Introduction to Cisco Identity Services Engine
Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, wireless controllers, Virtual Private Network (VPN) gateways, Private 5G networks, and data center switches. Cisco ISE acts as the policy manager in the Cisco TrustSec solution and supports TrustSec software-defined segmentation.
Cisco ISE is available on secure network server appliances with different performance characterizations, and also as software that can be run on virtual machines (VMs). Note that you can add more appliances to a deployment for better performance.
Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services where needed in a network, but operate the Cisco ISE deployment as a complete and coordinated system.
For detailed Cisco ISE ordering and licensing information, see the Cisco Identity Services Engine Ordering Guide.
For information on monitoring and troubleshooting the system, see the "Monitoring and Troubleshooting Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.
What is New in Cisco ISE, Release 3.0?
Cisco ISE Release 3.0 uses Essentials, Advantage, and Premier licenses.
For more information about the licenses that are supported in this Cisco ISE release, see the Chapter “Licensing” in the Cisco Identity Services Engine Administrator Guide.
The new features are organized according to the license required for each feature.
Essentials License
The following features require the Cisco ISE Essentials license.
Debug Wizard by Function
The Debug Wizard contains predefined debug templates that you can use to troubleshoot issues on ISE nodes. You can configure the Debug Profiles and the Debug Logs.
Business Outcome: Cisco TAC can now enable the debug logs easily over multiple nodes in a Cisco ISE deployment. This feature helps in quicker troubleshooting.
SAML SSO for Multi-Factor Authentication
Edit the authentication context value in SAML request headings to support multifactor authentications.
Business Outcome: SAML authentication will now support multifactor authentications.
Support for Cisco ISE on VMware Cloud on Amazon Web Services and Azure VMware Solution
The process of installing Cisco ISE on VMware Cloud is exactly the same as that of installing Cisco ISE on a VMware virtual machine. See Supported Virtual Environments.
Business Outcome: Cisco ISE can be hosted on VMware Cloud on Amazon Web Services (AWS) and Azure VMware Solution (AVS).
Multiple Attributes Lookup for ODBC Identity Store
Click the Advanced Settings option while adding an ODBC identity store to use the attributes under the following dictionaries as input parameters in the Fetch Attributes stored procedure (in addition to the username and password):
- RADIUS
- Device
- Network Access (AuthenticationMethod, Device IP Address, EapAuthentication, EapTunnel, ISE Host Name, Protocol, UserName, VN, and WasMachineAuthenticated)
You can configure the stored procedures to retrieve the following output parameters from the ODBC database:
- ACL
- Security Group
- VLAN (name or number)
- Web-redirect ACL
- Web-redirect portal name
Business Outcome: You can use these attributes to configure the authorization profiles. For example, you can configure an authorization profile to use the VLAN that is returned from the ODBC database based on the specified input attributes (such as MAC address, username, called-station-ID, or device location), instead of manually specifying the VLAN for each authorization profile.
Cisco ISE API Gateway
Cisco ISE API gateway is an API management solution, which acts as a single entry point to multiple Cisco ISE Service APIs to provide better security and traffic management. The API requests from the external clients are routed to the API gateway on Cisco ISE. The requests are further forwarded to the Cisco ISE nodes where service APIs are running, based on the rules configured on the API Gateway.
Business Outcome: Enhanced conversion of information exchange and cross-domain automation for a Cisco Software Defined Access (SDA) fabric in combination with Cisco ACI infrastructure.
Certificate Fingerprinting
The certificate fingerprinting process compares the SHA-256 fingerprint of the immediate issuer certificate with the trusted certificates. This enforces a secure mechanism for multiple certificates to support different domains. Certificate fingerprinting also allows you to lock the trusted certificates for the 802.1X protocol.
Business Outcome: Several domains are supported by multiple trusted certificates.
MSRPC Protocol for Passive ID Service
From Cisco ISE Release 3.0 onwards, you can use MS-Eventing API or Microsoft Remote Procedure Call (MSRPC) protocol for Passive Identity. Use the MSRPC protocol to establish node communication and monitor heartbeats between nodes in Cisco ISE. This option is available in addition to the WMI protocol for the Passive ID service.
The MSRPC protocol promotes a reliable mechanism when Cisco ISE or Cisco ISE-PIC collects and monitors the events from several domain controllers. It also reduces latency on the Active Directory Domain Controllers user login events.
Business Outcome: Provides a reliable mechanism for monitoring DC events.
Health Check
An on-demand health check option is introduced to diagnose all the nodes in your deployment. Running a health check on all the nodes prior to any operation helps identify critical issues, if any, that may cause downtime or blocker. Health Check provides the working status of all the dependent components. On failure of a component, it immediately provides troubleshooting recommendations to resolve the issue for a seamless execution of the operation.
Ensure that you run Health Check before initiating the upgrade process.
Business Outcome: Identify critical issues to avoid downtime or blockers.
For more information about Health Check, see the chapter "Troubleshooting" in the Cisco Identity Services Engine Administrator Guide.
Telemetry Updates
Additional network statistics are collected.
Business Outcome: The more information you can gather about customer networks, the better job you can do analyzing how to improve your products.
TCP Dump Enhancements
You now have more control over TCP dump files. You can also run TCP dump on additional interfaces.
Business Outcome: Collecting data about TCP traffic is now easier.
Resource Owner Password Credentials Flow to Authenticate Users with Microsoft Entra ID
The Resource Owner Password Credentials (ROPC) flow allows Cisco ISE to carry out authorization and authentication in a network with cloud-based identity providers. This is a controlled introduction feature. We recommend that you thoroughly test this feature in a test environment before using it in a production environment.
Business Outcome: The ROPC flow allows Cisco ISE to authorize and authenticate Microsoft Entra ID users.
Interactive Help
Interactive Help provides tips and step-by-step guidance to complete tasks with ease.
Business Outcome: This helps the end users to easily understand the work flow and complete their tasks with ease.
Advantage License
The following features require the Cisco ISE Advantage License.
New pxGrid Pages
The new pxGrid interface has new pages that separate pxGrid v1 and pxGrid v2. There is also a new Summary window with session and client information.
Business Outcome: Improves workflow when managing pxGrid sessions.
Note |
pxGrid 1.0, which uses legacy Extensible Messaging and Presence Protocol (XMPP) is in maintenance mode, and will be deprecated soon. We introduced pxGrid 2.0 in Cisco ISE, Release 2.4. pxGrid 2.0 uses REST and Websocket protocols, which are a simple and standardized application-to-application communications interface. We encourage partners to switch their pxGrid client implementations to these new protocols. For more information about why we recommend a switch to pxGrid 2.0, see Welcome to Learning Cisco Platform Exchange Grid (pxGrid) |
Configuration of Baseline Policies from Desktop Device Manager
When you upgrade to Cisco ISE Release 3.0, we recommend that you do not use root patches to select configuration baseline policies from the connected Desktop Device Manager servers.
You can also verify Windows endpoints with Device Identifiers instead of MAC addresses for greater accuracy, when dongles, docking stations, or MAC address randomization techniques are in use.
Business Outcome: You can check for endpoint compliance using configuration baseline policies created in Desktop Device Manager servers. Use device identifiers instead of MAC addresses for greater accuracy in endpoint identification.
Cisco ISE ACI-SDA Integration with VN Awareness
Cisco ISE Release 3.0 provides enhanced conversion of information exchange and cross-domain automation for a Cisco Software Defined Access (SDA) fabric in combination with Cisco ACI infrastructure. This implementation supports the exchange and translation of EPG and SGT information, extension of SDA Virtual Networks (VNs) into the Cisco ACI fabric, SDA and ACI fabric data plane automation, along with the exchange of IP-SGT bindings and sending the bindings to pxGrid and SXP domains.
Business Outcome: Better security and traffic management.
Minimum Version of Antivirus and Antimalware
From Cisco ISE Release 3.0 onwards, you can create a posture policy to set a minimum version of antivirus and antimalware for the endpoints in your network. This policy ensures that the endpoints comply with the minimum version of antivirus and antimalware of your network policy. It also automatically updates the condition with new versions of antivirus and antimalware, thus reducing the manual effort required to revise the condition.
Business Outcome: Enhanced security because the endpoints comply with the network policy.
Posture Session Sharing
Posture status is shared between PSNs. The status is not configurable; it is always on.
Business Outcome: Client connections do not need to rerun posture, when switching to a different PSN.
Agentless Posture
This new posture type delivers an agent to the client through SSH, and optionally removes the client when posture is complete. AnyConnect is not required. The agentless posture package is available as part of the default Cisco ISE client provisioning resources. You can select this package while creating an agent configuration to be used for the client provisioning policy.
Business Outcome: Lower footprint, and temporary posture agent is not visible to the customer.
Multi-DNAC Support
Cisco DNA Center systems cannot scale to more than the range of 25 to 100 thousand endpoints. Cisco ISE can scale to two million endpoints. Currently, you can only integrate one Cisco DNA Center system with one Cisco ISE system. Large Cisco ISE deployments can benefit by integrating multiple Cisco DNA Center clusters with a single Cisco ISE. Cisco now supports multiple Cisco DNA Center clusters per Cisco ISE deployment, also known as Multi-DNAC.
Business Outcome: This feature for the Access Control app in Cisco DNA Center allows you to integrate up to four Cisco DNA Center clusters with a single Cisco ISE system.
Premier License
The following features require Cisco ISE Premier License.
Endpoint Scripts Wizard
The Endpoint Scripts Wizard allows you to run scripts on connected endpoints to carry out administrative tasks that comply with your organization’s requirements. This includes tasks such as uninstalling obsolete software, starting or terminating processes or applications, and enabling or disabling specific services.
Business Outcome: Easily carry out administrative tasks on connected endpoints to comply with your organization’s requirements.
System Requirements
For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.
For more details on hardware platforms and installation of this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.
Supported Hardware
Cisco ISE, Release 3.0, can be installed on the following platforms:
| Hardware Platform | Configuration |
|---|---|
| Cisco SNS-3515-K9 (small) | For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide. |
| Cisco SNS-3595-K9 (large) | |
| Cisco SNS-3615-K9 (small) | |
| Cisco SNS-3655-K9 (medium) | |
| Cisco SNS-3695-K9 (large) | |
After installation, you can configure Cisco ISE with specific component personas such as Administration, Monitoring, or pxGrid on the platforms that are listed in the above table. In addition to these personas, Cisco ISE contains other types of personas within Policy Service, such as Profiling Service, Session Services, Threat-Centric NAC Service, SXP Service for TrustSec, TACACS+ Device Admin Service, and Passive Identity Service.
Supported Virtual Environments
Cisco ISE supports the following virtual environment platforms:
- VMware ESXi 5.x, 6.x, 7.x, 8.x
  For Cisco ISE Release 3.0 and later releases, we recommend that you update to VMware ESXi 7.0.3 or later releases.
- Cisco ISE has been validated with Cisco HyperFlex HX-Series with VMware ESXi 6.5.
- You can deploy Cisco ISE on VMware cloud solutions on the following public cloud platforms:
  - VMware cloud in Amazon Web Services (AWS): Host Cisco ISE on a software-defined data centre provided by VMware Cloud on AWS.
  - Azure VMware Solution: Azure VMware Solution runs VMware workloads natively on Microsoft Azure. You can host Cisco ISE as a VMware virtual machine.
  - Google Cloud VMware Engine: Google Cloud VMware Engine runs a software-defined data centre by VMware on the Google Cloud. You can host Cisco ISE as a VMware virtual machine on the software-defined data centre provided by the VMware Engine.
- Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later
- KVM on QEMU 1.5.3-160
  Note
  Cisco ISE cannot be installed on OpenStack.
- Nutanix AHV 20201105.2096
For information about the virtual machine requirements, see the Cisco Identity Services Engine Installation Guide for your version of Cisco ISE.
Note |
From Cisco ISE Release 3.0 onwards, the CPUs of the virtualization platform that hosts Cisco ISE virtual machines must support the Streaming SIMD Extensions (SSE) 4.2 instruction set. Otherwise, certain Cisco ISE services (such as ISE API gateway) will not work, and the Cisco ISE GUI cannot be launched. Both Intel and AMD processors support SSE Version 4.2 since 2011. |
Federal Information Processing Standard (FIPS) Mode Support
Cisco ISE uses embedded Federal Information Processing Standard (FIPS) 140-2-validated cryptographic module, Cisco FIPS Object Module Version 6.2 (Certificate #2984). For details about the FIPS compliance claims, see Global Government Certifications.
When FIPS mode is enabled on Cisco ISE, consider the following:
- All non-FIPS-compliant cipher suites will be disabled.
- Certificates and private keys must use only FIPS-compliant hash and encryption algorithms.
- RSA private keys must be 2048 bits or greater.
- Elliptic Curve Digital Signature Algorithm (ECDSA) private keys must be 224 bits or greater.
- Diffie–Hellman Ephemeral (DHE) ciphers work with Diffie–Hellman (DH) parameters of 2048 bits or greater.
- SHA1 is not allowed to generate ISE local server certificates.
- The anonymous PAC provisioning option in EAP-FAST is disabled.
- The local SSH server operates in FIPS mode.
- The following protocols are not supported in FIPS mode for RADIUS:
  - EAP-MD5
  - PAP
  - CHAP
  - MS-CHAPv1
  - MS-CHAPv2
  - LEAP
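The constraints above are the ones that break authentication when FIPS mode is switched on without preparation. The script below, an added example that is not Cisco code, turns that list into a pre-flight audit: it takes a summary of each certificate (key type, key size, signature digest), the DH parameter size, and the configured RADIUS allowed protocols, and reports every item that FIPS mode will reject. The CertSummary fields and the sample inventory are constructed assumptions; read the real values from your certificate tooling.

```python
"""Pre-flight audit against the Cisco ISE FIPS-mode constraints (added example, not Cisco code)."""
from __future__ import annotations

from dataclasses import dataclass

# RADIUS authentication protocols that the release notes list as unsupported in FIPS mode.
FIPS_UNSUPPORTED_RADIUS = frozenset({"EAP-MD5", "PAP", "CHAP", "MS-CHAPv1", "MS-CHAPv2", "LEAP"})
# Minimum key and parameter sizes from the FIPS-mode list.
MIN_RSA_BITS = 2048
MIN_ECDSA_BITS = 224
MIN_DH_BITS = 2048
# SHA-2 digests; SHA1 is not allowed for ISE local server certificates and MD5 is never FIPS-compliant.
FIPS_HASHES = frozenset({"SHA224", "SHA256", "SHA384", "SHA512"})


@dataclass(frozen=True)
class CertSummary:
    """Assumed summary of one certificate, as read off it with your X.509 tooling."""
    name: str
    key_type: str  # "RSA" or "ECDSA"
    key_bits: int  # RSA modulus size, or ECDSA curve order size
    sig_hash: str  # digest in the signature algorithm, e.g. "SHA256"


def _norm_hash(digest: str) -> str:
    """Normalise spellings such as 'sha-256' and 'SHA_256' to 'SHA256'."""
    return digest.upper().replace("-", "").replace("_", "")


def audit_certificate(cert: CertSummary) -> list[str]:
    """Return the FIPS-mode violations for one certificate (empty list means compliant)."""
    problems: list[str] = []
    key_type = cert.key_type.upper()
    if key_type == "RSA":
        if cert.key_bits < MIN_RSA_BITS:
            problems.append(f"{cert.name}: RSA key is {cert.key_bits} bits; "
                            f"FIPS mode requires {MIN_RSA_BITS} or greater")
    elif key_type in ("ECDSA", "EC"):
        if cert.key_bits < MIN_ECDSA_BITS:
            problems.append(f"{cert.name}: ECDSA key is {cert.key_bits} bits; "
                            f"FIPS mode requires {MIN_ECDSA_BITS} or greater")
    else:
        problems.append(f"{cert.name}: key type {cert.key_type!r} is neither RSA nor ECDSA")
    if _norm_hash(cert.sig_hash) not in FIPS_HASHES:
        problems.append(f"{cert.name}: signature hash {cert.sig_hash} is not FIPS-compliant; "
                        "reissue the certificate with a SHA-2 digest")
    return problems


def audit_dh_params(dh_bits: int) -> list[str]:
    """DHE cipher suites only work with DH parameters of 2048 bits or greater."""
    if dh_bits < MIN_DH_BITS:
        return [f"DH parameters are {dh_bits} bits; DHE ciphers need {MIN_DH_BITS} or greater"]
    return []


def radius_protocols_losing_support(allowed_protocols) -> list[str]:
    """Entries of an Allowed Protocols list that stop working once FIPS mode is on."""
    return sorted(p for p in allowed_protocols if p in FIPS_UNSUPPORTED_RADIUS)


def fips_preflight(certs, dh_bits: int, allowed_protocols) -> list[str]:
    """Aggregate report for a deployment; run it before toggling FIPS mode."""
    report: list[str] = []
    for cert in certs:
        report.extend(audit_certificate(cert))
    report.extend(audit_dh_params(dh_bits))
    for proto in radius_protocols_losing_support(allowed_protocols):
        report.append(f"allowed protocol {proto} is not supported in FIPS mode")
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not taken from a real deployment.
    sample_certs = [
        CertSummary("admin-portal", "RSA", 2048, "SHA256"),
        CertSummary("eap-legacy", "RSA", 1024, "SHA1"),
        CertSummary("guest-portal", "ECDSA", 256, "SHA384"),
    ]
    for line in fips_preflight(sample_certs, dh_bits=1024,
                               allowed_protocols=["EAP-TLS", "PEAP", "MS-CHAPv2", "PAP"]):
        print("FIPS:", line)
```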
Supported Browsers
The supported browsers for the Admin portal include:
- Mozilla Firefox versions 82 through 96
- Mozilla Firefox ESR 91.3 and earlier versions
- Google Chrome versions 86 through 97
- Microsoft Edge, the latest version and one version earlier than the latest version
Validated External Identity Sources
Note |
The supported Active Directory versions are the same for both Cisco ISE and Cisco ISE-PIC. |
| External Identity Source | Version |
|---|---|
| Active Directory [1] | |
| Microsoft Windows Active Directory 2012 | Windows Server 2012 |
| Microsoft Windows Active Directory 2012 R2 [2] | Windows Server 2012 R2 |
| Microsoft Windows Active Directory 2016 | Windows Server 2016 |
| Microsoft Windows Active Directory 2019 | Windows Server 2019 |
| LDAP Servers | |
| SunONE LDAP Directory Server | Version 5.2 |
| OpenLDAP Directory Server | Version 2.4.23 |
| Any LDAP v3 compliant server | Any version that is LDAP v3 compliant |
| Token Servers | |
| RSA ACE/Server | 6.x series |
| RSA Authentication Manager | 7.x and 8.x series |
| Any RADIUS RFC 2865-compliant token server | Any version that is RFC 2865 compliant |
| Security Assertion Markup Language (SAML) Single Sign-On (SSO) | |
| Microsoft Azure MFA | Latest |
| Oracle Access Manager (OAM) | Version 11.1.2.2.0 |
| Oracle Identity Federation (OIF) | Version 11.1.1.2.0 |
| PingFederate Server | Version 6.10.0.4 |
| PingOne Cloud | Latest |
| Secure Auth | 8.1.1 |
| Any SAMLv2-compliant Identity Provider | Any Identity Provider version that is SAMLv2 compliant |
| Open Database Connectivity (ODBC) Identity Source | |
| Microsoft SQL Server | Microsoft SQL Server 2012 Microsoft SQL Server 2022 |
| Oracle | Enterprise Edition Release 12.1.0.2.0 |
| PostgreSQL | 9.0 |
| Sybase | 16.0 |
| MySQL | 6.3 |
| Social Login (for Guest User Accounts) | |
| | Latest |
[1] Cisco ISE OCSP functionality is available only on Microsoft Windows Active Directory 2008 and later.
[2] Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2. However, the new features in Microsoft Windows Active Directory 2012 R2, such as Protective User Groups, are not supported.
See the Cisco Identity Services Engine Administrator Guide for more information.
Supported Antivirus and Antimalware Products
For information about the antivirus and antimalware products supported by the Cisco ISE posture agent, see Cisco AnyConnect ISE Posture Support Charts.
Validated OpenSSL Version
Cisco ISE is validated with OpenSSL 1.0.2.x (CiscoSSL 6.0).
Known Limitations and Workarounds
This section provides information about the various known limitations and the corresponding workarounds.
Hot Patch for RADIUS Live Log Delays
In Cisco ISE Release 3.0 Cumulative Patch 8, you may experience RADIUS live logs delay as explained in CSCwi06794. You must install the following hot patch to fix this issue: ise-apply-CSCwi06794_3.0.0.458_patch8-SPA.tar.gz.
Incorrect Smart Licensing Consumption Reports
After you upgrade to Cisco ISE Release 3.0 Patch 7, if your smart licensing configuration uses the connection methods Direct HTTPS or HTTPS Proxy, you may witness incorrect compliance statuses being reported. Incorrect license consumption counts may be reported due to a communication error between Cisco ISE and CSSM.
To troubleshoot the communication error, in the Licensing window of the Cisco ISE administration portal, deregister and then reregister your smart licensing.
Authentication Might Fail for SNMP Users After Upgrade due to Wrong Hash Value
If you are upgrading from Cisco ISE 2.7 or earlier release to Cisco ISE 3.0, you must reconfigure the settings for SNMP users after the upgrade. Otherwise, authentication might fail for SNMP users because of wrong hash value.
Use the following commands to reconfigure the settings for SNMPv3 users:
no snmp-server user <snmp user> <snmp version> <auth password> <priv password>
snmp-server user <snmp user> <snmp version> <auth password> <priv password>
Online Help in Japanese
If you have configured your localization settings to enable Japanese in your Cisco ISE, note that the Online Help does not include information on new features introduced in this release. See Cisco ISE Administration Guide, Release 3.0 for information on these features.
Radius Logs for Authentication
Details of an authentication event can be viewed in the Details field of the Radius Authentications window. The details of an authentication event are available only for 7 days, after which no data on the authentication event will be visible. All the authentication log data will be removed when a purge is triggered.
LDAP Server Reconfiguration after Upgrade
Limitation
The primary Hostname or IP is not updated, which causes authentication failures. This is because while upgrading the Cisco ISE deployment, the deployment IDs tend to reset.
Condition
When you enable the Specify server for each ISE node option in the Connection window. To view this window, click the Menu icon () and choose or choose and an existing server, and then upgrade your Cisco ISE deployment which has PSNs, the deployment IDs tend to reset.
Workaround
Reconfigure the LDAP Server settings for each node. For more information, see LDAP Identity Source Settings section in the Administrative Access to Cisco ISE Using an External Identity Store chapter in the "Cisco Identity Services Engine Administrator Guide, Release 2.4".
Valid User-Agent Header
From Cisco ISE Release 2.7, Cisco ISE requires a valid User-Agent header to be sent along with a web request to a Cisco ISE end-user facing portal, such as a Cisco ISE sponsor portal, in order to receive success or redirect responses.
Response Status Lines
From Cisco ISE Release 2.7, Cisco ISE web services and portals return response status lines containing only the HTTP versions and the status codes, but not the corresponding reason phrases.
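Both behaviours above affect scripts that talk to the portals: a request without a User-Agent header does not get the expected success or redirect, and a status line such as `HTTP/1.1 302` with no reason phrase breaks parsers that unpack the line into exactly three fields. The helper below is an added example, not part of Cisco ISE or its documentation; it sends the required header, parses status lines with or without a reason phrase, and classifies the response by code alone. The host name and portal path are placeholders.

```python
"""Client-side helper for Cisco ISE portal requests and responses (added example, not Cisco code)."""
from __future__ import annotations

import re

# RFC 7230 status line: HTTP-version SP status-code SP reason-phrase, where the
# reason phrase may be empty. Cisco ISE 2.7+ omits it, so the third group is
# optional; a naive `version, code, reason = line.split(" ", 2)` raises ValueError.
_STATUS_LINE = re.compile(r"^(HTTP/\d\.\d) (\d{3})(?: (.*))?$")


def parse_status_line(line: str) -> tuple[str, int, str]:
    """Return (version, code, reason); reason is '' when the phrase is absent."""
    match = _STATUS_LINE.match(line.rstrip("\r\n"))
    if not match:
        raise ValueError(f"malformed status line: {line!r}")
    return match.group(1), int(match.group(2)), match.group(3) or ""


def status_class(code: int) -> str:
    """Classify by status code only, because the reason phrase cannot be relied on."""
    if 200 <= code < 300:
        return "success"
    if 300 <= code < 400:
        return "redirect"
    if 400 <= code < 500:
        return "client_error"
    if 500 <= code < 600:
        return "server_error"
    return "other"


def is_valid_user_agent(user_agent: str | None) -> bool:
    """The notes only require the header to be present and valid: non-empty, single line."""
    if not user_agent or not user_agent.strip():
        return False
    return "\r" not in user_agent and "\n" not in user_agent


def portal_request(host: str, path: str, user_agent: str) -> bytes:
    """Build a minimal GET for an ISE end-user portal that carries the required header."""
    if not is_valid_user_agent(user_agent):
        raise ValueError("a non-empty single-line User-Agent header is required")
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        f"User-Agent: {user_agent}",
        "Accept: text/html",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("latin-1")


def handle_response_head(raw: bytes) -> dict:
    """Parse the status line and headers of a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *header_lines = head.split("\r\n")
    version, code, reason = parse_status_line(status)
    headers: dict[str, str] = {}
    for header in header_lines:
        name, _, value = header.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "code": code, "reason": reason,
            "class": status_class(code), "location": headers.get("location")}


if __name__ == "__main__":
    # Constructed sample of a redirect without a reason phrase; host and path are placeholders.
    sample = (b"HTTP/1.1 302\r\n"
              b"Location: https://ise.example.com/portal/example\r\n"
              b"Content-Length: 0\r\n\r\n")
    print(portal_request("ise.example.com", "/portal/example", "PortalCheck/1.0").decode())
    print(handle_response_head(sample))
```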
Server IP Update Under Trustsec AAA Server List
When the IP address of the Cisco ISE instance is changed using the CLI, Cisco ISE services are restarted. After the services are up, you must change the IP address of the Trustsec AAA server. In the Cisco ISE GUI, click the Menu icon () and choose .
Upgrade Information
Upgrading to Release 3.0
You can directly upgrade to Release 3.0 from the following Cisco ISE releases:
- 2.4
- 2.6
- 2.7
If you are on a version earlier than Cisco ISE, Release 2.4, you must first upgrade to one of the releases listed above, and then upgrade to Release 3.0.
Note |
We recommend that you upgrade to the latest patch in the existing version before starting the upgrade. |
Upgrade Packages
For information about the upgrade packages and the supported platforms, see Cisco ISE Software Download.
License Changes
The licenses that are used for Cisco ISE Releases 2.x, such as Base, Plus, and Apex, have been replaced with new license types. Cisco ISE Release 3.0 uses Essentials, Advantage, and Premier licenses. See the Chapter “Licensing” in the Cisco Identity Services Engine Administrator Guide.
You must convert your existing smart or traditional licenses to the new license type through the Cisco Smart Software Manager (CSSM), to enable license consumption in Cisco ISE Release 3.0.
Upgrade Procedure Prerequisites
- Run the Upgrade Readiness Tool (URT) before the upgrade to check whether the configured data can be upgraded to the required Cisco ISE version. Most upgrade failures occur because of data upgrade issues. The URT validates the data before the actual upgrade and reports the issues, if any. The URT can be downloaded from the Cisco ISE Download Software Center.
- We recommend that you install all the relevant patches before beginning the upgrade.
For more information, see the Cisco Identity Services Engine Upgrade Guide.
Telemetry
After installation, when you log in to the Admin portal for the first time, the Cisco ISE Telemetry banner is displayed. Using this feature, Cisco ISE securely collects nonsensitive information about your deployment, network access devices, profiler, and other services that you are using. This data will be used to provide better services and more features in the forthcoming releases. By default, telemetry is enabled. To disable or modify the account information, choose Administration > Settings > Network Settings Diagnostics > Telemetry. The account is unique for each deployment. Each admin user need not provide it separately.
Telemetry provides valuable information about the status and capabilities of Cisco ISE. Telemetry is used by Cisco to improve appliance lifecycle management for IT teams who have deployed Cisco ISE. Collecting this data helps the product teams serve customers better. This data and related insights enable Cisco to proactively identify potential issues, improve services and support, facilitate discussions to gather additional value from new and existing features, and assist IT teams with inventory report of license entitlement and upcoming renewals.
It may take up to 24 hours after the Telemetry feature is disabled for Cisco ISE to stop sharing telemetry data.
Types of data collected include Product Usage Telemetry and Cisco Support Diagnostics.
Cisco Support Diagnostics
The Cisco Support Diagnostics Connector enables Cisco Technical Assistance Center (TAC) and Cisco support engineers to obtain support information on the deployment through the primary administration node. By default, this feature is disabled. See the Cisco Identity Services Engine Administrator Guide for instructions on how to enable this feature.
Cisco ISE Live Update Portals
Cisco ISE Live Update portals help you to automatically download the Supplicant Provisioning wizard, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals are configured in Cisco ISE during the initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the corresponding device using Cisco ISE.
If the default Update portal URL is not reachable and your network requires a proxy server, configure the proxy settings. In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Settings > Proxy before you access the Live Update portals. If proxy settings allow access to the profiler, posture, and client-provisioning feeds, access to a Mobile Device Management (MDM) server is blocked because Cisco ISE cannot bypass the proxy services for MDM communication. To resolve this, you can configure the proxy services to allow communication to the MDM servers. For more information on proxy settings, see the "Specify Proxy Settings in Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.
Client Provisioning and Posture Live Update Portals
You can download Client Provisioning resources from:
In the Cisco ISE GUI, click the Menu icon () and choose
The following software elements are available at this URL:
- Supplicant Provisioning wizards for Windows and Mac OS X native supplicants
- Windows versions of the latest Cisco ISE persistent and temporal agents
- Mac OS X versions of the latest Cisco ISE persistent agents
- ActiveX and Java Applet installer helpers
- AV/AS compliance module files
For more information on automatically downloading the software packages that are available at the Client Provisioning Update portal to Cisco ISE, see the "Download Client Provisioning Resources Automatically" section in the "Configure Client Provisioning" chapter in the Cisco Identity Services Engine Administrator Guide.
You can download Posture updates from:
In the Cisco ISE GUI, click the Menu icon () and choose
The following software elements are available at this URL:
- Cisco-predefined checks and rules
- Windows and Mac OS X AV/AS support charts
- Cisco ISE operating system support
For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the "Download Posture Updates Automatically" section in the Cisco Identity Services Engine Administrator Guide.
If you do not want to enable the automatic download capabilities, you can choose to download updates offline.
Cisco ISE Offline Updates
This offline update option allows you to download client provisioning and posture updates, when direct internet access to Cisco.com from a device using Cisco ISE is not available or is not permitted by a security policy.
To download offline client provisioning resources:
Procedure
Step 1: Go to https://software.cisco.com/download/home/283801620/type/283802505/release/3.0.0.
Step 2: Provide your login credentials.
Step 3: Navigate to the Cisco Identity Services Engine download window, and select the release. The following Offline Installation Packages are available for download:
Step 4: Click either Download or Add to Cart.
For more information on adding the downloaded installation packages to Cisco ISE, see the "Add Client Provisioning Resources from a Local Machine" section in the Cisco Identity Services Engine Administrator Guide.
You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Mac operating systems offline from an archive in your local system, using posture updates.
For offline updates, ensure that the versions of the archive files match the versions in the configuration file. Use offline posture updates after you configure Cisco ISE and want to enable dynamic updates for the posture policy service.
To download offline posture updates:
Procedure
Step 1: Go to https://www.cisco.com/web/secure/spa/posture-offline.html.
Step 2: Save the posture-offline.zip file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Mac operating systems.
Step 3: In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Settings > Posture.
Step 4: Click the arrow to view the settings for posture.
Step 5: Click Updates. The Posture Updates window is displayed.
Step 6: Click the Offline option.
Step 7: Click Browse to locate the archive file (posture-offline.zip) from the local folder in your system.
Step 8: Click Update Now.
Configuration Prerequisites
- The relevant Cisco ISE license fees should be paid.
- The latest patches should be installed.
- Cisco ISE software capabilities should be active.
Monitoring and Troubleshooting
For information on monitoring and troubleshooting the system, see the "Monitoring and Troubleshooting Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.
Ordering Information
For detailed Cisco ISE ordering and licensing information, see the Cisco Identity Services Engine Ordering Guide.
Cisco ISE Integration with Cisco Catalyst Center
Cisco ISE can integrate with Catalyst Center. For information about configuring Cisco ISE to work with Catalyst Center, see the Cisco Catalyst Center documentation.
For information about Cisco ISE compatibility with Catalyst Center, see the Cisco SD-Access Compatibility Matrix.
Cisco AI Endpoint Analytics
Cisco AI Endpoint Analytics is a solution on Cisco DNA Center that improves endpoint profiling fidelity. It provides fine-grained endpoint identification and assigns labels to various endpoints. Information gathered through deep-packet inspection, and probes from sources such as Cisco ISE, Cisco SD-AVC, and network devices, is analyzed for endpoint profiling.
Cisco AI Endpoint Analytics also uses artificial intelligence (AI) and machine learning capabilities to intuitively group endpoints with similar attributes. IT administrators can review such groups and assign labels to them. These endpoint labels are then available in Cisco ISE if your Cisco ISE account is connected to on-premises Cisco DNA Center.
These endpoint labels from Cisco AI Endpoint Analytics can be used by Cisco ISE administrators to create custom authorization policies. You can provide the right set of access privileges to endpoints or endpoint groups through such authorization policies.
Install a New Patch
To obtain the patch file that is necessary to apply a patch to Cisco ISE, log in to the Cisco Download Software site at https://software.cisco.com/download/home (you will be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
For instructions on how to apply the patch to your system, see the "Cisco ISE Software Patches" section in the Cisco Identity Services Engine Upgrade Journey.
For instructions on how to install a patch using the CLI, see the "Patch Install" section in the Cisco Identity Services Engine CLI Reference Guide.
Note: Cisco ISE Release 3.0 Patch 2 and later releases support the SSM On-Prem connection method for licensing. If you enable this feature and need to roll back to Cisco ISE 3.0 Patch 1 or earlier, you must disable this licensing feature before you uninstall the patch that provides it.
Automatic Root CA Certificate Regeneration
From Cisco ISE Release 3.0 Patch 6, the root CA certificate must be regenerated whenever a new patch is installed. Whether this happens automatically depends on the deployment type and the installation method:
- In a standalone node, when you install a patch through the CLI or the GUI, the root CA certificate is automatically regenerated.
- In a distributed deployment, if you install a patch through the CLI, you must regenerate the root CA certificate after the patch is installed. If you install a patch through the Cisco ISE GUI, the root CA certificate is automatically regenerated.
If you roll back from Cisco ISE Release 3.0 Patch 6 or later releases to Cisco ISE Release 3.0 Patch 5 or earlier releases, you must regenerate the root CA certificate in the Cisco ISE release that you roll back to.
For information on how to generate a root CA certificate, see the topic "Generate Root CA and Subordinate CAs on the Primary PAN and PSN" in the Chapter "Basic Setup" in the Cisco ISE Administrator Guide.
Caveats
The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, use the Cisco Bug Search Tool (BST).
Note: The Open Caveats sections list the open caveats that apply to the current release and might apply to releases earlier than Cisco ISE 3.0. A caveat that is open for an earlier release and is still unresolved applies to all future releases until it is resolved.
Resolved Caveats in Cisco ISE Release 3.0 - Cumulative Patch 8
The following table lists the resolved caveats in Release 3.0 cumulative patch 8.
Identifier | Headline
---|---
 | pxGrid session publishing stops when reintegrating FMC while P-PIC is down
 | Cisco Identity Services Engine Information Disclosure Vulnerability
 | Cisco Identity Services Engine Path Traversal Vulnerability
 | ISE smart licensing now using smart transport
 | Mac OS Beta Monterey (MacOS 12 beta 2) failing NSP MacOsXSPWizard v3.1.0.2
 | while exporting Scheduled report with huge size coming as empty on the repository.
 | ISE-DNAC Integration Fails If There Are Invalid Certificates In ISE Trusted Store
 | ISE displaying tomcat stacktrace when using a specific URL
 | ISE 3.1 patch 4 : GUI : Certificate Authentication : Permissions
 | During upgrade the deregister call fails to remove all the nodes from the DB
 | ISE and CVE-2023-24998
 | No validation of PBIS reg key configuration on advance tuning page.
 | ISE Get All Endpoints request takes much longer time to execute since 2.7
 | LSD is causing high bandwidth utilization
 | ISE 3.2 : APIC Integration : missing fvIP subscription
 | ISE cannot retrieve multiple attribute values from client certificate in EAP-TLS session resumption
 | guest sponsor portal country code issue
 | ISE 3.2/3.1/3.0 displays mismatched information on "Get All Endpoints" report
 | / in Command Arguments not Preserved after CSV Import of T+ Command Set
 | Update warning message while changing Timezone
 | Cisco Identity Services Engine XML External Entity Injection Vulnerability
 | Network Device Profile shows HTML code as name
 | Radius used space reports incorrect usage as it also taken into account few TACACS tables
 | TLS 1.0/1.1 accepted at ISE 3.0 admin portal
 | ISE is sending old Audit Session ID in reauth CoA after previously successful port-bounce CoA
 | GUI TCPDUMP gets stuck on Stop_In_Progress
 | ISE- SQLException sent to the Collection Failure Alarm caused by NAS-Port-id length
 | ISE fails to translate AD attribute of msRASSavedFramedIPAddress
 | Certificate based GUI admin login stuck
 | ISE is unable to save the Subnet/IP Address Pool Name for voice vlans.
 | UI crashed while loading authz policy on chrome and edge browser
 | Cisco Identity Services Engine XML External Entity Injection Vulnerability
 | Cisco Identity Services Engine Denial of Service Vulnerability
 | Radius Token Server config accepts empty host IP for Secondary Server
 | ISE cannot retrieve repositories and scan policies of Tenable Security Center
 | TACACS Command Accounting report export is not working
 | Mnt Log Processor service stops every night
 | ISE not sending hostname attribute to DNAC
 | Persisting of Reprofiling result is not updating to Oracle/VCS after feed incremental update
 | profiler is triggering Port Bounce when there are multiple sessions exist on a switch port
 | Unable to change the Identity source from internal to external RSA/RADIUS-token server
 | Posture Assessment By Condition generates ORA-00904: "SYSTEM_NAME": invalid identifier
 | ISE Debug Wizard Posture profile does not contain client-webapp component to DEBUG
 | Multiple requests for same IP+VN+VPN combinations with diff session ID creating duplicate records
 | For SCCM integration with ISE need MSAL support as MS is deprecating ADAL
 | Improvement of logs in association with ISE SXP conflict causing warning in DNAC
 | ISE with 2 interfaces configured for portal access is broken
 | Anomalous behavior detection is not working as expected
 | Profiler CoA sent with the wrong session ID
 | MDM - Connection to Microsoft SCCM fails after Windows DCOM Server Hardening for CVE-2021-26414
 | ISE vPSN with IMS performance degrades by 30-40% compared to UDP syslog
 | Unable to import certificates on Secondary node post Registration to the deployment
 | SXP service gets stuck in initializing due to an exception on 9644.
 | Launch page level help not working for Patch Management, Upgrade, and Health Checks
 | Session directory write failed alarm with Cisco NAD using "user defined" NAD profile
 | ISE Replication: SyncRequest timeout monitor thread does not kill file transfer after timeout
 | SG and contracts with multiple backslash characters in a row in the description cannot sync to ISE
 | Attempt to delete "Is IPSEC Device" NDG causes all subsequent RADIUS/T+ authentications to fail
 | Online Page level Help IDs for meraki-connector pages in ISE GUI
 | ISE 3.1 certain SFTP servers stopped working after upgrade to patch 4/5
 | ISE 3.1/ Certificate based login asks for license file if only the Device Admin license is enabled
 | ISE 2.6 p7 is not able to match "identityaccessrestricted equals true" in Auth Policy.
 | CIAM: xstream 1.4.17
 | Cisco Identity Services Engine Command Injection Vulnerability
 | ISE cannot retrieve a peer certificate during EAP-TLS authentication
 | ISE - Network device captcha only prompting when filter matches only 1 Network device
 | SXP service gets stuck into initializing due to H2 DB delay in querying Bindings
 | URT failing for upgrade from 2.6/2.7 to 3.1
 | Fix for CSCvz85074 breaks AD group retrieval in ISE
 | Unable to login successfully into ISE GUI through ipv6 address
 | ISE Africa/Cairo Timezone DST
 | [ENH] Session stitching support with ISE PIC Agent
 | ISE: Mexico Time Zone Incorrectly Changing to Daylight Saving
 | ISE SXP Bindings API call returns 2xx response when the call failed
 | Vulnerabilities in jszip 3.0.0
 | Permission for collector.log file is set as root root automatically
 | Not able to download support bundle with size over 1GB from GUI
 | Cisco DNA Center integration issue due to more internal CA certificates
 | ISE 2.7 patch 8 lowers read test speeds from CLI causing "Insufficient Virtual Machine Resources"
 | CPU spike due memory leak with EP purge call
 | ISE: Live Session get stuck at "Authenticated" state
 | All NADs are getting deleted while doing Filter on NDG Location and IP
Open Caveats in Cisco ISE Release 3.0 - Cumulative Patch 8
There are no open caveats in Cisco ISE Release 3.0 Patch 8.
New Features in Cisco ISE Release 3.0 - Cumulative Patch 7
Support for Cisco Secure Client
Cisco ISE 3.0 Patch 7 supports both AnyConnect and Cisco Secure Client for Windows, macOS, and Linux operating systems. The following Cisco Secure Client versions are supported for these operating systems:
- Windows: Cisco Secure Client version 5.00529 and later
- macOS: Cisco Secure Client version 5.00556 and later
- Linux: Cisco Secure Client version 5.00556 and later
You can configure both AnyConnect and Cisco Secure Client for your endpoints on these operating systems but only one policy will be considered at run time for an endpoint.
Required URL for Smart Licensing
Cisco ISE Release 3.0 Patch 7 uses https://smartreceiver.cisco.com to obtain Smart Licensing information.
Resolved Caveats in Cisco ISE Release 3.0 - Cumulative Patch 7
The following table lists the resolved caveats in Release 3.0 cumulative patch 7.
Caveat ID Number | Description
---|---
 | User Attributes fetching from ODBC even didn't config on ISE
 | Deleted network device groups still show up in policy sets
 | Make a Wish link is updated to a new location
 | XML External Entity Injection Vulnerability
 | Static default route with gateway of interfaces other than Gig 0 breaks network connectivity
 | Support Bundle page loads slowly due to Download Logs page loading in the background
 | Error handling/ messaging for mobile number format not clear
 | Profiler Condition does not display the Attribute Value
 | Duplicate Manager does not remove packet when there is an exception in reading configuration
 | Certificate based administrator login does not work when client/browser sends more than one certificate
 | ISE 3.0 patch 6 : Missing Scheduled Reports
 | ISE does not allow import of CA signed certificate on top of self-signed certificate
 | Underscore is vulnerable in Guest Portals
 | ERS SDK authentication settings are not disabled via API call
 | 31p5 : App server and API gateway service do not run
 | ENH: ISE with Twilio MessagingServiceSid for SMS gateway
 | No Replication Stopped Alarm triggered
 | Create a nested endpoint group using ERS API
 | Fail to import Internal CA and key from ISE 2.7P2 to 3.0
 | ERS SDK network device bulk request documentation is not correct
 | CIAM: openssl 1.0.2n
 | Unable to download rest-id-store from Download Logs on GUI
 | PGA memory used by the instance exceeds PGA_AGGREGATE_LIMIT on MNT node
 | NetworkSetupAssistance.exe digital signature certificate expired in BYOD flow using Windows SPW
 | Hourly cron should clean up the cached buffers instead of 95% memory usage
 | Unable to add quotation character in TACACS authorization profile
 | High CPU Utilization when Agentless Posture is configured
 | Passive Easy Connect does not work in ISE with Dedicated MnT nodes
 | High Operations DB Usage Alarm percentage need to be configurable.
 | Metaspace exhaustion causes crashes on ISE node
 | Stored Cross-Site Scripting vulnerability
 | ISE 3.1 Patch 3 is unable to import endpoints from csv file if SAML is used
 | Context Visibility Endpoints and NADs from an existing deployment are not removed after restore operation
 | PxGrid publishing changed for accounting stop
 | Unable to download a created support bundle from GUI when logging in using the format DomainName\UserName
 | TLSv1.1 enabled on port 8084
 | RMQForwarder thread to control based on hardware appliance in platform.properties on 2.7 p7
 | PRA failover
 | ISE send SXP MSG size and 4096 bytes in SXP Version 4
 | Queue Link Errors "Unknown CA" when utilizing third-party signed certificate for IMS
 | ISE 3.0: Admin access is allowed for ISE GUI with secondary interfaces GigabitEthernet 1 and Bond 1
 | 3.2:Maxscale: PPAN application server stuck at initializing state
 | Auth Step latency for policy evaluation due to GC activity
 | ISE 3.0 does not save SCCM MDM server object with new password, works when new instance is used
 | Inconsistent IP to SGT mapping after several re-authentication attempts when VN value changes
 | ISE 3.1: Error while creating network device groups through REST API
 | ISE detects large VMs as Unsupported
 | Cross-Site Scripting vulnerability
 | ISE 3.1 ERS call /ers/config/sgmapping/{id} does not return SGT value for custom SGTs
 | Interface feature insufficient access control vulnerability
 | ISE 3.1: Context visibility endpoint authentication tab does not show data
 | Command injection vulnerability
 | GUI does not validate default value while adding custom attributes
 | ISE 3.1 REST API typo in SNMP password parameters
 | ISE 3.2 displays the error: "TypeError: Cannot read properties of undefined (reading 'attr')"
 | Unable to add SSH/SFTP to hosts w/ newer HostKey algorithms (e.g. rsa-sha2-512)
 | CIAM: jackson-databind 2.9.8
 | Disable temporary MNT persona on upgraded node fails in split upgrade
 | CIAM: openssl upgrade to 1.0.2ze and 1.1.1o
 | Save button for SAML configuration grayed out
 | ERS validation error - mandatory fields missing: [validDays]
 | Health check and full upgrade precheck times out when third party CA certificate is used for admin
 | MAC - CSC 5.0554 web deployment packages fail to upload
 | Guest redirect with Auth vlan no longer works on ISE 3.1
 | Sec_txnlog_master table should be truncated post 2M record count
 | All nodes thrown OUT_OF_SYNC as a result of incorrect cert expiry check
 | containerd.io RPM package openssl 1.0.2r CIAM CVE-2021-23841 + others
 | Precheck may get timed out with optimistic locking failed in ise-psc.log on ppan
 | Cross-site scripting vulnerability
 | Stored cross-site scripting vulnerability
 | Supported HTTP methods are visible
 | PUT operation failure with payload through DNAC to ISE (ERS)
 | ISE RADIUS and PassiveID session merge
 | Add serviceability and fix "Could not get a resource since the pool is exhausted" error on ISE 3.0
 | Latency observed during query of Session.PostureStatus
 | "Invalid Length" TACACS auth failures within Live Logs for non-TACACS traffic
 | Change Configuration Audit Report does not clearly indicate SGT create and delete events
 | EAP-TEAP with EAP-TLS unable to match condition that has "CERTIFICATE.Issuer - Common Name"
 | Schema upgrade fails while modifying constraints for 3.1 and 3.2.0.804 upgrade
 | ISE 3.1 GUI does not load post login
 | LSD is causing high CPU
 | Profiler should ignore non-positive RADIUS syslog messages for forwarding from default RADIUS probe
 | Device administration using RADIUS does not consume base license
 | SSH from ISE to FIPS enabled device does not work
 | Using "Export Selected" under Network Devices aborts to login screen with more than x selections
 | ISE configuration backup fails due to SYS_EXPORT_SCHEMA_01
 | Scheduled backup failure when ISE indexing engine backup fails
 | ERS API does not allow for use of minus character in "Network Device Group" name.
 | ISE 3.0 NFS share stuck
 | Changing Parent Identity Group name breaks authorization references
 | ISE AD Connector fails during join operation
 | CSV NAD import is rejected if += characters are at the beginning of the RADIUS shared secret
 | ISE abruptly stops consuming passive-id session from a 3rd party Syslog server
 | ISE 3.2 ERS POST /ers/config/networkdevicegroup fails - broken attribute othername/type/ndgtype
 | Sponsor portal breaks after removing endpoint groups.
 | CIAM: rpm 4.11.3 CVE-2021-20271
 | ISE 3.1 Services auto restart fails with an internal error during IP address change in eth 1
 | TACACS responses are not sent sometimes with single connect enabled
 | "The phone number is invalid" when trying to import users from csv file.
 | TrustCertQuickView giving the same info for all trusted certificates
 | SAML flow with loadbalancer fails due to incorrect token handling on ISE
 | ANC COA is sent to the NAS IP address instead of the device IP address
 | Repository name is not updated on export summary page after renaming.
 | My Devices portal does not open after reloading the node unless CRUD is done
 | Certificate signing request should not be case sensitive
Open Caveats in Cisco ISE Release 3.0 - Cumulative Patch 7
There are no open caveats in Cisco ISE Release 3.0 Patch 7.
Resolved Caveats in Cisco ISE Release 3.0 - Cumulative Patch 6
Identifier | Headline
---|---
 | CIAM: sqlite 3.7.17
 | Cisco ISE PSN nodes crash due to incorrect cryptoLib initialization
 | 64-character limit is too small to accommodate external user identities, such as user principal name
 | CIAM: unixodbc 2.3.0
 | backup-logs using public key encryption on the ISE CLI does not allow for capture of core files
 | When Essential license disabled on ISE GUI, smart licensing portal not reporting license consumption.
 | ISE-PIC not forwarding live sessions beginning with special characters
 | ISE allowing user to change admin password without validating current password
 | ISE must avoid sending Empty Cisco AV-Pairs in access-accept packets.
 | Threads getting exhausted post moving to latest patches where nss rpm is updated (Only 3.0p5&2.7p7,3.1P1
 | ISE 2.7 EST service not running and CA service stuck in initializing state after installing P5
 | ISE 2.7:Authentication success settings shows success/success url
 | ISE Can login to GUI with disabled shadow admin accounts with external identity source.
 | CIAM: samba 4.8.3
 | RMQ TLS syslogs related to internal docker ip 169.254.2.2 are sent to Audit logs
 | REST ID is fetching the groups from Cloud once the connector settings page is opened
 | Cisco Identity Services Engine Assessment of CVE-2021-4034 Polkit
 | new objects don't exist in condition studio
 | CIAM: cyrus-sasl 2.1.27
 | Get-By-Id server sequence, returns empty server list after first change made on the sequence via GUI
 | Reports are unusable due to mishandling fields with multiple values
 | Sponsor Portal admin unable to create random guest accounts 60mins/1hr duration or less
 | DNA Center - ISE Integration: ISE shows an old DNAC certificate for pxGrid endpoint
 | 3.1:Maxscale: Core generated by /opt/CSCOcpm/prrt/diag/bin/diagRunner start
 | NTP Sync Failure Alarms with more than 2 NTP Servers Configured.
 | Session Directory Write failed, SQLException: String Data right truncation on ISE3.0P4
 | CIAM: jszip 2.5.0
 | High Latency observed for Tacacs+ requests with date time condition in authorization policies
 | ISE 3.1 : Special character in attributes not supported
 | ISE replacing pxgrid cert when generating ISE internal CA
 | IP-SGT mapping does not link with new network access device group.
 | CIAM: libpng 1.6.20
 | CIAM: net-snmp 5.7.2
 | guest users (AD or internal) can't delete/add their own devices on specific node
 | CSV NAD import is rejected due to special symbol @ at the beginning of RADIUS shared secret
 | Fix for CSCvu35802 breaks AD group retrieval with certificate attribute as identity in EAP-Chaining
 | ISE 3.0 P5: Unable to login into GUI of MnT nodes using RSA 2FA in distributed deployment.
 | ISE API add user operation with long custom attribute string takes 4min using Curl
 | ISE 3.1 Guest Username/Password Policy is not modifiable
 | Multiple runtime crashes seen due to memory allocation inconsistency
 | AD security groups cannot have their OU end with dot character on Posture Policy
 | Duplicated column "Failure Reasons" in RADIUS Authentications Report
 | 3.0P6 : system summary not getting updated post Patch RollBack and Patch Install
 | $ui_time_left$ variable showing wrong duration
 | Pingnode call causing App server to crash (OOM exception) during CRL validation
 | Posture Firewall remediation action unchangeable
 | After fixing failed pre-upgrade check, proceed button still not available
 | Last 7 days filter not working in Reports
 | Unable to enter ipv6 address for on-prem SSM server
 | Attribute value dc-opaque causing issues with Live Logs.
 | CIAM: nss 3.44.0
 | Max Sessions not Being Enforced with EAP-FAST-Chaining--ISE
 | Guest portal registration page gives "error loading page" when email address contains apostrophe
 | Multiline issues for Guest SMS notification under ISE Portal
 | ISE 3.0 & 3.1: Device Admin License alone should allow access to all TACACS required menu's
 | nextPage field is missing from the json response of API 'GET /ers/config/radiusserversequence'
 | Unknown NAD and Misconfigured Network Device Detected Alarms
 | CIAM: perl 5.16.3
 | Need to handle Posture expiry when 8 octet MAC is present in endpoint on the deployment node
 | CIAM: glib 2.56.4
 | Missing PermSize attribute on sysodbcini file
 | EP stuck in posture unknown Not able to find session in LSD by MAC
 | ISE is not sending $mobilenumber$ value in the SMTP API body
 | ISE Smart Licensing Authorization Renewal Failure: Details=Invalid response from licensing cloud
 | Deleted Root Network Device groups are still referenced in the Network Devices exported CSV Report
 | CIAM: jspdf 2.3.0
 | CIAM: openjdk - multiple versions
 | Need hard Q cap on RMQ in 3.x
 | Spring Hibernate TPS upgrade (hibernate 5.5.2, Spring 5.3.8)
 | ODBC Behavior Failover Issues
 | Unable to restore CFG backup from linux SFTP repository if the file owned by a group name w/ space
 | Config backup fails due to "EDF_DB_LOG"
 | Existing routes are not installed in routing table after MTU change
 | ISE Conditions Studio - Identity Groups Drop-down limited to 1000
 | CoA was not initiated on ISE for switches for which matrix wasn't changed, hence Policy sync failed
 | Location of "Location" and "Device Type" exchanging every time clicking Network Devices > Add
 | Default domain configuration in Passive-Syslog provider does not work in ISE 3.1
 | ISE 3.X: Invalid Characters in External RADIUS Token shared Secret.
 | upgrade External Radius server List not showing up after migration to 3.0
 | ISE Queue Link Error: Message=From Node1 To Node2; Cause=Timeout in NAT'ed deployment
 | ISE 3.1 Patch 1 : SSH : FIPS : error: Xkey_sign: invalid digest
 | T+ ports (49) are still open if disable Device admin process under deployment page
 | application server stuck initializing after installing p5 or p6 due to missing table
 | SNMP config set on the N/w device, a delay of 20seconds is introduced while processing SNMP record
 | ISE - Invalid character error in Admin Groups
 | ISE 3.1: Unable to delete endpoint identity group created via REST API when setting no description.
 | Deployment-RegistrationPoller causing performance issues on PAN node with 200+ internal certificates
 | CIAM: kafka CVE-2019-12399
 | From address to send email is invalid if it does not end with .com or .net
 | ISE Configured with 15 Collection Filters Hides the 15th Filter
 | Optimize bouncy-castle class to improve performance on PAN
 | Improvement to logs needed with Conflict handling SGT-IP mapping w/VN
 | PLR returned upon 3.0P5 -> 3.0P3
 | Context Visibility broken after restore of backup ISE 3.0 P4
 | Inaccurate dictionary word evaluation for passwords
 | hotpatch.log needs to be included in support-bundle
 | Guest Portal's Button's text element is causing words to be repeated for Apple VoiceOver
 | DST/TZ update should happen automatically
 | SCM js files browser download during admin login
 | ISE 3.0 AD User SamAccountName parameter is null for user session
 | ISE Queue Link Error : Cause=Timeout due to 169.254.2.0/25 in ISE iptables
 | ISE 3.0: Unable to edit PAN Auto Failover alarms
 | Sorting internal users based on User Identity Groups doesn't work in Identity Management->Identities
 | ISE pxGrid Exceptions should have ERROR log level instead of DEBUG
 | ISE 3.0p2- Monitor All setting displays incorrectly with multiple matrices and different views
 | ISE is adding extra 6 hours to nextUpdate date for CRL
 | Unsafe Characters in T+ Commands Stored in Hex Numeric Character References
 | AD security groups cannot have their OU end with dot character on Client Provisioning Policy
 | Unable to edit or remove Scheduled Reports if Admin who created them is no longer available
 | Inconsistent sorting on ERS API(s) for endpoint group
 | CIAM: dom4j 1.6.1
 | Getting 400 Bad Request while enabling the Internal User with external password type using Rest API.
 | ISE 3.0 : APIC Integration : Failed to create secGroup
 | Application server restart on all nodes after changing the Primary PAN Admin certificate
 | CA initializing on PAN, Root CA regeneration fails with "no message defined" error
 | Inconsistent sorting on ERS API(s) for identity group
Open Caveats in Cisco ISE Release 3.0 - Cumulative Patch 6
Identifier | Headline
---|---
 | Formatting of the Open New Case window is not correctly displayed.
New Features in Cisco ISE Release 3.0 - Cumulative Patch 5
Microsoft Intune Integration Changes Due to Microsoft Graph Updates
Microsoft is deprecating Azure Active Directory (Azure AD) Graph and will not support Azure AD Graph-enabled integrations after June 30, 2022. You must migrate any integrations that use Azure AD Graph to Microsoft Graph. Cisco ISE typically uses the Azure AD Graph for integration with the endpoint management solution Microsoft Intune.
For more information on the migration from Azure AD Graph to Microsoft Graph, see the following resources:
Cisco ISE Release 3.0 Patch 5 supports Microsoft Intune integrations that use Microsoft Graph. To avoid any disruption in the integration between Cisco ISE and Microsoft Intune, update your Cisco ISE to Cisco ISE Release 3.0 Patch 5. Then, before June 30, 2022, update your Cisco ISE integration in Microsoft Azure to use Microsoft Graph instead of Azure AD Graph. In Cisco ISE, you must also update the Auto Discovery URL field of your Microsoft Intune integrations: replace https://graph.windows.net<Directory (tenant) ID> with https://graph.microsoft.com.
See Connect Microsoft Intune to Cisco ISE as a Mobile Device Management Server for more information on the configuration steps.
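Before the cut-over date, a deployment with several MDM server entries benefits from a quick audit of which Auto Discovery URLs still point at the retired Azure AD Graph host. The following Python script is an added example and is not Cisco code or part of Cisco ISE: it assumes you have already exported the MDM server names and their Auto Discovery URLs into a list of dictionaries (the export mechanism and the field names `name` and `auto_discovery_url` are assumptions), compares the hostname exactly rather than by substring so that a look-alike host is not misreported, and proposes the replacement URL from the release note. The sample entries and tenant ID are constructed placeholders.

```python
"""Audit exported Cisco ISE MDM server settings for Azure AD Graph Auto Discovery URLs.

Added example, not Cisco code. Input format (list of dicts with 'name' and
'auto_discovery_url') is an assumption standing in for your own export.
"""
from typing import Optional
from urllib.parse import urlparse

DEPRECATED_HOST = "graph.windows.net"            # Azure AD Graph, unsupported after June 30, 2022
CURRENT_HOST = "graph.microsoft.com"             # Microsoft Graph
REPLACEMENT_URL = "https://graph.microsoft.com"  # value the release note says to configure


def classify_auto_discovery_url(url: str) -> str:
    """Return 'deprecated', 'current' or 'unknown' for one Auto Discovery URL.

    The hostname is extracted with urlparse and compared exactly (case-folded),
    so 'graph.windows.net.example.test' is not mistaken for the real host.
    A URL typed without a scheme is treated as https so the host still parses.
    """
    url = url.strip()
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    if host == DEPRECATED_HOST:
        return "deprecated"
    if host == CURRENT_HOST:
        return "current"
    return "unknown"


def suggest_migration(url: str) -> Optional[str]:
    """For a deprecated URL return the replacement; the tenant-ID path segment
    that Azure AD Graph required is dropped, because the Microsoft Graph
    replacement given in the release note carries no path."""
    if classify_auto_discovery_url(url) == "deprecated":
        return REPLACEMENT_URL
    return None


def audit(servers):
    """Return one (name, status, replacement_or_None) tuple per MDM server entry."""
    report = []
    for server in servers:
        url = server["auto_discovery_url"]
        report.append((server["name"], classify_auto_discovery_url(url), suggest_migration(url)))
    return report


# Constructed sample input; the tenant ID is a placeholder, not a real directory.
SAMPLE_SERVERS = [
    {"name": "intune-prod", "auto_discovery_url": "https://graph.windows.net/00000000-0000-0000-0000-000000000000"},
    {"name": "intune-lab", "auto_discovery_url": "https://graph.microsoft.com"},
    {"name": "other-mdm", "auto_discovery_url": "https://mdm.example.test/discover"},
    {"name": "lookalike", "auto_discovery_url": "https://graph.windows.net.example.test/x"},
]

if __name__ == "__main__":
    for name, status, replacement in audit(SAMPLE_SERVERS):
        line = f"{name:12} {status:10}"
        if replacement:
            line += f" -> set Auto Discovery URL to {replacement}"
        print(line)
```

Only entries classified as `deprecated` need the field change; `unknown` entries are other MDM vendors or typos and are reported so you can inspect them by hand rather than being silently skipped.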
Resolved Caveats in Cisco ISE Release 3.0 - Cumulative Patch 5
Caveat ID Number | Description
---|---
 | MnT log processor is not running because collector log permission is denied
 | Replace "black list/blacklist" and "white list/whitelist" with appropriate terms in all ISE Syslogs
CSCvz77905 | Cisco Identity Services Engine RADIUS Service Denial of Service Vulnerability
 | ISE 3.0 BH : TACACS live logs do not give an option to select Network Device IP
 | ISE-2.x: Intune MDM Alarm for connectivity || 401 Unauthorized
 | DOC: unknown maximum time difference between ISE system time and OCSP response. Update of OCSP response
 | Updated fields list for PUT on /erc/config/authorizationprofile/{id} is usually empty
 | CIAM found poi vulnerable
 | 3.0P2:Accounting Report Export is taking more time to complete
 | CIAM: screen 4.1.0 CVE-2021-26937
 | Inconsistency between ISE syslog level and message level
 | DOC: Agentless posture documentation requirements for Windows is incorrect
 | TCP port 19444 is open only on ISE 3.0
 | EAP-chaining authorization fails as machine authentication flag is incorrectly set to "True"
 | Certificate Validation Syslog Message Sent During Specific Certificate Audits--ISE
 | DOC: ISE: SAML certificate shouldn't be removed from ISE deployment
 | ISE Document Bug: Agentless and Temporal Posture Limitations : explanation incomplete
 | CIAM: nettle 3.4.1
 | ISE 2.7 Patch 4 pxGrid Services -> All Clients ends up with java.lang.NullPointerException
 | Cisco Identity Services Engine XML External Entity Injection Vulnerability
 | Incorrect Posture Compound Condition Hotfixes
 | Enabling cookies for POST /ers/config/internaluser/ causes Identity Group(s) does not exist error
 | ISE: DST Root CA X3 Certificate Authority - Expires by 30 Sep 2021 ( within 90 days )
 | ISE restore popup menu displays wrong text
 | Session cache needs to be updated during EAP chaining flow to handle relevant identities
 | Changing log level of log "this update field is earlier than currunet time more than week"
 | PnSLongevity: 3.0P3 observing replication failed error in Longevity testbed
 | "interesting groups" are returned as a SINGLE STRING with an embedded new line
 | ISE GUI stuck at loading if AD group does not exist when using certificate based authorization for GUI access
 | ISE GUI shows all the licenses as Out of Compliance - Smart Licensing
 | VN's are not replicating from Author to Reader
 | Upgrade ISE 3.0 and earlier patches with CiscoSSL 1.0.2za
 | Authentication is not blocked in policy set with TimeAndDate condition for a specific minute of the day
 | ISE: Application server stuck initializing after backup restore due to MDM configuration
 | User unable to generate support bundle
 | ISE Health Check during MDM Validation creates false alarm
 | GET for dacls using /ers/config/downloadableacl does not add the nextPage or previousPage of exist
 | Queue Link Error:WARN:{socket_closed_unexpectedly;'connection.start'}
 | NTP (' - ') source state description missing in ISE CLI
 | ISE reaching out to NTP servers is not defined in configuration
 | Sponsor Permissions are not passed to Guest REST API for "By Name" calls.
 | ISE 3.0 Agentless posture doesn't use domain authentication if same local user exists
 | ISE manage account selection issue
 | ISE using jquery v1.10.2 is vulnerable
 | ISE Documentation Update : Microsoft Intune Integration : Permissions
 | CIAM: jsoup 1.10.3
 | ISE CTS TLSv1.2 Support
 | ISE GUI : net::ERR_ABORTED 404 : /admin/ng/nls/fr-fr/
 | CIAM: bind 9.11.20
 | Cisco:cisco-av-pair AuthZ conditions stopped working
 | The secondary PAN ISE node causes services to restart on Primary PAN node, mismatch on documentation
 | ISE 3.0 checks only the first SAN entry
 | High Active Directory latency during high TPS causes HOL Blocking on ADRT
CSCvz63405 | ISE client pxgrid certificate is not delivered to DNAC
 | ISE 2.7: EndpointPersister thread getting stopped
 | "Add" button under Context Visibility>Endpoints, "Guest" tab gives nullpoint error
 | Full upgrade won't work with patch when CLI repo or disk repo is used
 | Radius reports older than 7 days are empty (regression of CSCvw78289)
 | SMS Javascript customization is not working for SMS Email gateway
 | Local Log Settings tooltip on all fields shows irrelevant and unuseful 'Trust Certificates'
 | Configuration changes to Guest types is not updated in audit reports
 | SNMPv3 COA request is not issued by ISE 2.7
 | CIAM: nss - multiple versions
 | ISE 3.1 : Authentication tab shows blank result in Context Visibility
 | Adding FQDN in discovery host, Discovery host: invalid IP address or host name
 | Agentless Posture not passing AntiMalware check
 | ERS API doesn't allow for use of dot character in "Network Device Group" name or create / update
 | ISE 3.0 Can't deselect the 'location' settings as part of the guest self registration portal
 | ISE 3.0 evaluation expiry error on registered ISE
 | Version pre-check fails for 3.2 full upgrade.
 | ISE unable to fetch the URL attribute value from improper index during posture flow
 | Empty User Custom Attribute included in Authorization Advanced Attributes Settings results in incorrect AVP
 | ISE Health Check I/O bandwidth performance check creates false Alarm
 | Live log/session is not showing the latest data due to "too many files open" error
 | Unsupported message code 91104 and 91105 Alarms
CSCvz88188 | TACACS authorization policy querying for username fails because username from session cache is null
 | Internal users using External Password Store are getting disabled if we create users using API flow
 | Unable to fetch the attributes from ODBC after upgrading ISE to 3.0 patch 3
 | Guest portal does not load if hosted is on a different interface from Gig0
 | Unable to add more than one ACI IP address / hostname when trying to enable ACI integration in ISE
 | All NADs got deleted due to one particular NAD deletion
 | ISE CPP is not loading correctly for some languages
 | Stale sessions observed for TACACS could not find selected service error
 | Could not create Identity User if username includes $
 | Missing IPv4 mappings if sessions have both IPv4 and IPv6 addresses
 | Session service unavailable for PxGrid Session Directory with dedicated MNT
 | Catalina.out file is huge because of SSL audit events
 | ISE 2.7 p 4,5,6 reports error "There is an overlapping IP Address in your device"
 | RCM and MDM flows are getting failed because session cache is not populated
 | KONG is not able to reach postgres which is impacting the ISE GUI access
|
ISE Evaluation log4j CVE-2021-44228 |
Open Caveats in Cisco ISE Release 3.0 - Cumulative Patch 5
| Caveat ID Number | Description |
|---|---|
|  | High latency observed for UDN pxGrid assign Device API |
|  | PLR returned upon 3.0P5 -> 3.0P3 |
Resolved Caveats in Cisco ISE Release 3.0 - Cumulative Patch 4
| Caveat ID Number | Description |
|---|---|
|  | Multiple Vulnerabilities in Apache log4j. |
|  | CIAM: Multiple vulnerabilities in openjdk. |
|  | GRUB2 Arbitrary Code Execution Vulnerability. |
|  | Memory Leak: PKCS11 key store creates memory leak when endpoints are in Cisco ISE. |
|  | Cisco ISE: NTP out of sync after upgrade to Cisco ISE Release 2.7. |
|  | Cisco ISE 3.0 Agentless Posture doesn't install CA certificate chain in endpoint Trusted Store. |
|  | Cisco Identity Services Engine Cross-Site Scripting Vulnerability. |
|  | CTS-SXP-CONN : ph_tcp_close from device to Cisco ISE SXP connection - Hawkeye. |
|  | Cisco ISE Application server crashes or restarts due to cancellation of configuration backup. |
|  | [CFD] User unable to create a guest SSID during Portal Creation step - Cisco ISE is busy error. |
|  | Cisco ISE installation fails with database priming failed error when all-numbers subdomain is used. |
|  | Cisco ISE 2.7 p2 : [ 400 ] Bad Request with SAML SSO OKTA on Apple devices. |
|  | CIAM: cpio 2.12. |
|  | Account used for Cisco ISE AD join may be locked after passive-id service is enabled. |
|  | Cisco ISE: cannot create network device group with name Location or Device Type. |
|  | [400] Bad Request error when refreshing the Mydevice portal. |
|  | Changes to Network Device Groups not reflected in Change Audit Logs. |
|  | Cisco ISE Root CA cannot be regenerated due to Plus License is out of compliance error. |
|  | Update "blacklist portal" to "blocked list portal" everywhere in the ISE UI + code. |
|  | SYSAUX tablespace full despite fix for CSCvr96003. |
|  | High CPU on PSN node - extension of CSCvt34876. |
|  | Unable to change network Device group Name and Description at the same time. |
|  | Generate bulk certificates does not include Cisco ISE self-signed certificate. |
|  | Cisco ISE authorization profiles option gets truncated during editing or saving (Chrome only). |
|  | 3.0P2: Accounting Report Export takes long time to complete. |
|  | Session Directory topic does not update user SGT attribute after a dynamic authorization. |
|  | ERS Self-Registration portal update does not delete fields as expected in PSN. |
|  | In case of a duplicated Radius Vendor ID, any network device change can cause PSN to crash. |
|  | Posture lease breaks for EAP chaining from Cisco ISE Release 2.7. |
|  | Not clearing SessionCache for TACACS AuthZ failures results in high heap usage and auth latency. |
|  | DELETE /ers/config/networkdevicegroup/{id} not working; CRUD exception. |
|  | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability. |
|  | Cisco ISE reports: Top Authorization does not show filter in scheduled reports. |
|  | Cisco ISE Release 3.0 ROPC authentication is failing with non Base64 characters in the password. |
|  | Cisco ISE internal ERS user attempting to authenticate occasionally via external ID store causes REST delays. |
|  | Cisco ISE 2.7P3 sends packet to other node with source address 169.254.2.2 if backup interface is configured. |
|  | MNT REST API for ReAuth fails when used in a distributed deployment (separate MnT). |
|  | Cisco ISE Release 2.6 and Release 2.7 TACACS Reports Advance Filters do not work when matching full numeric ID entries. |
|  | All SXP Mapping not displaying IPv6 mappings learned via Session. |
|  | Cisco ISE Release 3.0 Agentless Posture fails if Cisco ISE admin certificate CN is not equal to FQDN. |
|  | Cisco ISE Release 3.0 Agentless posture breaks if Windows username includes space. |
|  | Authorization profile throws an error if we use some symbols. |
|  | RADIUS Accounting Details Report does not display Accounting Details. |
|  | Special characters previously allowed in the Descriptions field for few objects cannot be used. |
|  | Cisco ISE not accepting more than 6 attributes to be modified in the RADIUS sequence attributes. |
|  | Cisco ISE: "/opt/CSCOcpm/config/cpmenv.sh:line 396:<ipv6>:command not found" error during CLI backup. |
|  | Cisco ISE does not accept name of custom attribute for Framed-IPv6-Address in the authZ profile. |
|  | LDAP groups disappear from Sponsor groups when you make other changes to the options and save them. |
|  | Cisco ISE does not send certificate chain on admin portal. |
|  | Application Server stuck in initializing state due to certificate template curve type P-192. |
|  | Cisco ISE Release 2.3 and later releases do not support "carriage return" <cr> character in command-set. |
|  | TCP port 19444 is open on Cisco ISE Release 3.x. |
|  | Cisco ISE Release 2.7 P3 GUI doesn't show complete device admin Authz policies. |
|  | Updating single custom attribute through ERS request causes deletion of another. |
|  | TACACS custom AV pair as condition in policies is not working. |
|  | Cisco ISE Guest Self-Registration Error for duplicate user when "Use Phone number as username" is enabled. |
|  | Intermittent error on Cisco DNA Center while trying to deploy a policy from Cisco DNA Center. |
|  | Cisco ISE authorization profile ERS update ignores accessType attribute changes. |
|  | Cisco ISE Release 2.7 should display an error when attempting to delete IP default label of NAD on GUI. |
|  | While editing a NAD, the wrong device profile is being mapped. |
|  | Setup wizard password supports hyphen, but after configuration reset through the CLI the wizard no longer supports hyphen. |
|  | Cisco ISE Release 2.4 CoA failure upon endpoint change to a new switch-port and EP IdGroup Remove/Remove-All EP. |
|  | Cisco ISE Release 2.7 Patch 3 ERS call does not accept 3 characters RADIUS shared secret. |
|  | UI: Generate key pair, accepts space but then cannot export key. |
|  | REST API for CoA works with any server IP. |
|  | PassiveID: Configuring WMI with an AD account password that contains a % results in an error. |
|  | Customer fields in guest portal contain & - $ #. |
|  | Cisco ISE internal users are not disabled after they hit the inactivity timer. |
|  | Cisco ISE DACL syntax validator does not comply with ASA's code requirements. |
|  | IPv6 changes the Subnet to /128 when using the duplicate option in the Network Device tab. |
|  | Cisco ISE: Need the Select ALL check box device with or without filter in the NAD page. |
|  | Cisco ISE Guest SAML authentication fails with "Access rights validated" HTML page. |
|  | Chinese characters in First/Last name under Network Access Users are displayed incorrectly as Unicode. |
|  | ISE: DST Root CA X3 Certificate Authority - Expires by 30 Sep 2021 ( within 90 days ) |
|  | Cisco ISE Release 3.0 Device Admin License should only allow access to the Administration > System > Logging menu. |
|  | Possible to choose secondary PAN without Policy persona in NAD, and to send configuration changes to device CoA. |
|  | TACACS report showing duplicate entries due to EPOCH time being null. |
|  | TACACS authentication report shows duplicate entries. |
|  | Endpoints incorrectly profiled as "cisco-router" due to NMAP performing aggressive guesses. |
|  | When upgrading from Cisco ISE Release 2.4 patch 13 to Cisco ISE Release 2.7, if an external RADIUS server is configured, the upgrade process fails. |
|  | Special characters in Banner blocking SFTP repository. |
|  | Cisco ISE Release 2.7 patch 4 unable to upload .json file for Umbrella security profile. |
|  | Platform check fails for Cisco ISE that has disk size more than 1 TB. |
|  | Cisco ISE Release 2.6 Patch 9: default permissions cannot go back to default group Internal after adding a new group. |
|  | Cisco ISE Release 2.7: Failed to add endpoint to group. |
|  | PEAP session timeout value restricted to maximum value 604800. |
|  | Policy engine - enhancements. |
|  | Menu access customization is not working. |
|  | Cisco ISE Release 3.0 TimesTen connection closes when an SQLException is encountered. |
|  | Sponsor user cannot edit data when phone or email fields are filled. |
|  | Cisco ISE Release 3.0 cannot locate REST ID store after services restart. |
|  | Policy change doesn't get pushed to the network device after Cisco ISE failover. |
|  | Reauth issue - Aruba - third-party device. |
|  | Not able to scroll to different pages in Issued Certificates page. |
|  | Reset Password mobile number validation does not satisfy e.164 format. |
Open Caveats in Cisco ISE Release 3.0 - Cumulative Patch 4
There are no open caveats in Cisco ISE Release 3.0 Patch 4.
New Features in Cisco ISE, Release 3.0 - Cumulative Patch 3
Full Upgrade and Split Upgrade Options Added to Cisco ISE GUI
You can select one of the following options in the Administration > System > Upgrade > Upgrade Selection window to upgrade your Cisco ISE deployment:
- Full Upgrade: Full upgrade is a multi-step process that enables a complete upgrade of your Cisco ISE deployment sequentially. This method upgrades all nodes in parallel and in less time than the split upgrade process. The application services are down during this upgrade process because all nodes are upgraded in parallel.
  Note: The Full Upgrade method is supported for Cisco ISE 3.1 and above. For more information about the Full Upgrade method, see Cisco Identity Services Engine Upgrade Journey, Release 3.1.
- Split Upgrade: Split upgrade is a multi-step process that enables the upgrade of your Cisco ISE deployment while allowing services to remain available during the upgrade process. This upgrade method allows you to choose the Cisco ISE nodes to be upgraded in your deployment.
Resolved Caveats in Cisco ISE Release 3.0 - Cumulative Patch 3
| Caveat ID Number | Description |
|---|---|
|  | ISE RADIUS session-timeout value restricted to max 65535 |
|  | Guest remember me radius accounting and access accept not sending guest username |
|  | Unable to see complete list of AD groups when using Scrollbar. |
|  | Receiving Alarms - Account is suspended temporarily due to excessive failed auth |
|  | GNU gettext default_add_message Double-Free Vulnerability |
|  | MIT Kerberos 5 KDC krbtgt Ticket S4U2Self Request Denial of Service ... |
|  | Error when attempting to change ISE-PIC GUI admin user settings |
|  | ISC BIND managed-keys Trust Anchor Denial of Service Vulnerability |
|  | Show running-config fails to complete |
|  | Info-ZIP UnZip File Overlapping Denial of Service Vulnerability CVSS v3.0 Base 7.5 |
|  | cURL and libcurl tftp_receive_packet() Function Heap Buffer Overflow Vulner CVSS v3.1 Base: 9.8 |
|  | cURL and libcurl tftp_receive_packet() Function Heap Buffer Overflow ... |
|  | GNU patch pch_write_line Function Denial of Service Vulnerability |
|  | SSSD Group Policy Objects Implementation Improper Access Control Vulner |
|  | ISC BIND Dynamically Loadable Zones Unauthorized Access Vulnerability |
|  | libssh2 packet.c Integer Overflow Vulnerability CVSS v3.1 Base: 8.1 |
|  | Samba Filename Path Separators Unauthorized Access Vulnerability |
|  | ISE 2.4 p5 crashes continuously around midnight, generating core files. |
|  | glibc LD_PREFER_MAP_32BIT_EXEC Environment Variable ASLR Bypass Vulner |
|  | Live Log and NADs show Anonymous when User Fail Machine Success |
|  | libxml2 xmlParseBalancedChunkMemoryRecover Memory Leak Vulnerability |
|  | Multiple Vulnerabilities in libcurl |
|  | Systemd button_open Memory Leak Vulnerability |
|  | Multiple Vulnerabilities in python |
|  | Posture Condition failed Check vc_visInst_v4_CiscoAnyConnectSecureMobility Client_4_x is not found |
|  | Suspected memory leak in io.netty.buffer.PoolChunk |
|  | In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters wit |
|  | Sponsor group membership being removed when adding/removing AD group |
|  | ISE with DUO as External Radius Proxy drops access-reject |
|  | CIAM: batik 1.7 |
|  | CIAM: cups 1.6.3 |
|  | CIAM: ksh |
|  | CIAM: libssh |
|  | CIAM: perl 5.14.1 |
|  | CIAM: procps 3.3.10 |
|  | CIAM: python (version 2.7.5, 2.7.14 & 3.7.1) |
|  | CIAM: vim 7.4.160 |
|  | Update "blacklist portal" to "blocked list portal" everywhere in the ISE UI + code |
|  | Posture fails when primary PSN/PAN are unreachable |
|  | Replace "blacklist" with "blocked list" across all authentication and authorization rules/profiles |
|  | CIAM: d-bus 1.10.24 |
|  | Certificate chain is not sent on the portal |
|  | Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
|  | CIAM: libjpeg & libjpeg-turbo |
|  | Session Cache for dropped session not getting cleared; causing High CPU on the PSNs |
|  | Max Sessions Limit is not working for Users and Groups |
|  | Invalid objects in Database |
|  | ISE customer could not see the guest identity in the DNAC Assurance page |
|  | ISE 2.4 While renewing ISE cert for HTTPS, EAP, DTLS, PORTAL, only PORTAL and Admin roles get applied. |
|  | DNA ACA SG Sync Fails with JDBCException: could not prepare statement |
|  | Live session details report shows incorrect Authorization profile and policy for VPN Posture scenario |
|  | Livelog sessions show incomplete Authorization policy for VPN Posture scenario |
|  | NFS Repository is not working from GUI |
|  | Generate self-signed certificates and CSR default params do not correspond to pre-installed cert |
|  | Internal CA Certificate Not Getting Deleted When Node Is Removed From Deployment |
|  | Error storing the running-config leads to loss of startup config |
|  | TrustSec enabled NADs not showing in TrustSec Matrices when NDG column exceeds 255 characters. |
|  | [CFD] Mapped SGT entry cleared from AuthZ Rules on ISE if SG name is modified in Cisco DNA Center |
|  | Heap Dump generation fails post reset-config of ISE node |
|  | ISE Hotspot guest portal broken flow |
|  | Authentication summary report gets stuck if the total records are more than 5M |
|  | ISE SXP should have a mechanism to clear stale mappings learned from Session |
|  | ISE adding the ability to use a forward slash in the IP data type of internal user custom attribute |
|  | Unable to Create unique community string for different SNMP servers |
|  | Proxy bypass settings do not allow uppercase characters |
|  | Memory Leak: PSN rmi GC collection not working properly causing memory leak in passive id flow |
|  | ISE 3.0 REST ID Process failed action used too often |
|  | Domain doesn't get assigned to sxp peer |
|  | Cisco Identity Services Engine Untrusted File Upload Vulnerability |
|  | ISE not consuming plus license when using local or global exceptions |
|  | ISE 3.0 REST ID log file not included in support bundle |
|  | ISE constantly requesting internal "Super Admin" users against external RADIUS token server. |
|  | Bulk certificate generation failed with 'An unexpected error occurred' message after RMA'd pPAN |
|  | ISE generating CSR with hostname-x in SAN gives an error |
|  | Need DigiCert Global Root G2 in CTL for ROPC |
|  | REST error in ropc.log should include the endpoint URL |
|  | Policy set not saving if any authz rule has only security group but no authz profile |
|  | Memory Leak: High allocation by CAD_ValidateUser during PassiveID stress |
|  | WebUI restore not working in IE11 |
|  | ISE 3.0 shows "PxGrid disabled" when you open PxGrid Services menu in new window |
|  | ISE 2.6p3 Adding Double Slash "//" in File Path with SFTP Servers |
|  | [CFD] ACA Sync broken - "Error occurs during migration: Waiting for Sync Runtime timed out" |
|  | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability |
|  | Unable to load Context Visibility page for custom view in ISE 2.7p2 |
|  | ISE Config Restore fails at 40% with error "DB Restore using IMPDP failed" |
|  | Replace Keyword kong in ISE Admin Web UI and CLI to API GW |
|  | ISE admin/portal Login with Chrome 85/86 could show error Oops. Something went wrong. |
|  | Memory leak after adding AD Groups for passive-id flow |
|  | Sponsor is unable to display the list of created guest users when accessing portal with his User ID. |
|  | Posture does not work with dynamic redirection on 3rd party NADs |
|  | GNU.org bash rbash BASH_CMDS Modification Privilege Escalation Vulnerab |
|  | Scheduled OPS backups not being triggered after PMNT reload |
|  | Pushing IP to SGT mapping from ISE to switch doesn't work if default route is tagged |
|  | Editing external data source posture condition always shows the wrong AD |
|  | NAD Location is not updating in Context Visibility ElasticSearch |
|  | ISE 2.6 p5 Agent marks DC as down if agent service comes up before windows network interface |
|  | Authorization Profiles showing "No data available" after NAD profile deleted |
|  | pxGrid ANC applyEndpointPolicy does not handle all MAC address formats correctly |
|  | Purging not purging endpoints due to an exception |
|  | Cisco Identity Services Engine Untrusted File Upload Vulnerability |
|  | ISE TACACS logging timestamp shows future date |
|  | ISE 3.0 not importing certificates missing CN and SAN into Trusted Certificate Store |
|  | DOC: ISE: Need to include OVA Template reservations table in ISE 2.7 Installation guide |
|  | NADs shared secrets are visible in the logs while using APIs |
|  | Internal User custom attributes are not sent in CoA-Push |
|  | SAML groups do not work if they are applied in the Sponsor Portal Groups |
|  | ISE MNT Live Session status is not changing to Postured in VPN use case |
|  | Scheduled operational backup stuck at "Backup is in progress..." |
|  | GUI Not Accessible After Applying IP Access Restrictions |
|  | ISE Service Account Locked and WMI not established due to special characters in password |
|  | ANC CoA not working as ISE uses hostname for internal calls |
|  | SBET: Exception w.r.t Repository in ise-psc.log while loading Backup & Restore page. |
|  | Functional: Guest portal creation failure with ISE 3.0 |
|  | ISE 3.0 Syslog provider cannot apply configuration |
|  | Same Identity Group created multiple times and shown in UI when sent via ERS REST API |
|  | Cisco ADE-OS Local File Inclusion Vulnerability |
|  | SNMPv3 \| ISE is not processing gathered SNMP information for endpoint : String index out of range: 8 |
|  | API IP SGT mapping not returning result for [No Devices] |
|  | No TACACS Command Accounting Report for third party device with a space before TACACS command |
|  | CoA-disconnect is not issued by ISE for Aruba WLC once grace access expires |
|  | AD security groups cannot have their OU end with dot character on RBAC policies |
|  | ISE Live Session Postured session is moving to Started upon Interim Update |
|  | ACI endpoint livelog stuck on 'loading' without showing any information |
|  | SB should collect Hibernate.log |
|  | ISE does not display Full Authorization Rules if it has 50 rules or more in Japanese GUI |
|  | ISE fails to send CoA from PSNs with "Identifier Allocation Failed" error |
|  | GNOME GLib file_copy_fallback Function Improper Permission Vulnerability |
|  | XStream before version 1.4.15 multiple vulnerabilities |
|  | Heap buffer overflow in Freetype CVE-2020-15999, CVE-2018-6942 |
|  | Moment Module Date String Regular Expression Denial of Service Vulnerab |
|  | In js/parts/SvgRenderer.js in Highcharts JS before 6.1.0, the use of ... |
|  | Multiple Vulnerabilities in c3p0 |
|  | Multiple Vulnerabilities in glibc |
|  | ISE Policy Evaluation : RADIUS requests dropped after deleting policy sets |
|  | Restore Process: All Processes need to be stopped before dropping schema Objects |
|  | ISE 3.0 policy condition studio GUI bug |
|  | CIAM found mariadb vulnerable |
|  | CIAM: go 1.12 CVE-2019-9634 and others |
|  | Doc: lack of documentation for ISE 3.0 on syslog categories |
|  | RADIUS server sequence gets corrupted after selected external servers list was changed |
|  | CIAM found jspdf vulnerable |
|  | ISE incorrect number for the TOTAL field |
|  | Guest user is created with incorrect lifetime |
|  | "All SXP Mapping" table contains terminated sessions on ISE |
|  | NTP sync failure alarms are not relevant and need changing |
|  | CIAM: libssh2 CVE-2019-17498 and others |
|  | CIAM: libcurl CVE-2016-8622 and others |
|  | CIAM: json-sanitizer 1.2.0 CVE-2020-13973 |
|  | MNTHA: MNT node name set to NULL when IP access enabled. |
|  | HotSpot Guest portal displays Error Loading Page when passcode field contains special characters |
|  | Dot1x authentication failed due to duplicate manager: add=false |
|  | CWE-20: Improper Input Validation for Create Node Group |
|  | Auth Passed live logs are not seen when using a profile name with more than 50 characters |
|  | "Radius Authentication Details" Report takes time when IMS (ISE Messaging Service) is disabled |
|  | ISE 2.6/2.7 Sorting based on username doesn't work in User Identity Groups |
|  | ISE 3.0 TACACS+ Endstation Network Conditions scrollbar not working |
|  | Authz profile CWA option doesn't work correctly with some network device profiles |
|  | ISE: Configuration Audit detail does not show which Policy Set was modified |
|  | TACACS+ N/W cond and PORT N/W condition scrollbar is not working |
|  | Live session is not showing correct active session |
|  | ISE 2.4 p13 breaks AD Authorization lookup for MAB authenticated endpoints |
|  | MAB authentication via Active Directory passes with AD object disabled |
|  | DB Clean up hourly cron acquiring DB lock causing deployment registration failure |
|  | For PKI-based SFTP, exporting GUI key for MnT node is only possible when it is promoted to be PAN |
|  | RBAC rules not enforced in 2.7 |
|  | ISE 2.4 patch 8 Unable to edit, duplicate or delete guest portals. |
|  | iPod not shown as an option in ISE BYOD portal |
|  | External MDM server (Microsoft_intune), change in Polling interval not taking effect |
|  | Static policy and group assignment is lost from EP when updating custom attributes from API |
|  | Internal user export feature gives no error with invalid character in password |
|  | ISE RBAC - adding a network device gives an error "Unable to load NetworkDevices" |
|  | ACI learned mappings do not show up in pxGrid bulk download |
|  | Admin access with certificate based authentication can be bypassed by going directly to login.jsp |
|  | ISE 2.7: Context Visibility: all shards failed when sorting endpoint Applications by Running process |
|  | ISE remains in eval expire state even after registering with smart Licensing |
|  | CIAM: json-sanitizer 1.2.0 CVE-2021-23899 and others |
|  | Upgrade flow via CLI from 2.7 P3 to 3.1.236 failed with certificate issue for multinode deployment |
|  | Health Checks: DNS Resolvability: False failures with ISE FQDN as CNAME (alias) |
|  | Health Checks: Disk space: insufficient failure info |
|  | Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021 |
|  | ISE "ipv6 address autoconfig" gets removed when changing IP address of bond interface |
|  | ISE 3.0 GUI certificate authentication - unsupported certificate purpose |
|  | Add IdenTrust Commercial Root CA 1 Certificate to ISE truststore |
|  | Authorization Should Look Up MAC address in Format Configured in ODBC Stored-Procedures Page |
|  | Support Bundle does not capture ise-jedis.log files on ISE 2.7 and newer versions |
|  | ISE 2.7 : On Re-creating Root CA, Jedis DB connection pool is not re-created |
|  | NetworkAccess:Authentication Method conditions not matching in Policy Set entry evaluation |
|  | TC-NAC services not running after unexpected power event |
|  | Paging from Azure AD is not implemented on ROPC |
|  | ISE Health Check Platform Support should update the UI directly with results |
|  | SGA value Under-Provisioned for SNS3515 running all personas on same node |
|  | Error 400 While authenticating to Sponsor portal with Single Sign-on/Kerberos User. |
|  | Sponsor portal gives "Invalid Input" if the "mobile number" field is unchecked in portal settings |
|  | Unable to get all tenable adapter repositories with Tenable SC 5.17 |
|  | No login fail log when using external username with Wrong Password |
|  | Receiving acct stop without NAS-IP address keeps session in started state |
|  | ISE AD runtime should support rewriting a1-a2-a3-a4-a5-a6 to a1a2a3a4a5a6 |
|  | ISE 2.4 CoA failure upon endpoint change to a new switch-port and Endpoint Identity Group change |
|  | In EAP chaining scenario, posture policy failed to retrieve machine AD group membership. |
|  | ISE not mapping AMP events correctly for new endpoints |
|  | Memory leak on TACACS flow |
|  | CIAM: bind - multiple versions CVE-2020-8625 |
|  | Add IdenTrust Commercial Root CA 1 Certificate for Smart Call Home and Smart Licensing |
|  | Add IdenTrust Commercial Root CA 1 Certificate for Network Success Diagnostics |
|  | NIC bonding prevents MAR Cache replication |
|  | ISE 3.0 Authorization policy conditions are not correctly formatted |
|  | Network Devices > Default Device page requires PLUS license to allow config |
|  | TrustSec policy matrix allows limited scrolling in ISE 3.0 |
|  | isedailycron temp1 tracking is causing delay in AWR reports |
|  | User can select only one option, either full upgrade or split upgrade, at a given time. |
|  | Top N Authentication by Network Device details not showing |
|  | With PLR, Profiler Online Updates error : Failed to get License file data : null |
|  | ISE Log Collection error "Session directory write failed" |
|  | ISE not updating the Json file info into the AnyConnect output config file |
|  | "Invalid phone number format." on Mobile devices using the country-code drop-down |
|  | PnSLongevity: Deployment went out of sync due to unavailability of db connections |
|  | ISE doesn't accept % in EXEC or Enable Mode password under configuration deployment of Adv Trustsec |
|  | REST auth Service will be disabled if backup interface configured |
|  | ISE 2.7 \| Emails sent for all system alarms even when there is no email address configured |
|  | Qualys integration is failing with ISE |
|  | Internal user inactivity timer doesn't get updated due to login letter case |
|  | ISE can't handle deletion/addition of SXP-IP mappings propagation due to race condition |
|  | Smart license de-registration flow is not working in ISE and ISE-PIC |
|  | The instruction box should be removed when the login-page message is empty |
|  | UI Issues on TrustSec page |
|  | RADIUS Token Identity Source Prompt vs Internal User prompt for TACACS authentication |
|  | EST service not running on 2.7 p2 and above |
|  | Vulnerabilities fixed in XStream 1.4.16 |
|  | ISE NAD IP definitions using - or * do not perform full IP comparison after patch |
|  | Manual ActiveSession report is empty |
|  | Read-only admin should not be allowed to perform Upgrade |
|  | Remove 3515 from upgrade support |
|  | High CPU seen on PSN nodes from ISE 2.6P3 onwards due to PIP query evaluation |
|  | Unable to update domains to be blocked/allowed via API |
|  | Cisco Identity Services Engine Self Cross-Site Scripting Issue |
|  | ISE REST API returns duplicate values for IP-SGT mappings. |
|  | max-height too small in FF 88 |
|  | Access-Reject if any authz rule has only security group but no authz profile |
|  | AAA requests without Framed-IP value will cause exception in sxp process |
|  | Full upgrade should throw warning if data size is more than 40GB overall |
|  | Delete 'All' function in Context Visibility, shows {0} Endpoint(s) on CAPTCHA popup |
Open Caveats in Cisco ISE Release 3.0 - Cumulative Patch 3
| Caveat ID Number | Description |
|---|---|
|  | PnSLongevity: 3.0P3 Observing replication failed error in Longevity testbed |
New Features in Cisco ISE, Release 3.0 - Cumulative Patch 2
Licensing Methods for Air-Gapped Networks
Cisco ISE Release 3.0 Patch 2 supports the following licensing solution for air-gapped networks:
- Smart Software Manager (SSM) On-Prem Connection Method
  SSM On-Prem is a connection method in which you configure an SSM On-Prem server that manages smart licensing in your Cisco ISE-enabled network. With this connection method, Cisco ISE does not require a persistent connection to the Internet.
See the "Licensing" chapter in the Cisco ISE Administrator Guide, Release 3.0.
DNS Cache
DNS responses for hosts can be cached, thereby reducing the load on the DNS server.
This feature can be enabled in configuration mode using the following command:
service cache enable hosts ttl <ttl>
To disable this feature, use the no form of this command:
no service cache enable hosts ttl <ttl>
The admin chooses the Time to Live (TTL) value, in seconds, for a host in the cache while enabling the cache. There is no default setting for ttl. The valid range is from 1 to 2147483647.
Note
The configured TTL value is honored for negative responses. The TTL value set in the DNS server is honored for positive responses. If there is no TTL defined on the DNS server, then the TTL configured from the command is honored. The cache can be invalidated by disabling the feature.
Business Outcome: Load on the DNS server is reduced.
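To make the TTL precedence in the note concrete, here is an added example (not Cisco ISE code; the HostCache class, its method names and the sample host names are assumptions for illustration) that models the behaviour described: the configured TTL for negative responses, the DNS server's TTL for positive responses, fallback to the configured TTL when the server supplies none, and invalidation of the cache when the feature is disabled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Valid range of the "service cache enable hosts ttl <ttl>" argument, from the release note above.
TTL_MIN, TTL_MAX = 1, 2147483647


@dataclass
class HostCache:
    """Model (an assumption for this example, not ISE code) of the host cache described above."""
    configured_ttl: Optional[int] = None  # None: feature disabled (the "no ..." form of the command)
    # host -> (answer, or None for a negative response; absolute expiry time in seconds)
    entries: Dict[str, Tuple[Optional[str], float]] = field(default_factory=dict)

    def enable(self, ttl: int) -> None:
        """'service cache enable hosts ttl <ttl>': there is no default, so ttl is mandatory."""
        if not isinstance(ttl, int) or not TTL_MIN <= ttl <= TTL_MAX:
            raise ValueError(f"ttl must be an integer in {TTL_MIN}..{TTL_MAX}")
        self.configured_ttl = ttl

    def disable(self) -> None:
        """'no service cache enable hosts ttl <ttl>': disabling invalidates every cached entry."""
        self.configured_ttl = None
        self.entries.clear()

    def effective_ttl(self, answer: Optional[str], server_ttl: Optional[int]) -> int:
        """TTL precedence from the note: negative answers use the configured TTL; positive
        answers use the server's TTL, falling back to the configured TTL only when the
        server supplied none."""
        if self.configured_ttl is None:
            raise RuntimeError("host cache is disabled")
        if answer is None:          # negative response (for example NXDOMAIN)
            return self.configured_ttl
        if server_ttl is None:      # positive response without a TTL from the server
            return self.configured_ttl
        return server_ttl           # positive response: the DNS server's TTL wins

    def store(self, host: str, answer: Optional[str], server_ttl: Optional[int],
              now: float) -> Optional[float]:
        """Cache a resolver result. Returns the expiry time, or None when caching is disabled."""
        if self.configured_ttl is None:
            return None
        expires = now + self.effective_ttl(answer, server_ttl)
        self.entries[host] = (answer, expires)
        return expires

    def lookup(self, host: str, now: float) -> Tuple[bool, Optional[str]]:
        """Return (hit, answer). Expired entries are evicted and reported as a miss."""
        if host not in self.entries:
            return False, None
        answer, expires = self.entries[host]
        if now >= expires:
            del self.entries[host]
            return False, None
        return True, answer


def demo() -> Dict[str, object]:
    """Walk through the rules with constructed sample responses (not real data)."""
    cache = HostCache()
    cache.enable(300)
    # Positive answer carrying a 60 s TTL from the server: 60 s is honored, not 300 s.
    cache.store("radius1.example.test", "10.0.0.11", 60, now=0)
    # Positive answer with no server TTL: the configured 300 s applies.
    cache.store("tacacs1.example.test", "10.0.0.12", None, now=0)
    # Negative answer: the configured 300 s applies.
    cache.store("missing.example.test", None, None, now=0)
    result = {
        "positive_hit_at_59": cache.lookup("radius1.example.test", now=59)[0],
        "positive_miss_at_60": not cache.lookup("radius1.example.test", now=60)[0],
        "no_server_ttl_hit_at_299": cache.lookup("tacacs1.example.test", now=299)[0],
        "negative_hit_at_299": cache.lookup("missing.example.test", now=299)[0],
    }
    cache.disable()  # invalidates the cache
    result["entries_after_disable"] = len(cache.entries)
    return result


if __name__ == "__main__":
    print(demo())
```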
Resolved Caveats in Cisco ISE, Release 3.0 - Cumulative Patch 2
| Caveat ID Number | Description |
|---|---|
|  | Incorrect DNS configuration can lead to TACACS or Radius authentication failure |
|  | ISE should either allow IP only for syslog targets or provide DNS caching |
|  | BYOD certificate provisioning flow failed in macOS 11 |
|  | While renewing ISE certificate for HTTPS, EAP, DTLS, PORTAL, only PORTAL and Admin roles get applied |
|  | Context Visibility shows incorrect Authorization profile and policy for VPN Posture scenario |
|  | Device admin service is getting disabled while updating TACACS configuration |
|  | When RADIUS Shared Secret is missing for ISE_EST_Local_Host, ISE application server goes to initializing state |
|  | Context Visibility CSV exported from CLI not showing IP addresses |
|  | ISE 2.6/2.7 Repositories get deleted post ISE node reload |
|  | Suspended Guest User is not automatically removed from Endpoint Group |
|  | ISE 3.0 Health Check License validation false Alarm |
|  | Smart Licensing Entitlement Tab gets stuck at "Refreshing" if there is connection failure |
|  | Not throwing error for IP overlap case |
|  | Passive ID is not working stably with multi-connect syslog clients |
|  | Enabling Essentials licenses only blocks access to Network Devices tab add/modify |
|  | ISE does not display Full Authorization Rules if it has 50 rules or more in Japanese GUI |
|  | ISE 3.0 Evaluations Specs to be pulled from cisco.com |
|  | No option for OnPrem Satellite for Smart licensing and Permanent License Reservation |
|  | ISE Conditions Library corruption during Pen test |
|  | CWE-20: Improper Input Validation for Create Node Group |
|  | Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities |
|  | Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities |
|  | Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities |
|  | Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities |
|  | Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities |
|  | Intune Integration is throwing error while saving but Test Connection works fine |
|  | Unable to fetch Azure AD groups |
Open Caveats in Cisco ISE Release 3.0 - Cumulative Patch 2
| Caveat ID Number | Description |
|---|---|
| | PnSLongevity: 3.0P3 Observing replication failed error in Longevity testbed |
Known Limitations in Cisco ISE 3.0 Patch 2
Special Characters Usage Limitations in Name and Description Fields
- The following special characters cannot be used in the Description field for TACACS+ profiles and Device Administration Network conditions: [%\<>*^:"|',=/()$.@;&-!#{}.?]. Supported characters are: alphanumeric, underscore (_), and space.
- The following special characters cannot be used in the Name and Description fields for Authorization Profiles: %\<>*^:\"|',=. Supported characters for the Name and Description fields are: alphanumeric, hyphen (-), dot (.), underscore (_), and space.
- The following special characters cannot be used in the Name and Description fields for Time and Date conditions: [%\#$&()~+*@{}!/?;:',=^`]"<>". Supported characters for the Name and Description fields are: alphanumeric, hyphen (-), dot (.), underscore (_), and space.
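The three limitations above are easiest to enforce before an object ever reaches ISE, for example in a script that creates Authorization Profiles or TACACS+ profiles through the ERS API or that prepares a CSV import. The following is an added example, not code from the Cisco documentation or from ISE itself. It derives a per-field allowlist from each "Supported characters" statement instead of copying the blocklists, and it assumes that "alphanumeric" means ASCII letters and digits; the field-type labels used as dictionary keys are names chosen for this example, not ISE attribute names.

```python
import re

# Allowed-character sets derived from the "Supported characters" statements
# in the Known Limitations above. "Alphanumeric" is taken to mean ASCII
# letters and digits (an assumption of this example; the release note does
# not say whether non-ASCII letters are accepted). The keys are labels
# chosen for this example, not ISE attribute names.
ALLOWED = {
    # TACACS+ profile / Device Administration Network condition description
    "tacacs_description": "A-Za-z0-9_ ",
    # Authorization Profile name and description
    "authz_profile": "A-Za-z0-9_. \\-",
    # Time and Date condition name and description
    "time_date_condition": "A-Za-z0-9_. \\-",
}

# One compiled "anything not in the allowlist" pattern per field type.
_REJECT = {name: re.compile(f"[^{chars}]") for name, chars in ALLOWED.items()}


def invalid_characters(field_type: str, value: str) -> list[str]:
    """Return the distinct characters in value that ISE would reject, sorted."""
    return sorted(set(_REJECT[field_type].findall(value)))


def is_valid(field_type: str, value: str) -> bool:
    """True when value contains only characters ISE supports for this field."""
    return not invalid_characters(field_type, value)


def check_objects(objects):
    """Validate a batch of (field_type, value) pairs, such as names about to be
    pushed through the ERS API or written to a CSV import file, and return the
    offenders as (field_type, value, bad_chars) tuples. Empty list means clean."""
    problems = []
    for field_type, value in objects:
        bad = invalid_characters(field_type, value)
        if bad:
            problems.append((field_type, value, bad))
    return problems


if __name__ == "__main__":
    # Constructed sample input for this example, not taken from a deployment.
    sample = [
        ("authz_profile", "Employee-VLAN_10.v2"),
        ("authz_profile", "Guest%Access<br>"),
        ("tacacs_description", "Net-Admins (RW)"),
        ("time_date_condition", "Business_Hours"),
    ]
    for field_type, value, bad in check_objects(sample):
        print(f"{field_type}: {value!r} contains unsupported characters {bad}")
```

Using an allowlist rather than the published blocklists also catches characters the lists do not mention (tabs, control characters, non-ASCII letters), which is the safer default for a field that is later rendered in the admin GUI and exported to CSV.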
Resolved Caveats in Cisco ISE Release 3.0 - Cumulative Patch 1
| Caveat ID Number | Description |
|---|---|
| | ERS Update/Create for "Authorization Profile" failing XML Schema Validation |
| | Unable to configure grace period for over 1 day because of posture lease |
| | Import NAD is failing with unsupported error when shared secret key has special character |
| | Application Server takes more time to initialize |
| | Guest email fails to send after changing SMTP server |
| | Update "master guest report" to "primary guest report" everywhere in the ISE GUI |
| | Update "blacklist portal" to "blocked list portal" everywhere in the ISE GUI |
| | Update "blacklist identity group" to "blocked list identity group" everywhere in the ISE GUI |
| | Update "master/slave" terms to "primary/subordinate" in "show interface" command |
| | Replace "blacklist" with "blocked list" across all authentication and authorization rules/profiles |
| | Guest password policy settings cannot be saved when set to ranges for alphabets or numbers |
| | ISE RADIUS Live Sessions page showing No Data Found |
| | ISE 2.6 patch 7 not doing lookup for all MAC addresses in MAC list, causing redirect-less Posture to fail |
| | ISE 2.4 Application server going to Initializing state on enabling endpoint debugs |
| | Application server crashes while transitioning into Stop state |
| | Endpoint data not visible on secondary Admin node |
| | Log Collection Error alarms appear |
| | Authorization profile not saved with proper attributes when Security Group selected under common tasks |
| | pxGrid internal client ping failed |
| | Modify TCP settings to enhance TACACS+ and TCP on ISE |
| | BYOD Flow is broken in iOS 14 beta |
| | Discovery host description text is misleading |
| | Cannot start CSV exporting for Selected User in internal ID Store |
| | RADIUS passed-auth live logs not sent due to invalid IPv6 address |
| | Manual NMAP not working when only custom ports are enabled |
| | Unable to create posture condition for LANDESK |
| | PSK cisco-av-pair throws an error if the key contains < or > symbols |
| | Static hostname SGT mapping creation does not allow choosing SXP Domain |
| | Health check does not work when ISE has NIC teaming enabled |
| | Cannot get the download link of NetworkSetupAssistant.exe using Aruba dynamic URL redirect |
| | ISE Hotspot guest portal flow broken |
| | Export of Current Active Session reports only shows sessions that have been updated since midnight |
| | Saving command with parenthesis in TACACS command set gives an error (ISE 2.7 patch 2) |
| | Deadlock in pxGrid nodes due to TRACE level debug |
| | Group lookup failed as empty value is appended to the context |
| | Certificate Authority Service initializing EST Service not running after upgrade to ISE 2.7 patch 2 |
| | ISE RADIUS Live Log details missing AD-Group-Names under Other Attributes section |
| | Custom Attribute from Culinda not shown in endpoint GUI page |
| | Network Device API call throws error 500 if you query a nonexistent network device |
| | Case sensitivity on User Identity Groups causes "Select Sponsor Group Members" window not to load |
| | RADIUS Server Sequence page showing "no data available" |
| | TAC Support Cases redirection issue |
| | Posture Assessment by Condition Report displays No Data with Condition Status filter |
| | Security Group values in Authorization Profile disappear shortly after fetching |
| | Cannot modify AUP text |
| | ISE 3.0 DNS resolvability false alarm |
| | ISE 3.0 GUI glitch in SAML Identity Providers |
| | Unable to retrieve LDAP Groups/Subject Attributes when % character is used twice or more in bind password |
| | Bias-free text/code in upgrade and database |
| | Local repository usage information not displayed |
| | ISE Posture auto-update not running |
| | Network Device IP filter does not match IPs that are inside subnets |
| | ISE 3.0 Upgrade failing at RuleResultsSGTUpgradeService step |
| | ISE 2.6 scheduled reports are not working when primary MnT is down |
| | Collection Filters not displayed in Logging page |
| | ISE 2.6 Patch 6: The following error message is displayed while trying to create SGT with the name "Employees": |
| | Users that do not belong to the sponsor group are unable to log in to the sponsor portal |
| | ISE GUI Login page shows the following error with Chrome 85/86: |
| | ACI mappings not deleted even after delete message is sent |
| | ISE 2.6 patch 7: Sophos 10.x definition missing from Anti-malware condition for MAC OSX |
| | ISE 3.0 Config Backup Restore failing at step UPSUpgradeHandler |
Open Caveats in Cisco ISE Release 3.0 - Cumulative Patch 1
| Caveat ID Number | Description |
|---|---|
| | Porting changes of OnPrem Satellite option for Smart licensing |
Resolved Caveats in Cisco ISE Release 3.0
The resolved caveats in Cisco ISE Release 3.0 have parity with these Cisco ISE patch releases: 2.4 Patch 13, 2.6 Patch 7, and 2.7 Patch 2.
| Caveat ID Number | Description |
|---|---|
| | ISE not returning configured RADIUS AVP 18 in access-reject |
| | GET-BY-ID Not Implemented exception when home page is refreshed |
| | ISE sometimes shows IP Addr. instead of MAC Addr. for VPN users in live auth |
| | ISE RBAC Network Device Type/Location View not working |
| | No AD domain attributes retrieved for RA-VPN/CWA if AD used for both authC and authZ |
| | MnT API does not support special characters |
| | MAC OSX fails after upgrade to 3.6.11362.2 compliance module |
| | nas-update=true accounting attribute will cause session to not be deleted |
| | ENH // Smart License registration using HTTPS Proxy fails |
| | Posture session state needs to be shared across PSNs in multi-node deployment |
| | CSCvi62805 ISE ODBC does not convert the MAC address as per configured stored procedure |
| | ISE sends CoA to active-compliant sessions when a node-group member is unreachable |
| | Typo in Onboard Portal For iOS Devices |
| | 2.3P4, 2.4P3 upgrade is failing during OS upgrade |
| | ISE Guest/BYOD Portal Retry Redirects to 1.1.1.1 |
| | RADIUS DTLS and Portal usage not being assigned to new self-signed certificate on hostname change |
| | Include profiler update for Cisco IP phones - 8832, 7832 |
| | ISE Crashes during policy evaluation for AD attributes |
| | Selecting checkbox All endpoints across pages on context visibility doesn't work |
| | EAP-TLS authentications with Endpoint profile set to not unknown fail in second authorization |
| | Request cache control set to private, no-cache and no-store |
| | Address shows as HTML code in context visibility |
| | ISE 2.4 URT does not check if node is on a supported appliance |
| | AnyConnect displays Cisco NAC agent error when using Cisco temporal agent |
| | Enable or disable "Username/password" in Self-Reg Success Page doesn't hold in Page customization |
| | Memory leak on ISE node with the openldap rpm running version 2.4.44 |
| | Guest ERS API "SearchResult" total is inconsistent with other APIs |
| | ISE Secondary PAN node sending RST to other ISE node with src IP address 169.254.2.2 |
| | [ENH] Remove archives during patch installation phase |
| | ISE TACACS live logs do not have the option to filter using specific NAS IP address |
| | ISE CoA is not sent even though new Logical Profile is used under Authz Policy Exceptions |
| | Significant memory increase in MnT during Longevity test |
| | ISE 2.4 SNMPv3 user added with wrong hash after reload causing SNMPv3 authentication failure |
| | ISE PSN node crashing while fetching context attributes during posture plus RADIUS flow |
| | Disabled PSN persona but TACACS port 49 still open |
| | Replication failed alarm generated and ORA-00001 exceptions seen in ise-psc.log |
| | My Device Portal does not show a device after BYOD on-boarding with SAML authentication |
| | Preview of the self registration guest portal does not display "Registration Code" label |
| | SNMP traps on access switch connected to APs cause incorrect profiling |
| | EAP Chaining: Dynamic Attribute value is unavailable |
| | RADIUS Authentication and RADIUS Accounting Report performance is slow |
| | ENH: Support native event log APIs, EVT API for the passive ID functionality |
| | Blank Course of Action for Threat events received from CTA cloud to TC-NAC adapter |
| | EAP-FAST authentication failed with no shared cipher when private key encryption fails |
| | Export fails in ISE GUI when private key encryption fails; no ERROR message in ISE GUI |
| | pxGrid not publishing MnT events |
| | [enh] Increase Range of Time Interval For Compliance Device ReAuth Query for SCCM |
| | 2.4P10 Endpoint added via REST has visible policy assignment only in "edit" mode |
| | ISE IP routing precedence issue |
| | "No policy server detected" on ISE posture module during high load |
| | Failing Network Devices CSV import, process silently terminating without reason |
| | ISE: prefers cached AD OU over new OU after changing the Account OU |
| | tzdata needs to be updated in ISE guest OS |
| | ISE App crash due to user API |
| | ACI mappings are not published to SXP pxGrid topic |
| | ISE fails to re-establish External syslog connection after break in connectivity |
| | SYSAUX tablespace is getting filled up with AWR and OPSSTAT data |
| | ISE doesn't display the correct user in RADIUS reports if the user was entered differently twice |
| | ISE : TACACS : PSN crashes for TACACS+ |
| | App server and EST services crash/restart at 1 every morning |
| | ISE: Reset config on 2.4 patch 9 throws some errors despite finishing successfully |
| | Add the capability to filter out failed CoA due to MAR cache checks among group nodes in ISE |
| | Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
| | Policy engine continues to evaluate all Policy Sets even after rule is matched |
| | Improve behavior against brute force password attacks |
| | Invalid root CA certificate accepted |
| | ISE 2.6 should allow multiple blank lines in dACL syntax, even if user chooses IPv4 (or) IPv6 |
| | ISE 2.x Network Device stuck loading |
| | Unable to configure CRL URL with 2 parentheses at ISE 2.6 |
| | TrustSec matrix pushing stale data |
| | NAD group CSV imports should allow all supported characters in description field |
| | High load on MnT nodes with Xms value |
| | SEC_ERROR_BAD_DATABASE seen in system/app debug logs while removing a trusted CA cert |
| | Self Registered Guest portal unable to save guest type settings |
| | Unable to edit static group assignment |
| | Service account passwords returned from server in SMS and LDAP page |
| | The CRL is expired with specific condition |
| | Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
| | ISE not updating SGTs correctly |
| | RADIUS Accounting report doesn't work - no accounting records show |
| | AuthZ profile advanced profile for url-redirect does not allow custom HTTPS destination |
| | ISE 2.6 CA Certificate with the same CN removed from Trusted Store while integrating with DNA-C |
| | Condition disappeared from the library but is still in DB |
| | Fail to import Internal CA and key on ISE 2.6 |
| | ISE versions use old JDBC version (11.2.0.3) which is not compatible with new Oracle Database |
| | ISE allows inserting a space before command under Command Sets |
| | NFS mounting causes crash |
| | Backups are not triggering with special characters for encryption key |
| | MACAddress API is not working (API/mnt/Session/MACAddress) |
| | ISE 2.4: Administrator Login Report, Auth failed when using cert based admin auth |
| | Creating a new user in the sponsor portal shows "invalid input" |
| | Days to Expiry value marked as 0 for random authentications |
| | In captive portal user can trigger the sending of emails at will |
| | NAD CSV imports should allow all supported characters in the TrustSecDeviceID |
| | ISE Admin User Unable To Change The Group For Internal Users |
| | Collector log filled with repeated pxGrid and DNAC messages |
| | TACACS profile not retrieved properly using REST API |
| | Authz Profiles not pulling properly using REST API (Pagination is missing) |
| | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability |
| | After importing network device / groups, unable to add new Location |
| | ISE 2.2+ affected with memory leak. Every day 1-2% increase in native memory due to Inflater() |
| | ISE errors when Security Group is created with an underscore via ERS API |
| | ISE 2.2+ affected with memory leak. Every day 1-2% increase in native memory by PORT_Alloc_Util() |
| | ISE: 2.4p9 Intermediate CA cert not installed when configuring SCEP RA |
| | Cannot add registry key value condition containing % or < as it throws an error |
| | Unable to do portal customization for "certificate provisioning portal" |
| | ISE crashes due to empty string instead of username in RadiusProxyFlow::stripUserName() |
| | ISE: Unable to use attribute "url-redirect" with HTTPS, same URL with HTTP works fine |
| | URT fails on a ConditionsData clause from INetworkAuthZCheck |
| | Expired Certificates not listed for deletion |
| | SXP Bindings are not published to pxGrid 2.0 clients |
| | API is not retrieving the data when interim-updates are not stored in DB |
| | Having string 'TACACS' in AD join-point causes AD joinpoint to not show in AuthZ condition |
| | ISE 2.4 Guest ERS Call Get-By-Name fails when guest username contains @ sign (guest@example.com) |
| | ISE 2.6 Install: Input Validation - Check IP Domain Name |
| | ISE SNMP server crashes when using Hash Password |
| | CEPM schema stats not collected/scheduled for PAN only node |
| | RabbitMQ user password printed in plain text in ADE-OS log, should be masked or removed |
| | Docker image ise-rabbitmq could not be successfully loaded post config reset |
| | LONG: Significant memory increase in PMNT node of longevity test |
| | Importing metadata xml file with special characters results in unsupported tags error |
| | Multiple Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities |
| | TACACS auth/acc reports are not visible after restoring OP backup |
| | Importing Endpoint CSV file to CV 2.4 patch 9 does not retain 'description' field |
| | ISE ERS API lookup slow when large number of endpoints exist |
| | .dmp files not deleted from /opt/oracle/base/admin/cpm10/dpdump even after the reset-config on ISE |
| | File Remediation check is failing while tested with ISE 2.7 server |
| | 404 error upon refresh of success page of guest sponsored portal |
| | Not able to localize the OS detection message in BYOD welcome page |
| | NMAP - MCAFeeEPROOrchestratorClientscan fails to execute on 2.6 version of ISE |
| | ISE expired TACACS sessions are not cleared in a timely manner from session cache |
| | Cert Revoke and CPP not functioning without APEX license |
| | Change "View" Options Wording in TrustSec Policy Matrix--ISE |
| | POST getBackupRestoreStatus occurs on every ISE page after navigating to Backup/Restore menu |
| | No threshold option for High disk Utilization in Alarm Settings |
| | Posture with tunnel group policy evaluation is eating away Java memory |
| | ISE shouldn't be allowing ANY in egress policy when imported |
| | Time difference in ISE 2.6 |
| | ISE 2.2 P16 Already extended guest user cannot be extended again |
| | Add proper logging and reporting to handle SCCM server timeout |
| | ISE MDM integration - misleading CoA type in the debugs |
| | [ENH] Add the ability to "GET|PUT|DELETE by Name" using the API for network devices |
| | show version command is not working for ISE non-admin CLI user |
| | "AD-Operating-System" attribute is not being fetched when this OS attribute changes on the AD Server |
| | Exporting Endpoints from CLI results in Java exception |
| | Still Possible to Create SGTs within Policy Sets Even though DNAC Manages GBAC |
| | ISE Feed Server fails via 'createLicenseSource' method "FlexlmListException: Error" |
| | IP SGT static mapping import not working correctly with hostnames |
| | pxGrid 2.0 WebSocket distributed upstream connect issue |
| | pxGrid 2.0 WebSocket ping pong too slow even on idle standalone |
| | ISE doesn't display all device admin authz rules when there are more authz policies and exceptions |
| | Certificate Authority Service initializing EST Service not running after upgrade to ISE 2.6/2.7 |
| | Authentication goes to process fail when "Guest User" ID Store is used |
| | Preventive bug: RADIUS Errors/Misconfigured supplicants tables do not exist after upgrade to ISE 2.6 |
| | High Load Alarms coinciding with System Summary Dashboard not populating for some nodes |
| | When accessing the portal with iPad using Apple CNA and AUP as a link, a 400 Bad Request error is returned |
| | GUI Slowness while enabling AVC |
| | ISE shouldn't allow ANY SGT or value 65535 to be exposed over SGT import or export |
| | AuthZ Conditions with AD Groups Not matched for TEAP - EAP-Chaining |
| | ISE ERS API Endpoint update slow when large number of endpoints exist |
| | "*Endpoint Consumption Count Updated :" not updated in Licensing |
| | Cannot add/modify allowed values for more than 6 attributes in System Use dictionaries |
| | ISE 2.7 compliance counter is 0 |
| | ISE 2.7 AnyConnect configuration's deferred updates do not get saved |
| | ISE latency in responding to RADIUS and high CPU |
| | EP lookup takes more time causing high latency for guest flow |
| | NullPointerException thrown in catalina.out during posture flow when clientMac is null |
| | Identity group update for an internal user in ISE via ERS |
| | ISE 2.6 MDM flow fails if redirect value is present in the URL |
| | Expired Evaluation profiler license on ISE will cause default RADIUS probe to enable |
| | [ENH] Add the ability to "GET|PUT|DELETE by Name" using the API for /ers/config/internaluser |
| | ISE: If min pwd length is increased then existing shorter pwd fails to login via GUI with no error |
| | MnT node election process is not properly designed |
| | ISE wrongly reports posture session lookup calls as SSH login |
| | ISE: runtime-aaa debugs do not print packet details in ASCII, breaking Endpoint debugs |
| | Backups failing due to disk space issue; ENDPOINTS_REJECT_RELEASE table not purged |
| | Unable to edit saved compound conditions using conditions library |
| | Syslog Target configured with FQDN can cause Network Outage |
| | SMS over HTTPS is not sending username/password to gateway |
| | "Current IP address" is displayed in CV even though IP attribute in redis has been removed |
| | ISE BYOD with Apple CNA fails with 9800 |
| | Authentication summary report for yesterday and today not showing data |
| | App-server crashes if IP-access submitted without any entries |
| | Intermittent password rule error for REST API Update Operation |
| | ISE ERS API - GET calls on network devices are slow while processing SNMP configuration |
| | Posture - non-redirection flow fails with "No policy server detected" when LSD is disabled |
| | Description using two lines, or <Enter> was used, under Client provisioning resources throws error |
| | Misleading Null Pointer exception after Manual sync is performed |
| | ISE 2.x || MnT REST API for ReAuth fails when used in distributed deployment |
| | Live logs are not showing for User authentication failed |
| | ISE still generates false positive alarm "Alarms: Patch Failure" |
| | Application server may crash when MAR cache replication is enabled |
| | pxGrid unable to delete user in INIT state |
| | Alarm Dashlet shows 'No Data Found' |
| | Mismatched Information between CLI export and Context Visibility |
| | ISE Backup file transfer logs show Success although there is no space in the SFTP Repository |
| | Cannot select 45 or more products when creating Anti-Malware Condition for definition |
| | CPU spikes are being observed at policy HitCountCollector |
| | Rotation of diagnostics.log is not working on ISE |
| | No debug log for non-working MnT widgets |
| | Sponsor portal displays ? for non-English characters |
| | Session cache getting filled with incomplete sessions |
| | ISE DACL Syntax check not detecting IPv4 format errors |
| | ISE does not reattempt wildcard replication for failed nodes |
| | ISE RADIUS Accounting Report details show "No data found" under Accounting Details |
| | ise-psc.log filled up with "check TTConnection is valid" causing relevant logs to roll over |
| | ISE 2.6p6 Unable to delete custom endpoint attribute |
| | ISE 2.6: Create Guest User using external sponsor users via ERS fails with 401 Unauthorized Error |
| | Suspected memory leak in io.netty.buffer.PoolChunk |
| | ISE does not allow disabling RADIUS in NAD via API |
| | Mandatory values when using Update-By-Name method with Internal Users |
| | TC-NAC adapter stopped scanning with Nexpose (InsightVM) |
| | Changes in IP-TABLES ISE 2.6 causing TCP delays, TACACS latency |
| | Markup language error when using file check condition with dot (.) in file name |
| | ISE 2.6p6 // Portal background displays incorrectly |
| | ISE is returning an incorrect version for the REST API call from DNAC |
| | Import option is not working under TACACS command sets |
| | ISE logging timestamp shows future date |
| | ISE 2.6P6 services fail to initialize after reload on SNS 3655 PSN |
| | ERS SGT create is not permitted after moving from Multiple matrix to Single matrix |
| | 2.4P11 VPN + Posture: Apex Licenses are not being consumed |
| | NDG added through ERS became associated with all network devices in DB |
| | When running ISE ERS API for internaluser update, the existing identityGroups value is set to null |
| | High CPU on ISE 2.7 causing authentication latency |
| | License out of compliance alarm with a valid license |
| | ISE 2.4 p6 - REST API MnT query to get device by MAC address taking more than 2 seconds |
| | ISE 2.x, Free space on Undo tablespace not cleared as per isehourlycron.sh cron script |
| | Report repository export is not working with dedicated MnT enabled |
| | Shared email for AD users fails to retrieve groups; ISE shows multiple accounts found in forest |
| | Session API for MAC Address returning Char 0x0 out of allowed range |
| | [CFD] GBAC sync breaks on deleting VN from SG if AuthZ profile is mapped to the same VN for diff SG |
| | Machine Authentications via EAP-TLS fail during authorization flow citing a user not found error |
| | ISE 2.x, 3.x: Drop_Cache required for systems with High Memory Issues |
| | ISE ERS API DELETE device returns 500 error with more than 1 call |
| | Suspected Memory Leak in Elasticsearch |
| | Devices configured with SNMP v2c version on DNAC are not seen in Network devices in ISE |
| | ISE: prefers cached AD OU over new OU after changing the Account OU |
| | ISE Authorize-Only requests are not assessed against Internal User Groups |
| | REST API call can remove Network Device Group referenced in Policy Set |
| | RADIUS secret 4 chars min requirement is not checked when REST API used to create NAD |
| | Improve error messaging on My Device Portal when the identity store has issues |
| | ERS REST API returns duplicate values multiple times when using filter by locations |
| | SessionDB columns are missing from ISE (>=2.4) |
| | ISE creates new site in InsightVM (tc-nac server) |
| | Context Visibility fuses endpoint parameters on username update |
| | Failed Logins to ISE GUI Are Not Seen in Audit Report When AD Is Selected as the Identity Source |
| | CWE-937 Use of JavaScript Library with Known Vulnerability |
| | ISE 2.6 p5 ERS API response for XML or JSON request with invalid credentials is HTTP 401 with unexpected HTML body |
| | Alarm Suppression required for ERS queries along with suppression on iselocalstore.log |
| | Alarms and system summary are not showing up on ISE GUI |
| | Authentication failure with reason "12308 Client sent Result TLV indicating failure" |
| | ISE: LDAP and ODBC identity store names do not allow hyphen |
| | ISE is deleting Key pairs after changes performed in SFTP repository |
| | ISE allows duplicate device IDs in ERS flow in all versions |
| | CLDAP thread is hung and running infinitely |
| | InternalUser Attributes in ATZ policy will fail TACACS+ ASCII Authentication |
| | ISE Authentication Status API Call Duration does not work as expected |
| | Guest authentication fails with "Account is not yet active" for incorrect password |
| | Overlap of network devices using subnet and IP range |
| | ISE unable to connect with ODBC "Connection failed" with a port number |
| | TACACS Aggregate table is not purged properly |
| | ISE TCP ports 84xx not opened if there is shutdown interface with IP address assigned |
| | ISE Authentication Status API Call does not return all records for the specified time range |
| | Policy Export Is Not Being Saved Without Encryption After It is Saved With Encryption |
| | isedataupgrade.sh failed. ISE global data upgrade failed - 2.7, 3.0 from ISE 2.6P6 |
| | pxGrid 2.0 authorization profile attribute missing from the session directory |
| | pxGrid to publish ADUser, ADHost, SamAccountName and QualifiedName |
| | Add to ISE SCCM query possibility to check Baseline status |
| | Add to ISE SCCM query possibility to check Configuration Item status |
Open Caveats in Cisco ISE Release 3.0
| Caveat ID Number | Description |
|---|---|
| | FMC subscription to ISE unavailable with large count of SGTs |
| | Source SGT correlation doesn't work for FMC and FTD 6.5 |
| | Few labels in the ISE Admin GUI are not translated into Japanese |
| | "Support TrustSec Verification reports" checkbox shouldn't be enabled |
| | IE latest version: Portal tiles are overlapping in guest portal page on a DB restored setup |
| | IE GUI: Progress bars & info icons overlapping/misaligned with module names in health check page |
| | Deadlock in pxGrid nodes due to TRACE level debug |
| | HTTPS serverlist config not persistent post upgrade from 2.7 P1 to ISE 3.0 |
| | [ISE-3.0] ISED crashing continuously in WSA |
| | [ISE3.0]: ISE-WSA Integration fails when no session is present |
| | Domain doesn't get assigned to SXP peer |
| | TAC Support Cases Redirection Issue |
| CSCwc83059 | Post full upgrade VCS information is missing |
| | Timestamps need adjustment whenever timezone is changed |
| | Live logs and live sessions pages are displayed in incorrect sorting order when timezone is changed on PSN and MnT nodes |
| | Session data is shown at the bottom when PSNs are in different timezones |
Communications, Services, and Additional Information
- To receive timely and relevant information from Cisco, sign up at Cisco Profile Manager.
- To get the business impact you are looking for with the technologies that matter, visit Cisco Services.
- To submit a service request, visit Cisco Support.
- To discover and browse secure and validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
- To obtain information about general networking, training, and certification titles, visit Cisco Press.
- To find warranty information for a specific product or product family, access Cisco Warranty Finder.