | 10.12.13.1 |
| DNS domain name | Cannot be an IP address. Valid characters include ASCII characters, any numerals, the hyphen (-), and the period (.). | mycompany.com |
| Primary name server | Must be a valid IPv4 address for the primary name server. | 10.15.20.25 |
| Add/Edit another name server | (Optional) Allows you to configure multiple name servers. Must be a valid IPv4 address for an additional name server. | Enter y to add an additional name server or n to configure the next parameter. |
| Primary NTP server | Must be a valid IPv4 address or hostname of a Network Time Protocol (NTP) server. | clock.nist.gov |
| Add/Edit another NTP server | (Optional) Allows you to configure multiple NTP servers. Must be a valid IPv4 address or hostname. | Enter y to add an additional NTP server or n to configure the next parameter. |
| System Time Zone | Must be a valid time zone. For details, see the Cisco Identity Services Engine CLI Reference Guide, Release 2.3, which provides a list of time zones that Cisco ISE supports. For example, for Pacific Standard Time (PST), the System Time Zone is PST8PDT (or UTC-8 hours). The time zones referenced are the most frequently used time zones. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones. | UTC (default) |
| Username | Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be three to eight characters in length and composed of valid alphanumeric characters (A–Z, a–z, or 0–9). | admin (default) |
| Password | Identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a–z), one uppercase letter (A–Z), and one numeral (0–9). | MyIseYPass2 |
Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This setting ensures that the reports, logs, and posture agent log files from the various nodes in the deployment are always synchronized with the time stamps.
Note For additional information on configuring and managing Cisco ISE, see Release-Specific Document.
Upgrading to Release 2.3
You can directly upgrade to Release 2.3 from the following Cisco ISE releases:
2.0
2.0.1
2.1
2.2
If you are on a version earlier than Cisco ISE, Release 2.0, you must first upgrade to one of the releases listed above and then upgrade to Release 2.3.
You can upgrade to Release 2.3 from the GUI or the CLI.
Note If you have installed a hot patch, roll back the hot patch before applying an upgrade patch.
Supported Operating System for Virtual Machines
Release 2.3 supports Red Hat Enterprise Linux (RHEL) 7.0.
If you are upgrading Cisco ISE nodes on VMware virtual machines, after you upgrade, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change.
Upgrade Considerations and Requirements
New Policy Model
All network access policies and policy sets, including authentication, authorization, and exceptions, have now been consolidated under the improved Policy Sets area, which can be accessed from Policy > Policy Sets. Each policy set is a container defined at the top level of the policy hierarchy, under which all relevant Authentication and Authorization policy and policy exception rules for that set are configured.
Multiple rules can be defined for both authentication and authorization, all based on conditions. Conditions and additional related configurations can now also be easily accessed and reused directly from the new Policy Set interface. The order in which the policy sets are matched is determined by the order in which they appear in the new interface: matching begins at the first row of the Policy Set table and continues until a match is found. If no match is found, the system default policy set is used. The same logic is used to match and select the correct authentication and then the correct authorization rules, beginning from the top of each table and checking each rule until a match is found. The default rule is used if no other rule is matched.
The new policy model represents all policies that could also have been added in previous versions by using the old user interface, but offers a much simpler and improved interface from which you can logically manage network access.
Standalone Authentication and Authorization Policy Changes
The standalone authentication rules from ISE 2.2 and earlier releases are converted to the new policy model. There are two separate scenarios, based on the allowed protocols that are assigned to the authentication rules.
1. If all the “outer parts” in the system are assigned the same allowed protocol, including the default part, then all original authentication rules are converted to ISE 2.3 as follows:
All the “outer parts” are converted to a single policy set in the new policy model. The new policy set is called Default; on the Policy Set level, no conditions are defined and the uniform Allowed Protocol is assigned. All inner parts are converted to rules as part of the authentication policy within the new Default policy set.
The following table demonstrates the conversion for an old set of standalone authentication rules that use the same allowed protocol (Scenario 1). In the table, each line is in the following format:
Name (Condition/Results)
For example, for Authentication outer part 1 (Outer Condition/Allowed Protocol A):
– Name—Authentication outer part 1
– Condition—Outer Condition
– Results—Allowed Protocol A
Table 4 Standalone Authentication Policies Using Same Allowed Protocol
Before Cisco ISE 2.3 - Default Authentication:
  Authentication outer part 1 (Outer Condition 1/Allowed Protocol A)
    Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
    Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
    Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
    Authentication inner 1 Default (No conditions/Identity Store B)
  Authentication outer part 2 (Outer Condition 2/Allowed Protocol A)
    Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
    Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
    Authentication inner part 2.3 (Inner Condition 2.3/Identity Store A)
    Authentication inner 2 Default (No conditions/Identity Store B)
  Authentication outer part 3 (Outer Condition 3/Allowed Protocol A)
    Authentication inner 3 Default (No conditions/Identity Store B)
  Default Authentication Outer Part (No conditions/Allowed Protocol A/Default Identity Store)
  Exception 1
  Authorization Rule 1
  Authorization Rule 2
After Upgrade to Cisco ISE 2.3 - Policy Sets:
  Default (No conditions/Allowed Protocol A)
    Authentication Policy (container)
      Authentication outer part 1 - Authentication inner part 1.1 (Outer Condition 1 + Inner Condition 1.1/Identity Store A)
      Authentication outer part 1 - Authentication inner part 1.2 (Outer Condition 1 + Inner Condition 1.2/Identity Store A)
      Authentication outer part 1 - Authentication inner part 1.3 (Outer Condition 1 + Inner Condition 1.3/Identity Store A)
      Authentication outer part 1 - Authentication inner 1 Default (Outer Condition 1/Identity Store B)
      Authentication outer part 2 - Authentication inner part 2.1 (Outer Condition 2 + Inner Condition 2.1/Identity Store A)
      Authentication outer part 2 - Authentication inner part 2.2 (Outer Condition 2 + Inner Condition 2.2/Identity Store A)
      Authentication outer part 2 - Authentication inner part 2.3 (Outer Condition 2 + Inner Condition 2.3/Identity Store A)
      Authentication outer part 2 - Authentication inner 2 Default (Outer Condition 2/Identity Store B)
      Authentication outer part 3 - Authentication inner 3 Default (Outer Condition 3/Identity Store B)
      Default Authentication Outer Part (No conditions/Default Identity Store)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
2. If at least one of the “outer parts” in the system, including the default part, is assigned a different allowed protocol from the others, then all original authentication rules are converted to Cisco ISE 2.3 as follows:
Each “outer part” is converted to a separate policy set in the new policy model. Each new policy set is named after the original outer part from which it was created. At the policy set level, the original outer part conditions and its Allowed Protocol are assigned. All inner parts of each outer part are converted one-to-one to authentication rules within the authentication policy of their new policy set.
The following table demonstrates the conversion for an old set of standalone authentication rules that use different allowed protocols (Scenario -2). In the table, each line is in the following format:
Name (Condition/Results)
For example for Authentication outer part 1 (Outer Condition/Allowed Protocol A):
– Name—Authentication outer part 1
– Condition—Outer Condition
– Results—Allowed Protocol A
Table 5 Standalone Authentication Policies Using Different Allowed Protocols

Before Cisco ISE 2.3 - Default Authentication:
  Authentication outer part 1 (Outer Condition 1/Allowed Protocol A)
    Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
    Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
    Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
    Authentication inner 1 Default (No conditions/Identity Store B)
  Authentication outer part 2 (Outer Condition 2/Allowed Protocol B)
    Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
    Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
    Authentication inner part 2.3 (Inner Condition 2.3/Identity Store A)
    Authentication inner 2 Default (No conditions/Identity Store B)
  Authentication outer part 3 (Outer Condition 3/Allowed Protocol C)
    Authentication inner 3 Default (No conditions/Identity Store B)
  Default Authentication Outer Part (No conditions/Allowed Protocol A/Identity Store C)
  Exception 1
  Authorization Rule 1
  Authorization Rule 2

After Upgrade to Cisco ISE 2.3 - Policy Sets:
  Default Authentication outer part 1 (Outer condition 1/Allowed Protocol A)
    Authentication Policy (container)
      Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
      Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
      Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
      Authentication inner 1 Default (No conditions/Identity Store B)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
  Default Authentication outer part 2 (Outer Condition 2/Allowed Protocol B)
    Authentication Policy (container)
      Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
      Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
      Authentication inner part 2.3 (Inner Condition 2.3/Identity Store A)
      Authentication inner 2 Default (No conditions/Identity Store B)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
  Default Authentication outer part 3 (Outer Condition 3/Allowed Protocol C)
    Authentication Policy (container)
      Authentication inner 3 Default (No conditions/Identity Store B)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
  Default (No conditions/Allowed Protocol A)
    Authentication Policy (container)
      Default Authentication Rule (No conditions/Identity Store C)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
Policy Set Changes
When you upgrade to ISE 2.3 from an earlier version, the converted policy sets look different from those in older ISE versions, as described here, but their behavior remains exactly the same.
The policy sets from ISE 2.2 and earlier are converted to the new policy model. There are two separate scenarios, depending on the allowed protocols assigned to the authentication rules.
1. If all the “outer parts” in a single policy set are assigned the same allowed protocol, all original policy sets are converted to ISE 2.3 as follows:
All the “outer parts” are converted to a single policy set in the new policy model. The new policy set will have the same name as that of the original policy set. For example, if the policy set was named “All Employees” in the old model, it will be called “All Employees” in the new model as well.
The following table demonstrates the conversion for an old policy set that contains authentication rules which use the same allowed protocol (Scenario -1). In the table, each line is in the following format:
Name (Condition/Results)
For example for Authentication outer part 1 (Outer Condition/Allowed Protocol A):
– Name—Authentication outer part 1
– Condition—Outer Condition
– Results—Allowed Protocol A
Table 6 Conversion of Policy Sets Using Same Allowed Protocol

Old policy set from Cisco ISE 2.2 or earlier:
  Policy Set A (Condition A/No results)
    Authentication outer part 1 (Outer Condition 1/Allowed Protocol A)
      Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
      Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
      Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
      Authentication inner 1 Default (No conditions/Identity Store B)
    Authentication outer part 2 (Outer Condition 2/Allowed Protocol A)
      Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
      Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
      Authentication inner part 2.3 (Inner Condition 2.3/Identity Store A)
      Authentication inner 2 Default (No conditions/Identity Store B)
    Authentication outer part 3 (Outer Condition 3/Allowed Protocol A)
      Authentication inner 3 Default (No conditions/Identity Store B)
    Default Authentication Outer Part (No conditions/Allowed Protocol A/Identity Store C)
    Exception 1
    Authorization Rule 1
    Authorization Rule 2

New policy sets after upgrade to Cisco ISE 2.3:
  Policy Set A (Condition A/Allowed Protocol A)
    Authentication Policy (container)
      Authentication outer part 1 - Authentication inner part 1.1 (Outer Condition 1 + Inner Condition 1.1/Identity Store A)
      Authentication outer part 1 - Authentication inner part 1.2 (Outer Condition 1 + Inner Condition 1.2/Identity Store A)
      Authentication outer part 1 - Authentication inner part 1.3 (Outer Condition 1 + Inner Condition 1.3/Identity Store A)
      Authentication outer part 1 - Authentication inner 1 Default (Outer Condition 1/Identity Store B)
      Authentication outer part 2 - Authentication inner part 2.1 (Outer Condition 2 + Inner Condition 2.1/Identity Store A)
      Authentication outer part 2 - Authentication inner part 2.2 (Outer Condition 2 + Inner Condition 2.2/Identity Store A)
      Authentication outer part 2 - Authentication inner part 2.3 (Outer Condition 2 + Inner Condition 2.3/Identity Store A)
      Authentication outer part 2 - Authentication inner 2 Default (Outer Condition 2/Identity Store B)
      Authentication outer part 3 - Authentication inner 3 Default (Outer Condition 3/Identity Store B)
      Default Authentication Outer Part (No conditions/Identity Store C)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
The upgraded policy set contains authentication rules that are created by combining the outer and inner conditions of the original policy set. Each converted authentication rule is named after the old outer part, with the name of the inner part appended as a suffix. For example, as in the table above, if the old policy set is called "Policy Set A", one of its authentication "outer parts" is called Outer Part 1, and one of that outer part's "inner parts" is called Inner Part 1, then the new authentication rule within Policy Set A is called "Outer Part 1 - Inner Part 1". In the same way, if the old policy set is called "All Employees", one of its outer parts is called London, and one of its inner parts is called Wired MAB, then the new authentication rule within the "All Employees" policy set is called "London - Wired MAB". The Default outer part of the authentication policy is converted to the default authentication rule. The system default rule appears as the last rule in the authentication table, regardless of the other rules that were created or converted, and it cannot be moved or deleted.
The conditions defined on the outer part (used to match the authentication rule) are combined with the conditions of the inner part (which selects the identity store used for authentication), and the combined condition is configured on a single authentication rule within the policy set in the new model. One rule is created for each inner part of each outer part of the old policy set.
2. When the “outer parts” in a policy set use two or more different allowed protocols, all original policy sets are converted to ISE 2.3 as follows:
Each “outer part” of the authentication policy within the old policy set is converted to a new, separate policy set. The conditions of the old policy set are combined with the conditions of that outer part and placed at the policy set level of the new set, together with the outer part's allowed protocol; the inner parts of that outer part become the rules under the Authentication Policy section of the new policy set.
The following table demonstrates the conversion of an old policy set from ISE 2.2 or earlier to ISE 2.3 (Scenario - 2). Note that the outer parts use three different allowed protocols (A, B, and C), which is what triggers this scenario:

Old policy set from Cisco ISE 2.2 or earlier:
  Policy Set A (Condition A/No results)
    Authentication outer part 1 (Outer Condition 1/Allowed Protocol A)
      Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
      Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
      Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
      Authentication inner 1 Default (No conditions/Identity Store B)
    Authentication outer part 2 (Outer Condition 2/Allowed Protocol B)
      Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
      Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
      Authentication inner 2 Default (No conditions/Identity Store B)
    Authentication outer part 3 (Outer Condition 3/Allowed Protocol C)
      Authentication inner 3 Default (No conditions/Identity Store B)
    Default Authentication Outer Part (No conditions/Allowed Protocol A/Identity Store C)
    Exception 1
    Authorization Rule 1
    Authorization Rule 2

New policy sets after upgrade to Cisco ISE 2.3:
  Policy Set A - Authentication outer part 1 (Condition A + Outer condition 1/Allowed Protocol A)
    Authentication Policy (container)
      Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
      Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
      Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
      Authentication inner 1 Default (No conditions/Identity Store B)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
  Policy Set A - Authentication outer part 2 (Condition A + Outer condition 2/Allowed Protocol B)
    Authentication Policy (container)
      Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
      Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
      Authentication inner 2 Default (No conditions/Identity Store B)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
  Policy Set A - Authentication outer part 3 (Condition A + Outer Condition 3/Allowed Protocol C)
    Authentication Policy (container)
      Authentication inner 3 Default (No conditions/Identity Store B)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
  Policy Set A - Default (Condition A/Allowed Protocol A)
    Authentication Policy (container)
      Default Authentication Rule (No conditions/Identity Store C)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
Each new policy set that is created during conversion is named based on the name of the old policy set from which it was extracted with the suffix including the outer part name. For example, as in the table above, if the old policy set is called “Policy Set A” and one of its authentication “outer parts” is called Outer Part 1, then the newly created policy set is called “Policy Set A – Outer Part 1.” In the same manner, if the old policy set is called “London” and one of its authentication “outer parts” is called Wired MAB, then the newly created policy set is called “London – Wired MAB.”
The Default outer part for each old policy set is also converted to a new policy set just as are all the other outer parts, for example “London – Default”. The system default policy set appears as the last policy set in the entire table, regardless of the other policy sets that were created or converted, and cannot be moved or deleted.
The conditions defined on the top level of the old policy set are combined with the outer authentication part conditions, designed to select the correct allowed protocol. The new combined conditions are configured in the top level rule for each new policy set in the new model. A new individual policy set is created for each outer part of each old policy set.
Authorization Rule/Exception Changes
Authorization rules, as well as global and local exceptions, are also maintained from within the policy sets now. All authorization rules and exceptions within the old policy set are applied to all of the new policy sets resulting from the authentication policy rule conversion as well. The authorization policy changes are applicable for all the policy sets that are upgraded, regardless of the allowed protocols configured on the outer parts.
Policy Sets Evaluation
The policy sets in the new interface are evaluated for a match in the order in which they appear in the Policy Set table. For example, if the old “London” policy set had three outer parts that were split into separate policy sets (the scenario in which the outer parts use different allowed protocols), and the old “New York” policy set contained only the Default outer part, then the new Policy Set table lists the converted policy sets and the system default policy set in the following order:
Policy Set Name
  London - Wired MAB
  London - Wireless MAB
  London - Default
  New York - Default
  Default
If the first two sets do not match, the system checks “London - Default”. If “London - Default” does not match, the system checks “New York - Default”. The system falls back to “Default” only if “New York - Default” also does not match.
The same logic is used to match and select the correct authentication and then the correct authorization rules, beginning from the top of each table and checking each rule until a match is found. The default rule is used, if no other rule is matched.
Status of the Newly Converted Policy Sets
While converting policy sets that use different Allowed Protocols for the authentication rules, the statuses of the newly converted policy sets are determined based on the status of old policy sets and the status of the “outer part” of the old policy sets, as follows:
Status of old policy set    Status of "outer part" of old policy set    Status of new policy set
Disable                     Disable                                     Disable
Disable                     Monitor                                     Disable
Disable                     Enable                                      Disable
Monitor                     Disable                                     Disable
Monitor                     Monitor                                     Monitor
Monitor                     Enable                                      Monitor
Enable                      Disable                                     Disable
Enable                      Monitor                                     Monitor
Enable                      Enable                                      Enable
In every row the new policy set receives the weaker of the two statuses (Disable is weaker than Monitor, which is weaker than Enable), so a converted policy set is never more active than either the old policy set or the outer part it was derived from.
Status of the Newly Converted Authentication Rules
While converting policy sets that use the same Allowed Protocols for the authentication rules, the status of each newly converted authentication rule is determined from the status of the "outer part" of the old authentication rule and the status of the corresponding "inner part", as follows:
Status of "outer part" of old rule    Status of corresponding "inner part"    Status of converted authentication rule
Disable                               Disable                                 Disable
Disable                               Monitor                                 Disable
Disable                               Enable                                  Disable
Monitor                               Disable                                 Disable
Monitor                               Monitor                                 Monitor
Monitor                               Enable                                  Monitor
Enable                                Disable                                 Disable
Enable                                Monitor                                 Monitor
Enable                                Enable                                  Enable
As with policy sets, the converted rule receives the weaker of the two statuses, so a rule is never more active after conversion than either of the parts it came from.
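The conversion rules in Policy Set Changes (scenario 1 and scenario 2), the first-match evaluation order in Policy Sets Evaluation, and the two status tables above can be modelled in a few dozen lines. The following Python is an added example, not Cisco code and not an ISE API: the condition encoding (a condition is the set of attributes it requires, so combining conditions is a set union and "No conditions" is the empty set), the class names, and the sample "London" policy set are all constructed for illustration.

```python
# Added example, not Cisco's code: a model of the ISE 2.3 conversion rules
# described above (Policy Set Changes scenarios 1 and 2, the policy-set
# evaluation order and the two status tables). The condition encoding, the
# class names and the sample "London" policy set are constructed for
# illustration; ISE exposes none of this as an API.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

Cond = FrozenSet[str]     # a condition is the set of attributes it requires
ANY: Cond = frozenset()   # "No conditions": matches every request
STATUS_RANK = {"Disable": 0, "Monitor": 1, "Enable": 2}

def merge_status(a: str, b: str) -> str:
    """Both status tables collapse to one rule: the weaker status wins."""
    return min(a, b, key=STATUS_RANK.__getitem__)

@dataclass
class Inner:              # old inner part: condition -> identity store
    name: str
    condition: Cond
    identity_store: str
    status: str = "Enable"

@dataclass
class Outer:              # old outer part: condition -> allowed protocol
    name: str
    condition: Cond
    allowed_protocol: str
    inners: List[Inner]
    status: str = "Enable"

@dataclass
class OldPolicySet:
    name: str
    condition: Cond
    outers: List[Outer]
    authz_rules: List[str]
    status: str = "Enable"

@dataclass
class AuthRule:
    name: str
    condition: Cond
    identity_store: str
    status: str

@dataclass
class NewPolicySet:
    name: str
    condition: Cond
    allowed_protocol: str
    auth_rules: List[AuthRule]
    authz_rules: List[str]
    status: str

def convert(old: OldPolicySet) -> List[NewPolicySet]:
    """Scenario 1 if every outer part uses one allowed protocol, else scenario 2."""
    if len({o.allowed_protocol for o in old.outers}) == 1:
        # Scenario 1: one policy set keeps the old name and protocol; each
        # outer/inner pair becomes one rule "<outer> - <inner>" whose condition
        # is outer AND inner. The default outer part becomes the default rule.
        rules = [AuthRule(f"{o.name} - {i.name}" if o.condition else o.name,
                          o.condition | i.condition, i.identity_store,
                          merge_status(o.status, i.status))
                 for o in old.outers for i in o.inners]
        return [NewPolicySet(old.name, old.condition, old.outers[0].allowed_protocol,
                             rules, list(old.authz_rules), old.status)]
    # Scenario 2: one policy set per outer part, named "<set> - <outer>", with
    # set-level and outer conditions ANDed at the policy-set level; inner parts
    # become rules one-to-one, authorization rules are copied into every new
    # set, and the status is merged from the old set and the outer part.
    return [NewPolicySet(f"{old.name} - {o.name}", old.condition | o.condition,
                         o.allowed_protocol,
                         [AuthRule(i.name, i.condition, i.identity_store, i.status)
                          for i in o.inners],
                         list(old.authz_rules), merge_status(old.status, o.status))
            for o in old.outers]

def select_policy_set(sets: List[NewPolicySet], request: Cond) -> Optional[NewPolicySet]:
    """First match, top to bottom, as in the Policy Set table. Disabled sets are
    skipped (assumption: Monitor sets still match). Keep the system Default
    set, which has no conditions, last so that it is the fallback."""
    for ps in sets:
        if ps.status != "Disable" and ps.condition <= request:
            return ps
    return None

# Constructed sample: the "London" set from the evaluation example above, with
# outer parts on different allowed protocols so that scenario 2 applies.
LONDON = OldPolicySet(
    "London", frozenset({"Location=London"}),
    [Outer("Wired MAB", frozenset({"Wired_MAB"}), "Default Network Access",
           [Inner("Known endpoints", frozenset({"EndPoint=Known"}), "Internal Endpoints"),
            Inner("Default", ANY, "Internal Endpoints")]),
     Outer("Wireless MAB", frozenset({"Wireless_MAB"}), "MAB Only",
           [Inner("Default", ANY, "Internal Endpoints")], status="Monitor"),
     Outer("Default", ANY, "Default Network Access",
           [Inner("Default", ANY, "All_User_ID_Stores")])],
    ["Employees", "Guests"])
```

Running convert(LONDON) yields the three sets "London - Wired MAB", "London - Wireless MAB" and "London - Default" in that order, with the second one in Monitor status because its outer part was Monitor; feeding a set whose outer parts all share one protocol takes the scenario 1 branch and produces a single set with "<outer> - <inner>" rules instead.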
Prepare for Upgrade
Before you start the upgrade process, ensure that you perform the following tasks:
Change VMware virtual machine guest operating system and settings
Open firewall ports for communication
Back up configuration and operational data
Back up system logs
Check the validity of certificates
Export certificates and private keys
Disable PAN automatic failover and backup schedules before upgrade
NTP server should be configured correctly and be reachable
Record profiler configuration
Obtain Active Directory and internal administrator account credentials
You can directly migrate to Cisco ISE, Release 2.3 only from Cisco Secure ACS, Release 4.2 and 5.5 or later. See Cisco Identity Services Engine Migration Tool Guide for more information.
You cannot migrate to Release 2.3 from Cisco Secure ACS 5.1, 5.2, 5.3, 5.4, 4.1, or earlier versions, or from Cisco Network Admission Control (NAC) Appliance. From Cisco Secure ACS, Releases 4.1, 5.1, 5.2, 5.3, or 5.4, you must upgrade to a supported version, and then migrate to Cisco ISE, Release 2.3.
Note If you are installing Cisco ISE, Release 2.3 on Cisco SNS-3500 series appliances with ACS PIDs (Cisco SNS-3515-ACS-K9 and Cisco SNS-3595-ACS-K9), you must update the BIOS and CIMC firmware on the hardware appliance before you install Cisco ISE, Release 2.3. Refer to the Cisco Identity Services Engine Hardware Installation Guide for information on how to update the BIOS and CIMC firmware.
Known Limitations
SXP Protocol Security Standards
The SXP protocol transfers data unencrypted and uses a weak hash algorithm for message integrity checking, per draft-smith-kandula-sxp-06. Treat the SXP peering path as a trusted network: restrict peering to known addresses and, where SXP must cross an untrusted network, protect it with a separate encrypted transport such as IPsec.
Radius Logging
Starting with ISE version 2.3, RADIUS logs are kept for only 7 days.
Profiler RADIUS Probe
When the RADIUS probe is disabled, endpoints are not profiled but are only authenticated and added to the database.
High Memory Utilization
Cisco ISE Version 1.3 and later use RHEL, version 6. You may experience high memory utilization after installing or upgrading to Cisco ISE Version 1.3 or later. Because of the way kernels manage cache memory, Cisco ISE might use more memory, which may trigger high memory usage (80 to 90%) and alarms. If the memory usage is consistently above 90% or if there is any performance impact, you can contact Cisco TAC for troubleshooting.
Diffie-Hellman Minimum Key Length
Connection to LDAP server will fail if the Diffie-Hellman minimum key length configured on the LDAP server is less than 1024.
Policy Hits Displayed in Policy Sets
The total hits counter displayed at the top of a policy set is updated whenever Cisco ISE receives an interim accounting update. The hit counters of the individual authentication and authorization rules, however, are not refreshed on interim accounting updates. You might therefore see a difference between the total hits shown in the policy set summary and the sum of the hit counts shown in the Authentication Policy and Authorization Policy sections.
ECDSA Certificates
ECDSA certificates that are used for EAP authentication are supported only for the endpoints with Android version 6.x and later.
Cisco ISE supports ECDSA certificates with key length 256 and 384 only. You can select the key length in Administration > System > Certificates > Certificate Management > System Certificates page.
Cisco Temporal Agent
We recommend that you run the Cisco Temporal Agent within two minutes of downloading the agent from the Client Provisioning Portal, if not, you might encounter the “Posture Failed Due to Server Issues” error message.
Reverse DNS Lookup Configuration
Configure reverse DNS lookup (PTR records) for all Cisco ISE nodes in your distributed deployment on your DNS servers. Otherwise, you may run into deployment-related issues after the upgrade: the “ISE Indexing Engine” status turns to “not running”, and the secondary PAN cannot join the primary PAN to form the ISE Indexing Engine cluster (an error is displayed on the VCS pages).
If reverse DNS is missing, the ise-elasticsearch.log file on the secondary PAN contains the SSL exception “No subject alternative name present”.
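A quick way to verify this requirement before upgrading is to resolve every node's FQDN and confirm that each resulting address has a PTR record pointing back at that FQDN. The following Python is an added example, not Cisco code: the lookups use the standard-library socket resolver, and the zone data at the bottom is constructed (hypothetical names and addresses) so that the check can be exercised offline.

```python
# Added example, not Cisco's code: a pre-upgrade check for the reverse DNS
# requirement above. For every node FQDN it resolves the forward records and
# then checks that each address's PTR record points back at the same FQDN.
# The lookups use the standard-library socket functions; the fake zone data
# at the bottom is constructed so that the check can run offline.
import socket
from typing import Callable, Dict, Iterable, List

def system_forward(fqdn: str) -> List[str]:
    """A/AAAA lookup via the system resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None)})

def system_reverse(ip: str) -> str:
    """PTR lookup via the system resolver."""
    return socket.gethostbyaddr(ip)[0]

def check_reverse_dns(nodes: Iterable[str],
                      forward: Callable[[str], List[str]] = system_forward,
                      reverse: Callable[[str], str] = system_reverse) -> Dict[str, str]:
    """Return {fqdn: "ok" or a reason}. A node passes only if it has at least
    one address and every address's PTR name equals the FQDN (case-insensitive,
    trailing dot ignored)."""
    results: Dict[str, str] = {}
    for fqdn in nodes:
        try:
            addrs = forward(fqdn)
        except OSError as exc:          # socket.gaierror is an OSError
            results[fqdn] = f"forward lookup failed: {exc}"
            continue
        if not addrs:
            results[fqdn] = "no A/AAAA record"
            continue
        problems = []
        for ip in addrs:
            try:
                ptr = reverse(ip)
            except OSError:             # socket.herror is an OSError
                problems.append(f"{ip}: no PTR record")
                continue
            if ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
                problems.append(f"{ip}: PTR is {ptr}")
        results[fqdn] = "ok" if not problems else "; ".join(problems)
    return results

# Constructed zone data standing in for the DNS server (hypothetical names).
FAKE_A = {"ise-pan1.example.com": ["10.0.0.11"],
          "ise-pan2.example.com": ["10.0.0.12"],
          "ise-psn1.example.com": ["10.0.0.21"]}
FAKE_PTR = {"10.0.0.11": "ise-pan1.example.com",
            "10.0.0.12": "ise-pan1.example.com"}   # stale PTR; 10.0.0.21 has none

def fake_forward(fqdn: str) -> List[str]:
    if fqdn not in FAKE_A:
        raise OSError("NXDOMAIN")
    return FAKE_A[fqdn]

def fake_reverse(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise OSError("NXDOMAIN")
    return FAKE_PTR[ip]

def demo() -> Dict[str, str]:
    """Run the check against the constructed zone; call check_reverse_dns with
    the default (system) resolvers to check a real deployment."""
    return check_reverse_dns(sorted(FAKE_A), fake_forward, fake_reverse)
```

In the constructed zone, ise-pan1 passes, ise-pan2 is flagged because its PTR still points at ise-pan1 (a typical leftover after re-addressing), and ise-psn1 is flagged because it has no PTR at all; the check compares names case-insensitively and ignores a trailing dot, so a PTR returned as an absolute name does not produce a false alarm.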
Alarm Message After Applying a Patch
After applying a patch, you may get an alarm, followed by a message that the patch application was successful. You can ignore the alarm.
Security Group Access Control List
In Cisco ISE, Release 2.3, patch 6, when you try to create a Security Group ACL (SGACL), the following error message is displayed:
Failed to create policy, CFS provision failed.
This happens because creating and updating egress matrix cells is not supported when multiple matrices are in use in Cisco ISE.
The following ERS(External RESTful Services) requests are also not supported in the Multiple Matrix mode:
/config/egressmatrixcell/*
/config/sgt/*
/config/sgacl/*
You should, therefore, uncheck the Allow Multiple SGACL check box in the TrustSec Matrix Settings (Work Centers > TrustSec > Settings > TrustSec Matrix Settings) window. This enables you to create an SGACL, and no error message is displayed.
EST Service Does Not Run in Cisco ISE 2.1
After a fresh installation of Cisco ISE 2.1, when you run the show application status ise command, the EST service might be shown as disabled. This issue occurs when the root certificate of the Cisco ISE internal CA is signed by an external CA and the external CA certificate is not present in your Trusted Certificates store. Import the external CA certificate in to the Trusted Certificates store to bring up the EST service.
This issue is also seen after upgrade to Release 2.1, if the entire certificate chain of the internal ISE CA is not present. You must generate the Cisco ISE CA chain to bring up the EST service.
Features Not Supported in Cisco ISE, Release 2.3
IPN / iPEP configuration is not supported with Cisco ISE, Release 2.0 and later.
You cannot access the Operations menu from the primary Monitoring node in Cisco ISE, Release 2.1 and later; it appears only in the Primary Administration Node (PAN).
Cisco ISE License Information
Cisco ISE licensing provides the ability to manage the application features and access, such as the number of concurrent endpoints that can use Cisco ISE network resources.
All Cisco ISE appliances are supplied with a 90-day Evaluation license. To continue to use Cisco ISE services after the 90-day Evaluation license expires, and to support more than 100 concurrent endpoints on the network, you must obtain and register Base licenses for the number of concurrent users on your system. If you require additional functionality, you will need Plus and/or Apex licenses to enable that functionality.
Cisco ISE, Release 2.3, supports licenses with two UIDs. You can obtain a license based on the UIDs of both the primary and secondary Administration nodes.
For more detailed information on license types and obtaining licenses for Cisco ISE, see the “Cisco ISE Licenses” chapter in the Cisco Identity Services Engine Administration Guide, Release 2.3.
Cisco ISE provides a scalable architecture that supports both standalone and distributed deployments.
Table 7 Cisco ISE Deployment Terminology

Service: A specific feature that a persona provides, such as network access, profiler, posture, security group access, and monitoring.
Node: An individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and also as software that can be run on a VMware server. Each instance (either running on a Cisco ISE appliance or on a VMware server) that runs the Cisco ISE software is called a node.
Persona: Determines the services provided by a node. A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, Monitoring, and pxGrid.
Deployment Model: Determines whether your deployment is a standalone, high availability in standalone (a basic two-node deployment), or distributed deployment.
Types of Nodes and Personas
A Cisco ISE network has the following types of nodes:
Cisco ISE node, which can assume any of the following personas:
– Administration—Allows you to perform all administrative operations for Cisco ISE. It handles all system-related configurations related to functionality such as authentication, authorization, auditing, and so on. In a distributed environment, you can have one or a maximum of two nodes running the Administration persona and configured as a primary and secondary pair. If the primary Administration node goes down, you have to manually promote the secondary Administration node. There is no automatic failover for the Administration persona.
– Policy Service—Provides network access, posturing, BYOD device onboarding (native supplicant and certificate provisioning), guest access, and profiling services. This persona evaluates the policies and makes all the decisions. You can have more than one node assuming this persona. Typically, there is more than one Policy Service persona in a distributed deployment. All Policy Service personas that reside behind a load balancer can be grouped together to form a node group. If one of the nodes in a node group fails, the other nodes in that group process the requests of the node that has failed, thereby providing high availability.
Note SXP service must be enabled on a dedicated node.
– Monitoring—Enables Cisco ISE to function as a log collector and store log messages from all the Administration and Policy Service personas on the Cisco ISE nodes in your network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources.
A node with this persona aggregates and correlates the data that it collects to provide meaningful reports. Cisco ISE allows a maximum of two nodes with this persona that can assume primary or secondary roles for high availability. Both the primary and secondary Monitoring personas collect log messages. In case the primary Monitoring persona goes down, the secondary Monitoring persona automatically assumes the role of the primary Monitoring persona.
Note At least one node in your distributed setup should assume the Monitoring persona. It is recommended that the Monitoring persona be on a separate, designated node for higher performance in terms of data collection and reporting.
– pxGrid—Cisco pxGrid is a method for network and security devices to share data with other devices through a secure publish and subscribe mechanism. These services are applicable for applications that are used external to ISE and that interface with pxGrid. The pxGrid services can share contextual information across the network to identify the policies and to share common policy objects. This extends the policy management.
Table 8 Recommended Number of Nodes and Personas in a Distributed Deployment

Node / Persona    Minimum Number in a Deployment    Maximum Number in a Deployment
Administration    1                                 2 (configured as a high-availability pair)
Monitor           1                                 2 (configured as a high-availability pair)
Policy Service    1                                 2 when the Administration, Monitoring, and Policy Service personas are on the same primary/secondary appliances; 5 when the Administration and Monitoring personas are on the same appliance
Requirements for CA to Interoperate with Cisco ISE
While using a CA server with Cisco ISE, make sure that the following requirements are met:
Key size should be 1024, 2048, or higher. On the CA server, the key size is defined in the certificate template; on Cisco ISE, you define the key size in the supplicant profile. Although 1024-bit RSA keys are accepted, they are no longer considered strong enough for current use; use 2048 bits or larger for new templates.
Key usage should allow signing and encryption in extension.
When GetCACapabilities is queried through the SCEP protocol, the CA must report a supported cryptography algorithm and request hash. The recommended combination is RSA + SHA1. Note that SHA-1 is deprecated for certificate signatures by current standards and by most browsers, so confirm that your CA, your supplicants, and your security policy still accept it before relying on it.
Online Certificate Status Protocol (OCSP) is supported. This is not directly used in BYOD, but a CA which can act as an OCSP server can be used for certificate revocation.
Note EJBCA 4.x is not supported by Cisco ISE for proxy SCEP. EJBCA is supported by Cisco ISE for standard EAP authentication like PEAP, EAP-TLS, and so on.
If you use an enterprise PKI to issue certificates for Apple iOS devices, ensure that you configure key usage in the SCEP template and enable the “Key Encipherment” option. For example, if you use Microsoft CA, edit the Key Usage Extension in the certificate template. In the Encryption area, click the Allow key exchange only with key encryption (key encipherment) radio button and also check the Allow encryption of user data check box.
Cisco ISE supports the use of RSASSA-PSS algorithm for trusted certificates and endpoint certificates for EAP-TLS authentication. When you view the certificate, the signature algorithm is listed as 1.2.840.113549.1.1.10 instead of the algorithm name.
However, if you use the Cisco ISE internal CA for the BYOD flow, the Admin certificate should not be signed using the RSASSA-PSS algorithm (by an external CA). The Cisco ISE internal CA cannot verify an Admin certificate that is signed using this algorithm and the request would fail.
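The requirements above (key size, Key Usage allowing signing and encryption, the 256/384-bit ECDSA limit from the Known Limitations section, and the RSASSA-PSS caveat for the Admin certificate) can be checked from the text dump of a certificate before it is imported. The following Python is an added example, not Cisco code: it parses the output of "openssl x509 -noout -text" with regular expressions that assume the OpenSSL 1.1/3.x layout, and the two certificate dumps at the bottom are constructed, trimmed to the lines the parser reads.

```python
# Added example, not Cisco's code: checks the text dump produced by
# "openssl x509 -noout -text" against the CA requirements listed above
# (key size, Key Usage, the ECDSA key lengths ISE supports, and the
# RSASSA-PSS signature caveat for Admin certificates). The regexes assume the
# OpenSSL 1.1/3.x text layout; the two certificate dumps are constructed.
import re
import subprocess
from typing import Dict, List

# Either the dotted OID (as the ISE UI shows it) or OpenSSL's name for it.
RSASSA_PSS = {"1.2.840.113549.1.1.10", "rsassapss", "rsassa-pss"}

def parse_x509_text(text: str) -> Dict[str, object]:
    """Extract the fields the requirements refer to from an openssl dump."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    ku = re.search(r"X509v3 Key Usage:[^\n]*\n\s*([^\n]+)", text)
    return {
        "sig_alg": sig.group(1) if sig else "",
        "key_alg": alg.group(1) if alg else "",
        "key_bits": int(bits.group(1)) if bits else 0,
        "key_usage": {u.strip() for u in ku.group(1).split(",")} if ku else set(),
    }

def check_requirements(text: str, admin_cert_for_byod_internal_ca: bool = False) -> List[str]:
    """Return findings; an empty list means the certificate meets the requirements."""
    c = parse_x509_text(text)
    findings: List[str] = []
    required_usage = {"Digital Signature"}
    if c["key_alg"] == "rsaEncryption":
        required_usage.add("Key Encipherment")       # signing and encryption
        if c["key_bits"] < 1024:
            findings.append(f"RSA key {c['key_bits']} bits: below the 1024-bit minimum")
        elif c["key_bits"] < 2048:
            findings.append(f"RSA key {c['key_bits']} bits: accepted but weak, use 2048 or more")
    elif c["key_alg"] == "id-ecPublicKey":
        # EC keys do not do key encipherment (RFC 5480), so only signing is required.
        if c["key_bits"] not in (256, 384):
            findings.append(f"ECDSA key {c['key_bits']} bits: ISE supports 256 and 384 only")
    else:
        findings.append(f"unrecognised public key algorithm {c['key_alg']!r}")
    missing = required_usage - c["key_usage"]
    if missing:
        findings.append("Key Usage missing: " + ", ".join(sorted(missing)))
    if admin_cert_for_byod_internal_ca and c["sig_alg"].lower() in RSASSA_PSS:
        findings.append("Admin certificate signed with RSASSA-PSS: the internal CA cannot verify it")
    return findings

def check_file(path: str, **kwargs) -> List[str]:
    """Dump a PEM certificate with openssl (must be on PATH) and check it."""
    out = subprocess.run(["openssl", "x509", "-noout", "-text", "-in", path],
                         check=True, capture_output=True, text=True).stdout
    return check_requirements(out, **kwargs)

# Constructed dumps, trimmed to the lines the parser reads.
WEAK_RSA = """Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
"""

PSS_SIGNED_EC = """Certificate:
    Data:
        Signature Algorithm: rsassaPss
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Agreement
"""
```

The weak RSA dump produces two findings (a 1024-bit key and a Key Usage extension without Key Encipherment, which is exactly the SCEP template mistake described for Apple iOS devices); the EC dump passes as an endpoint certificate but is flagged when checked as an Admin certificate for the internal-CA BYOD flow, because its signature algorithm is RSASSA-PSS.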
Telemetry
After installation, when you log in to the Admin portal for the first time, the Cisco ISE Telemetry banner appears on screen. Using this feature, Cisco ISE securely collects non-sensitive information about your deployment, network access devices, profiler, and other services that you are using. The data that is collected will be used to provide better services and additional features in forthcoming releases. By default, the telemetry feature is enabled. You can choose to disable or modify the account information. To do this, choose Administration > Settings > Smart Call Home. Account information provided is unique to the deployment. Each admin user need not provide it separately.
Cisco ISE Installation Files, Updates, and Client Resources
There are three kinds of resources you can download to provision endpoints and provide policy services in Cisco ISE:
Cisco ISE Downloads from the Download Software Center
In addition to the .ISO installation package required for a fresh installation of Cisco ISE, as described in Installing Cisco ISE Software, you can use the Download Software web page to retrieve other Cisco ISE software elements, such as Windows and Mac OS X agent installers and AV/AS compliance modules.
Downloaded agent files may be used for manual installation on a supported endpoint or used with third-party software distribution packages for mass deployment.
To access the Cisco Download Software center and download the necessary software:
The following Cisco ISE installers and software packages are available for download:
Cisco ISE installer .ISO image
Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants
Windows client machine agent installation files (including MST and MSI versions for manual provisioning)
Mac OS X client machine agent installation files
AnyConnect agent installation files
AV/AS compliance modules
Step 3 Click Download or Add to Cart.
Cisco ISE Live Updates
Cisco ISE Live Update locations allow you to automatically download Supplicant Provisioning Wizard, Cisco NAC Agent for Windows and Mac OS X, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals should be configured in Cisco ISE upon initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the Cisco ISE appliance.
Prerequisite:
If the default Update Feed URL is not reachable and your network requires a proxy server, you must configure the proxy settings in Administration > System > Settings > Proxy before you access the Live Update locations. If proxy settings are enabled to allow access to the profiler and posture/client provisioning feeds, it will break access to the MDM server as Cisco ISE cannot bypass proxy services for MDM communication. To resolve this, you can configure the proxy service to allow communication to the MDM servers. For more information on proxy settings, see the “Specify Proxy Settings in Cisco ISE” section in the “Administer Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.3.
Client Provisioning and Posture Live Update portals:
The following software elements are available at this URL:
– Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants
– Windows versions of the latest Cisco ISE persistent and temporal agents
– Mac OS X versions of the latest Cisco ISE persistent agents
– ActiveX and Java Applet installer helpers
– AV/AS compliance module files
For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Download Client Provisioning Resources Automatically” section in the “Configure Client Provisioning” chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.3.
The following software elements are available at this URL:
– Cisco predefined checks and rules
– Windows and Mac OS X AV/AS support charts
– Cisco ISE operating system support
For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Download Posture Updates Automatically” section in the “Configure Client Posture Policies” chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.3.
If you do not want to enable the automatic download capabilities described above, you can choose to download updates offline (see Cisco ISE Offline Updates).
Cisco ISE Offline Updates
Cisco ISE offline updates allow you to manually download Supplicant Provisioning Wizard, agent, AV/AS support, compliance modules, and agent installer packages that support client provisioning and posture policy services. This option allows you to upload client provisioning and posture updates when direct Internet access to Cisco.com from a Cisco ISE appliance is not available or not permitted by a security policy.
Offline updates are also available for Profiler Feed Service. For more information, see the Configure Profiler Feed Services Offline section in the Cisco Identity Services Engine Administrator Guide.
webagent-<version>-isebundle.zip — Off-Line Web Agent Installation Package
Step 3 Click Download or Add to Cart.
For more information on adding the downloaded installation packages to Cisco ISE, refer to the “Add Client Provisioning Resources from a Local Machine” section in the “Configure Client Provisioning” chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.3.
You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Macintosh operating systems offline from an archive on your local system using posture updates.
For offline updates, you need to ensure that the versions of the archive files match the version in the configuration file. Use offline posture updates when you have configured Cisco ISE and want to enable dynamic updates for the posture policy service.
Save the posture-offline.zip file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Macintosh operating systems.
Step 2 Launch the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture.
Step 3 Click the arrow to view the settings for posture.
Step 4 Choose Updates.
The Posture Updates page appears.
Step 5 Choose the Offline option.
Step 6 Click Browse to locate the archive file (posture-offline.zip) from the local folder on your system.
Note The File to Update field is a required field. You can select only a single archive file (.zip) that contains the appropriate files. Archive files other than .zip (such as .tar and .gz) are not allowed.
Step 7 Click the Update Now button.
Using the Bug Search Tool
You can use the Bug Search Tool to view the list of outstanding and resolved bugs in a release. This section explains how to use the Bug Search Tool to search for a specific bug or to search for all the bugs in a specified release.
Step 2 Enter your registered Cisco.com username and password, and then click Log In.
The Bug Toolkit page opens.
Note If you do not have a Cisco.com username and password, you can register for them at http://tools.cisco.com/RPF/register/register.do.
Step 3 To search for a specific bug, enter the bug ID in the Search For field and press Enter.
Step 4 To search for bugs in the current release:
a. Click the Select from List link.
The Select Product page is displayed.
b. Choose Security > Access Control and Policy > Cisco Identity Services Engine (ISE) 3300 Series Appliances.
c. Click OK.
d. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs based on different criteria, such as status, severity, or modified date.
Click the Export Results to Excel link in the Search Results page to export all the bug details from your search to an Excel spreadsheet. Presently, up to 10,000 bugs can be exported at a time to the Excel spreadsheet.
Download and Install a New Patch
To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.3, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
For instructions on how to apply the patch to your system, refer to the “Installing a Software Patch” section of the “Administer Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.3.
For instructions to install a patch using the CLI, refer to the “Patch Install” section of the “Cisco ISE CLI Commands in EXEC Mode” chapter of the Cisco Identity Services Engine CLI Reference Guide, Release 2.3.
Cisco ISE, Release 2.3.0.298 Patch Updates
This section provides information on patches that were made available after the initial availability of the Cisco ISE 2.3 release. Patches are cumulative such that any patch version also includes all fixes delivered in the preceding patch versions. Cisco ISE version 2.3.0.298 was the initial version of the Cisco ISE 2.3 release. After installation of the patch, you can see the version information from Settings > About Identity Services Engine page in the Cisco ISE GUI and from the CLI in the following format “2.3.0.298 patch N”; where N is the patch number.
Note Within the bug database, issues resolved in a patch have a version number with different nomenclature in the format “2.3(0.9NN)”, where NN is also the patch number, displayed as two digits. For example, version “2.3.0.298 patch 1” corresponds to the following version in the bug database: “2.3(0.901)”.
Note We recommend you to clear your browser cache after you install a patch on Cisco ISE, Release 2.3.
The following patch releases apply to Cisco ISE release 2.3:
Resolved Caveats in Cisco ISE Version 2.3.0.298—Cumulative Patch 7
Table 9 lists the caveats that are resolved in Cisco Identity Services Engine, Release 2.3 cumulative patch 7. Patch 7 might not work with older versions of SPW. Mac users need to upgrade their SPW to MacOsXSPWizard 2.2.1.43 or later and Windows users need to upgrade their SPW to WinSPWizard 2.2.1.53 or later.
Table 9 Cisco ISE Patch Version 2.3.0.298 - Patch 7 Resolved Caveats
Authentication request is not sent to external RADIUS token server if communication between client and ISE is in IPv6 and between ISE and external radius token server is in IPv4
RSA or RADIUS Token user with a valid account and credentials gets a blank page when trying to log in to the ISE Admin portal if the account doesn't exist under Access > Administrators
Under heavy load, ISE live logs are unavailable or delayed
New Features in Cisco ISE Version 2.3.0.298—Cumulative Patch 6
Identity Caching in RSA SecurID Server
Identity caching allows requests to be processed without re-authenticating against the RSA SecurID server. You can enable the identity caching option and set the aging time in minutes. The default value is 120 minutes. The valid range is from 1 to 1440 minutes. The results obtained from the last successful authentication are available in the cache for the specified time period.
This option is disabled by default.
Resolved Caveats in Cisco ISE Version 2.3.0.298—Cumulative Patch 6
Table 10 lists the caveats that are resolved in Cisco Identity Services Engine, Release 2.3 cumulative patch 6. Patch 6 might not work with older versions of SPW. Mac users need to upgrade their SPW to MacOsXSPWizard 2.2.1.43 or later and Windows users need to upgrade their SPW to WinSPWizard 2.2.1.53 or later.
Table 10 Cisco ISE Patch Version 2.3.0.298-Patch 6 Resolved Caveats
pxGrid node name limit is too short for Cisco Firepower Management Center (FMC)
Resolved Caveats in Cisco ISE Version 2.3.0.298—Cumulative Patch 5
Table 12 lists the caveats that are resolved in Cisco Identity Services Engine, Release 2.3 cumulative patch 5. Patch 5 might not work with older versions of SPW. Mac users need to upgrade their SPW to MacOsXSPWizard 2.2.1.43 or later and Windows users need to upgrade their SPW to WinSPWizard 2.2.0.53 or later.
Table 12 Cisco ISE Patch Version 2.3.0.298-Patch 5 Resolved Caveats
Resolved Caveats in Cisco ISE Version 2.3.0.298—Cumulative Patch 4
Table 13 lists the caveats that are resolved in Cisco Identity Services Engine, Release 2.3 cumulative patch 4. Patch 4 might not work with older versions of SPW. Mac users need to upgrade their SPW to MacOsXSPWizard 2.1.0.42 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.51 or later.
Table 13 Cisco ISE Patch Version 2.3.0.298-Patch 4 Resolved Caveats
DNA-C Integration with ISE 2.4 fails as the old DNA-C client certificate is still present in the ISE certificate store
Resolved Caveats in Cisco ISE Version 2.3.0.298—Cumulative Patch 3
Table 14 lists the caveats that are resolved in Cisco Identity Services Engine, Release 2.3 cumulative patch 3. Patch 3 might not work with older versions of SPW. Mac users need to upgrade their SPW to MacOsXSPWizard 2.1.0.42 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.51 or later.
Table 14 Cisco ISE Patch Version 2.3.0.298-Patch 3 Resolved Caveats
Resolved Caveats in Cisco ISE Version 2.3.0.298—Cumulative Patch 2
Table 15 lists the caveats that are resolved in Cisco Identity Services Engine, Release 2.3 cumulative patch 2. Patch 2 might not work with older versions of SPW. Mac users need to upgrade their SPW to MacOsXSPWizard 2.1.0.42 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.51 or later.
Table 15 Cisco ISE Patch Version 2.3.0.298-Patch 2 Resolved Caveats
ISE fails to resolve ambiguity in Active Directory usernames, which randomly results in users with short usernames not getting authenticated or getting authenticated in the wrong domain.
The Identity Group is not displayed in the Context Visibility > Endpoints > Attributes page, when an endpoint is reauthenticated after manually updating the Identity Group.
ISE reboots and generates core files when trying to authenticate HP devices and Multi RADIUS keys.
New Features in Cisco ISE Version 2.3.0.298—Cumulative Patch 2
Active Directory Identity Search Attributes
Cisco ISE identifies users using the attributes SAM, CN, or both. Cisco ISE, Release 2.2 Patch 5 and above, and 2.3 Patch 2 and above, use the sAMAccountName attribute as the default attribute. In earlier releases, both SAM and CN attributes were searched by default. This behavior changed in Release 2.2 Patch 5 and above, and 2.3 Patch 2 and above, as part of the CSCvf21978 bug fix (see https://tools.cisco.com/bugsearch/bug/CSCvf21978 for details). In these releases, only the sAMAccountName attribute is used as the default attribute.
You can configure Cisco ISE to use SAM, CN, or both, if your environment requires it. When SAM and CN are used, and the value of the sAMAccountName attribute is not unique, Cisco ISE also compares the CN attribute value.
To configure Active Directory identity search attributes:
1. Choose Administration > Identity Management > External Identity Sources > Active Directory. In the Active Directory window, click Advanced Tools, and choose Advanced Tuning. Enter the following details:
ISE Node —Choose the ISE node that is connecting to Active Directory.
Name —Enter the registry key that you are changing. To change the AD search attributes, enter: REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\IdentityLookupField
Value —Enter the attributes that ISE uses to identify a user:
– SAM —To use only SAM in the query (this is the default option).
– CN —To use only CN in the query.
– SAMCN —To use CN and SAM in the query.
Comment —Describe what you are changing, for example: Changing the default behavior to SAM and CN
2. Click Update Value to update the registry.
A pop-up message appears. Read the message and accept the change. The AD connector service in ISE restarts.
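To make the effect of the three IdentityLookupField settings concrete, here is an added example (not Cisco ISE code) that applies the documented matching rule to a small constructed directory: SAM matches on sAMAccountName only, CN matches on CN only, and SAMCN falls back to comparing CN when the sAMAccountName match is not unique. The directory entries, domain names and the `find_user` and `Resolution` names are the example's own, and the UPN-style domain restriction is an approximation of how a qualified logon name removes the short-name ambiguity.

```python
"""Model of the three IdentityLookupField settings (SAM, CN, SAMCN) described
above, applied to a small constructed directory. This is an added example
that approximates the documented matching rule; it is not Cisco ISE code and
the directory entries are made up."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AdUser:
    domain: str            # DNS name of the AD domain the account lives in
    sam_account_name: str  # sAMAccountName (pre-Windows 2000 logon name)
    cn: str                # CN, the common name of the account object


@dataclass
class Resolution:
    status: str            # "unique", "ambiguous" or "not_found"
    matches: List[AdUser]


# Constructed sample forest: the short logon name "jdoe" exists in two domains
# (the ambiguity the patch 2 caveat describes), and "svc-print" has the same
# sAMAccountName in both domains but a distinguishing CN in one of them.
DIRECTORY = [
    AdUser("corp.example.com", "jdoe", "John Doe"),
    AdUser("lab.example.com", "jdoe", "Jane Doe"),
    AdUser("corp.example.com", "asmith", "Alice Smith"),
    AdUser("corp.example.com", "svc-print", "svc-print"),
    AdUser("lab.example.com", "svc-print", "Print Spooler Service"),
]


def _same(a: str, b: str) -> bool:
    """AD attribute matching is case-insensitive."""
    return a.casefold() == b.casefold()


def _resolution(matches: List[AdUser]) -> Resolution:
    if not matches:
        return Resolution("not_found", [])
    if len(matches) == 1:
        return Resolution("unique", matches)
    return Resolution("ambiguous", matches)


def find_user(identity: str, mode: str = "SAM",
              directory: Optional[List[AdUser]] = None) -> Resolution:
    """Resolve a logon identity using the configured lookup attributes.

    A UPN-style identity (user@domain) is restricted to that domain before
    the attribute comparison, which is how an otherwise ambiguous short name
    can still be resolved unambiguously.
    """
    mode = mode.upper()
    if mode not in ("SAM", "CN", "SAMCN"):
        raise ValueError("mode must be SAM, CN or SAMCN")
    entries = DIRECTORY if directory is None else directory

    name, _, domain = identity.partition("@")
    if domain:
        entries = [u for u in entries if _same(u.domain, domain)]

    if mode == "CN":
        return _resolution([u for u in entries if _same(u.cn, name)])

    by_sam = [u for u in entries if _same(u.sam_account_name, name)]
    if mode == "SAM" or len(by_sam) == 1:
        return _resolution(by_sam)

    # SAMCN: sAMAccountName was not unique (or not found), so compare CN too.
    if by_sam:
        narrowed = [u for u in by_sam if _same(u.cn, name)]
        return _resolution(narrowed or by_sam)
    return _resolution([u for u in entries if _same(u.cn, name)])


if __name__ == "__main__":
    for identity, mode in (("jdoe", "SAM"), ("jdoe@lab.example.com", "SAM"),
                           ("svc-print", "SAM"), ("svc-print", "SAMCN"),
                           ("John Doe", "CN")):
        r = find_user(identity, mode)
        print(f"{identity:22} {mode:5} -> {r.status:9} "
              f"{[u.domain for u in r.matches]}")
```

Running the sample shows why the default moved to SAM only: SAMCN widens the candidate set and can still leave a short name ambiguous, while a domain-qualified logon resolves to one account regardless of mode.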
AnyConnect Stealth Mode Notifications
Several new failure notifications are added for AnyConnect stealth mode deployment to help users identify issues with their wired, wireless, or VPN connections. Perform the following steps to enable or disable notifications in the Stealth Mode:
2. Click Add > NAC Agent or AnyConnect ISE Posture Profile.
3. In the Select a Category drop-down, choose AnyConnect.
4. In the Agent Behavior section, in the Enable Notifications in Stealth Mode, choose Enabled or Disabled.
Note AnyConnect version 4.5.0.3040 supports Stealth Mode notifications.
Support for Two Shared Secrets Per IP for RADIUS NAD Clients
You can specify two shared secrets (keys) to be used by the network device and Cisco ISE. You can configure the shared secrets in the RADIUS authentication settings section for a NAD in the Administration > Network Resources > Network Devices page in Cisco ISE.
Note Although TrustSec devices can take advantage of the dual shared secrets (keys), TrustSec CoA packets sent by Cisco ISE will always use the first shared secret (key). Therefore, the TrustSec policy push using CoA feature will not be supported if the network device uses the second shared secret (key).
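The dual-secret feature means the server side has to work out which of the two keys a NAD actually used. The following added example (not Cisco ISE code) shows the standard way to do that for an Access-Request: verify the Message-Authenticator attribute (HMAC-MD5 over the packet with the attribute value zeroed, as in RFC 2869) against each configured secret in turn, then build the Response Authenticator with the secret that matched. The secrets, NAS IP address, user name and the function names are constructed for the demonstration.

```python
"""Verifying which of two configured RADIUS shared secrets a NAD used.
Added example, not Cisco ISE code: a server that has two secrets for one
NAD IP can authenticate an Access-Request by checking its Message-
Authenticator (RFC 2869, HMAC-MD5 over the packet with the attribute value
zeroed) against each secret in turn. The packets, secrets and addresses
below are constructed for the demonstration."""

import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return bytes((attr_type, 2 + len(value))) + value


def build_access_request(identifier: int, request_auth: bytes, secret: bytes,
                         username: str, nas_ip: str) -> bytes:
    """Build an Access-Request whose Message-Authenticator is keyed with `secret`."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    placeholder = attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier,
                         HEADER_LEN + len(placeholder)) + request_auth
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def find_message_authenticator(packet: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (offset of the 16-byte value, value) or None if the attribute is absent."""
    offset = HEADER_LEN
    while offset + 2 <= len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % offset)
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            return offset + 2, packet[offset + 2:offset + 18]
        offset += length
    return None


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True if the packet's Message-Authenticator was computed with `secret`."""
    found = find_message_authenticator(packet)
    if found is None:
        return False        # nothing to verify; treat as not authenticated by this secret
    offset, received = found
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def match_shared_secret(packet: bytes, secrets: List[bytes]) -> Optional[int]:
    """Index of the first configured secret that authenticates the packet, else None."""
    for index, secret in enumerate(secrets):
        if verify_message_authenticator(packet, secret):
            return index
    return None


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 Response Authenticator: MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    length = HEADER_LEN + len(attrs)
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + request_auth + attrs + secret).digest()


# Constructed configuration: two secrets for the same NAD IP, as the feature allows.
NAD_SECRETS = [b"first-secret-example", b"second-secret-example"]

if __name__ == "__main__":
    req_auth = os.urandom(16)
    packet = build_access_request(7, req_auth, NAD_SECRETS[1], "jdoe", "192.0.2.10")
    idx = match_shared_secret(packet, NAD_SECRETS)
    print("matched secret index:", idx)      # 1: the NAD is using the second key
    if idx is not None:
        accept = (struct.pack("!BBH", ACCESS_ACCEPT, 7, HEADER_LEN)
                  + response_authenticator(ACCESS_ACCEPT, 7, req_auth, b"", NAD_SECRETS[idx]))
        print("Access-Accept:", accept.hex())
```

The matched index is what lets a rotation from the first key to the second proceed without an outage. The note above is the operational catch: a CoA initiated by Cisco ISE is keyed with the first secret, so a NAD that has already been switched to accept only the second secret would reject it.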
Resolved Caveats in Cisco ISE Version 2.3.0.298—Cumulative Patch 1
Note We have recalled ISE 2.3 Patch 1 due to an issue we found after posting. An updated patch file has been reposted, and the new file name is ise-patchbundle-2.3.0.298-Patch1-221754.SPA.x86_64.tar.gz. If you already installed the previously posted patch, you MUST uninstall that patch, and install the new one.
Table 16 lists the caveats that are resolved in Cisco Identity Services Engine, Release 2.3 cumulative patch 1.
Patch 1 might not work with older versions of SPW. Mac users need to upgrade their SPW to MacOsXSPWizard 2.1.0.42 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.51 or later.
Table 16 Cisco ISE Patch Version 2.3.0.298-Patch 1 Resolved Caveats
If Self-registration option is disabled and Social login with registration form option is enabled, the registration form may not appear in the Portal Page Customization tab.
Filtering of endpoints in the Context Visibility page occasionally does not display existing endpoints.
Note The context visibility sync option and reset commands can be found in Release 2.3 Patch 1.
a. Run the app configure ise command on the Secondary Admin node CLI and select the following option:
[19]Reset Context Visibility
b. When you see a prompt to proceed with reset on the Primary Admin node, switch to Primary Admin node and select [19]Reset Context Visibility option.
c. After reset is complete on the Primary Admin node, switch to the Secondary Admin node and press Y to confirm that the reset was successful on the Primary Admin node.
d. Select the following option in the Primary Admin node:
[20]Synchronize Context Visibility With Database
Known Issues in Cisco ISE Version 2.3.0.298—Cumulative Patch 1
Conditions Studio Editor After Upgrade to ISE 2.3
When you create conditions using the Conditions Studio editor after upgrade, you can click the Attribute Value drop-down list or click the icon next to the Attribute Value text box to choose the required attribute. If the Attribute Value drop-down list is not displayed, you must use the mouse or trackpad, scroll up to the top of the page, and click the Attribute Value text box.
Resolved Caveats - Initial Release
Caveats resolved for the initial release.
If the default condition in authentication inner policy is set to a value other than DenyAccess, the default value gets reverted to DenyAccess after restart.
FMC uses the hostname plus a 33-byte generated ID as the node name, which easily exceeds the 50-byte limit in ISE. The limit was introduced as a security enhancement in CSCvm45072.
Cisco ISE 2.3 supports accessibility for the user facing web portals only. Cisco Web Accessibility Design Requirements (ADRs) are based on W3C Web Content Accessibility Guidelines (WCAG) 2.0 Level AA requirements. Cisco ADRs cover all Section 508 standards and more. Cisco ADRs website, http://wwwin.cisco.com/accessibility/acc_center/adrs_web/main.html, provides all information and resources for the accessibility requirements.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.1.
This document is to be used in conjunction with the documents listed in the “Related Documentation” section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.