Introduction to Cisco Identity Services Engine
Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, wireless controllers, Virtual Private Network (VPN) gateways, Private 5G networks, and data center switches. Cisco ISE acts as the policy manager in the Cisco TrustSec solution and supports TrustSec software-defined segmentation.
Cisco ISE is available on secure network server appliances with different performance characterizations, and also as software that can be run on virtual machines (VMs). Note that you can add more appliances to a deployment for better performance.
Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services where needed in a network, but operate the Cisco ISE deployment as a complete and coordinated system.
For detailed Cisco ISE ordering and licensing information, see the Cisco Identity Services Engine Ordering Guide.
For information on monitoring and troubleshooting the system, see the "Monitoring and Troubleshooting Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.
What is New in Cisco ISE, Release 3.1?
This section lists the new and changed features in Cisco ISE 3.1.
Note: Cisco ISE 3.1 OVA, ISO, and upgrade bundle files have been replaced on the Software Download site. For more information, see Cisco ISE 3.1 Files Replaced on Software Download Site.
Android Settings for Native Supplicant Profile
Android settings are added for native supplicant profile. You can select one of the following options for Certificate Enrollment Protocol:
- Enrollment over Secure Transport (EST)
- Simple Certificate Enrollment Protocol (SCEP)
If you choose the EST protocol, Cisco ISE will ask for additional password inputs from Android users while issuing certificates.
For more information, see "Native Supplicant Profile Settings" in the Chapter "Compliance" in the Cisco ISE Administrator Guide, Release 3.1.
Enhancements in Audit Logs
The following audit logs have been enhanced to include more details about relevant events:
- Posture audit logs now include information regarding:
  - Creation and deletion of posture policies.
  - Changes made to existing posture policies, such as changes to fields like Conditions, Rule Name, and so on.
  - Addition, deletion, or modification of posture configurations such as Conditions, Remediation Actions, Requirements, and so on.
- RBAC audit logs now include information regarding creation and deletion of menu access and data access content.
- Network Access and Admin Users audit logs now include information regarding creation, editing, and deletion of Network Access and Admin Users.
Posture State Synchronization
You can configure AnyConnect to probe Cisco ISE at specified intervals when the posture status is not compliant. This helps prevent a client from being stuck in pending state.
The posture state synchronization is supported for Windows, Linux, and MacOS clients.
For more information, see "Posture State Synchronization" in the Chapter "Compliance" in the Cisco ISE Administrator Guide, Release 3.1.
Obtain Configuration Backup Using Cisco Support Diagnostics Connector
You can use Cisco Support Diagnostics Connector to trigger configuration backup and upload the backup files to the Cisco Support Diagnostics folder. After uploading the backup files to the Cisco Support Diagnostics folder, you can delete the backup files from the Cisco ISE local disk. To use this feature, you must enable smart licensing and Cisco Support Diagnostics in Cisco ISE.
For more information, see "Obtain Configuration Backup Using Cisco Support Diagnostics Connector" in the Chapter "Troubleshoot" in the Cisco ISE Administrator Guide, Release 3.1.
Configuration of Authorization Result Alarm
You can configure alarms based on the results of authorization policies. This allows you to monitor the impact of any networking, infrastructure, or application changes on endpoint authorizations. You can define the scope of your alarms by choosing specific Network Device Groups (NDGs). For each NDG you choose, a new Authorization Result alarm is created.
You can filter the authorization logs to be monitored for an alarm by choosing specific authorization profiles and Security Group Tags (SGTs). Only endpoints that have met authorization policy sets with the specified authorization profiles and SGTs are monitored by the alarm.
For more information, see "Configure Authorization Result Alarm" in the Chapter "Troubleshoot" in the Cisco ISE Administrator Guide, Release 3.1.
Configuration of Preferred Domain Controllers
You can specify the domain controllers that you want to use in case of domain failover. If a domain fails, Cisco ISE compares the priority scores of the domain controllers that are added to the preferred list and selects the one with the highest priority score. If that domain controller is offline or is not reachable because of an issue, the next one in the preferred list with the highest priority score is used. If all the domain controllers in the preferred list are down, a domain controller outside the list is selected based on the priority score. When the domain controller that was used before the failover is restored, Cisco ISE switches back to that domain controller.
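The selection rules above (preferred list first, ranked by priority score; skip unreachable controllers; fall back outside the list only when every preferred controller is down; switch back when the original controller returns) map directly to a small piece of ranking logic. The following Python is an added illustration written for this page, not Cisco ISE code; the DomainController record, its priority score and reachable flag are assumptions made for the example, and the hostnames are constructed.

```python
"""Model of domain-controller selection on failover, following the rules the
release notes give for preferred domain controllers.  Added example for this
page, not Cisco ISE code.  The DomainController record and the `reachable`
flag are assumptions made for the illustration."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class DomainController:
    name: str
    priority: int            # priority score; higher wins
    preferred: bool          # on the administrator's preferred list
    reachable: bool = True   # result of the most recent reachability probe


def select_failover_dc(controllers: Iterable[DomainController]) -> Optional[DomainController]:
    """Pick the controller to use after the one in use has failed.

    Reachable controllers on the preferred list are tried first, highest
    priority score first.  Only when the whole preferred list is down does the
    search fall back to controllers outside the list, again by score.
    Returns None when nothing is reachable.
    """
    reachable = [dc for dc in controllers if dc.reachable]
    preferred = sorted((dc for dc in reachable if dc.preferred),
                       key=lambda dc: dc.priority, reverse=True)
    if preferred:
        return preferred[0]
    fallback = sorted((dc for dc in reachable if not dc.preferred),
                      key=lambda dc: dc.priority, reverse=True)
    return fallback[0] if fallback else None


def current_dc_after_failover(original: DomainController,
                              controllers: Iterable[DomainController]) -> Optional[DomainController]:
    """Switch-back rule: once the controller used before the failover is
    reachable again it is used; otherwise failover selection applies."""
    if original.reachable:
        return original
    return select_failover_dc(controllers)


def failover_walkthrough() -> List[str]:
    """Constructed scenario (sample data, not from any real deployment)."""
    dc1 = DomainController("dc1.example.test", priority=70, preferred=True, reachable=False)  # was in use
    dc2 = DomainController("dc2.example.test", priority=50, preferred=True, reachable=False)
    dc3 = DomainController("dc3.example.test", priority=30, preferred=True)
    dc4 = DomainController("dc4.example.test", priority=90, preferred=False)
    pool = [dc1, dc2, dc3, dc4]
    steps = []
    steps.append(select_failover_dc(pool).name)               # dc3: preferred list beats a higher outside score
    dc3.reachable = False
    steps.append(select_failover_dc(pool).name)               # dc4: preferred list exhausted, fall back by score
    dc1.reachable = True
    steps.append(current_dc_after_failover(dc1, pool).name)   # dc1: switch back once restored
    return steps


if __name__ == "__main__":
    print(failover_walkthrough())
```

The walkthrough shows the point that matters operationally: a preferred controller with a low score is still chosen over a non-preferred controller with a high score, so the preferred list, not the raw score, is what decides where authentications go during a failover.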
For more information, see "Configure Preferred Domain Controllers" in the Chapter "Asset Visibility" in the Cisco ISE Administrator Guide, Release 3.1.
Context Visibility Enhancements
- In the Export Endpoints dialog box, you can now check the Importable Only check box if you want to export only the attributes that can be imported to Cisco ISE without any modification to the CSV file. Using this option prevents the need to modify the columns or metadata in the exported CSV file before importing it to Cisco ISE.
- While using the Quick Filter or Advanced Filter option, you can use the Export Filtered option to export only the filtered endpoints.
For more information, see "Export Endpoints Using CSV File" in the Chapter "Asset Visibility" in the Cisco ISE Administrator Guide, Release 3.1.
Full Upgrade and Split Upgrade Options Added to Cisco ISE GUI
In the Administration > System > Upgrade > Upgrade Selection window, you can choose one of the following options based on your requirements:
- Full Upgrade: Full upgrade is a multistep process that enables a complete upgrade of your Cisco ISE deployment sequentially. This upgrades all the nodes in parallel and in less time compared to the split upgrade process. Because all the nodes are upgraded in parallel, services will be down during the upgrade process.
- Split Upgrade: Split upgrade is a multistep process that enables the upgrade of your Cisco ISE deployment while allowing services to remain available to users during the upgrade process. With the split upgrade option, you can choose the nodes to be upgraded.
For more information, see "Upgrade a Cisco ISE Deployment from the GUI" in the Chapter "Upgrade Method" in Cisco Identity Services Engine Upgrade Journey, Release 3.1.
Cisco ISE on Amazon Web Services
You can launch a Cisco ISE instance on the Amazon Web Services (AWS) platform using a Cloud Formation Template (CFT) or an Amazon Machine Image (AMI).
For more information, see the Chapter "Install Cisco ISE with Amazon Web Services" in Cisco ISE Installation Guide, Release 3.1.
Virtual Appliance Licenses
Cisco ISE Release 3.1 and later supports the ISE VM license, which replaces the VM Small, VM Medium, and VM Large licenses that were supported in releases prior to Release 3.1. The new ISE VM license covers the Cisco ISE VM nodes in both on-premises and cloud deployments.
For more information, see "Cisco ISE Licenses" in the Chapter "Licensing" in the Cisco ISE Administrator Guide for your release.
Download or Upload Files from Local Disk
You can easily add, download, or delete the files that are used for local disk management.
For more information, see "Download and Upload Files from Local Disk" in the Chapter "Maintain and Monitor" in the Cisco ISE Administrator Guide, Release 3.1.
MacOS Versions in Posture Policy Configurations
In Cisco ISE 3.0 and earlier, you could configure posture policies and requirements with minor MacOS versions such as MacOS 11.1, MacOS 11.2, and so on. In Cisco ISE 3.1, you can only choose major MacOS versions such as MacOS 11 (All) to configure posture policies and requirements.
When you upgrade to Cisco ISE 3.1, any posture condition that includes a minor MacOS version is automatically updated to the corresponding major MacOS version. For example, a posture condition that was configured for MacOS 11.1 will be updated to MacOS 11 (All).
OpenAPI Service
OpenAPIs are REST APIs based on HTTPS operating over port 443. From Cisco ISE 3.1 onwards, newer APIs are available in the OpenAPI format. For more information on Cisco ISE OpenAPIs, see https://<ise-ip>/api/swagger-ui/index.html.
The following OpenAPIs have been introduced in Cisco ISE 3.1:
- Repository Management
- Configuration Data Backup and Restore
- Certificate Management
- Policy Management
  - RADIUS Policy
  - TACACS+ Policy
For more information, see "Enable API Service" in the Chapter "Basic Setup" in Cisco ISE Administrator Guide, Release 3.1.
Posture Support for Linux Operating System
Posture is a service in Cisco ISE that allows you to check the state of all the endpoints that are connecting to a network for compliance with corporate security policies. Cisco ISE 3.1 supports the following Linux operating system versions, in addition to Windows and Mac operating systems:
- Ubuntu: 18.04, 20.04
- Red Hat: 7.5, 7.9, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9, 9.0, 9.1, 9.2, 9.3
- SUSE: 12.3, 12.4, 12.5, 15.0, 15.1, 15.2
The following posture conditions are supported for Linux operating system:
- File Condition
- Application Condition
- Antimalware Condition
- Patch Management Condition
You can configure agent profiles for Linux clients. You can add client-provisioning resources for AnyConnect Linux clients.
For more information, see the Chapter "Compliance" in Cisco ISE Administrator Guide, Release 3.1.
ERS Service Auto Enabled on VMware Cloud Environment
The External RESTful Services (ERS) API service is enabled by default when the Amazon Machine Image (AMI) version of Cisco ISE is deployed on a VMware Cloud environment. This enables easy integration of Cisco ISE with other Cisco products and third-party applications, without the need to enable the ERS service from the Cisco ISE GUI.
For more information, see "Enable API Service" in the Chapter "Basic Setup" in the Cisco ISE Administrator Guide, Release 3.1.
pxGrid Client Auto Approval API
pxGrid can be used to share context-sensitive information from the Cisco ISE session directory with other network systems such as Cisco ISE ecosystem partner systems and other Cisco platforms. The pxGrid Client Auto Approval API can be used to:
- Enable automatic approval of certificate-based connection requests from new pxGrid clients. Enable this option only when you trust all the clients in your environment.
- Enable username or password-based authentication for the pxGrid clients. When this option is enabled, pxGrid clients cannot be automatically approved. A pxGrid client can register itself with the pxGrid controller by sending the username through a REST API. The pxGrid controller generates a password for the pxGrid client during client registration. An administrator can approve or deny the connection request.
For more information about the pxGrid Client Auto Approval API, see the "pxGrid Settings" section in the ERS SDK. You can access the ERS SDK at the following URL:
https://<ISE-Admin-Node>:9060/ers/sdk
Note: Only users with the ERS Admin role can access the ERS SDK.
Configuration of Maximum Password Attempts for Active Directory Account
You can configure the badPwdCount attribute to prevent Active Directory account lockout due to too many bad password attempts. Before authenticating the user, Cisco ISE compares the maximum bad password attempts configured in Cisco ISE with the current value of the badPwdCount attribute on Active Directory. When the maximum bad password attempts configured in Cisco ISE is equal to the value of the badPwdCount attribute, the authentication is dropped and not sent to Active Directory.
For more information, see "Configure Maximum Password Attempts for AD Account" in the Chapter "Asset Visibility" in the Cisco ISE Administrator Guide, Release 3.1.
Handle Random and Changing MAC Addresses with Mobile Device Management Servers
As a privacy measure, mobile devices and some desktop operating systems increasingly use random and changing MAC addresses for each SSID that they connect to. In Cisco ISE, you can now work around this problem by configuring Cisco ISE to use a unique device identifier called GUID instead of MAC addresses. When an endpoint enrolls with a Mobile Device Management (MDM) server, the MDM server sends a certificate with a GUID value to the endpoint. The endpoint uses this certificate for authentication with Cisco ISE. Cisco ISE receives the GUID for the endpoint from the certificate. All communications between Cisco ISE and the MDM server now use the GUID to identify the endpoint, ensuring accuracy and consistency between the two systems.
For more information, see "Handle Random and Changing MAC Addresses With Mobile Device Management Servers" in the Chapter "Secure Wired Access" in Cisco ISE Administrator Guide, Release 3.1.
MAC Randomization for BYOD
Android and iOS devices increasingly use random and changing MAC addresses for each SSID that they connect to. Cisco ISE and MDM systems see different MAC addresses for the same device depending on which SSID they use to connect to the service. Therefore, a unique identifier is generated by the Cisco ISE Provisioning service to identify these endpoints.
For more information, see "MAC Randomization for BYOD" in the Chapter "Basic Setup" in Cisco ISE Administrator Guide, Release 3.1.
Endpoint API Enhancement
The logicalProfileName filter can be used to get endpoints that belong to a specific Logical Profile. The only supported operator for the logicalProfileName filter is EQ (equal to). The syntax to invoke the API with this filter is:
/ers/config/endpoint?filter={filter name}.{operator}.{logical profile name}
For more information, see Cisco ISE API Reference Guide.
Posture Script Remediation
You can create and upload posture remediation scripts to Cisco ISE to resolve non-compliance issues in endpoints.
For more information, see "Add a Script Remediation" in the Chapter "Compliance" in Cisco ISE Administrator Guide, Release 3.1.
RHEL 8.2 Support
Cisco ISE runs on the Cisco Application Deployment Engine Operating System (ADEOS), which is based on Red Hat Enterprise Linux (RHEL). For Cisco ISE 3.1, ADEOS is based on RHEL 8.2.
RHEL 8.2 supports the following VMware ESXi versions:
- VMware ESXi 6.5
- VMware ESXi 6.5 U1
- VMware ESXi 6.5 U2
- VMware ESXi 6.5 U3
- VMware ESXi 6.7
- VMware ESXi 6.7 U1
- VMware ESXi 6.7 U2
- VMware ESXi 6.7 U3
- VMware ESXi 7.0
- VMware ESXi 7.0 U1
- VMware ESXi 7.0 U2
- VMware ESXi 8.0
For more information, see the Chapter "Overview" in Cisco Identity Services Engine Upgrade Journey, Release 3.1.
SAML-Based Admin Login
SAML-based admin login adds a single sign on capability to Cisco ISE using the SAML 2.0 standard. You can use an external Identity Provider such as Okta or any Identity Provider that implements SAML 2.0.
For more information, see "SAML-based Admin Login" in the Chapter "Asset Visibility" in Cisco ISE Administrator Guide, Release 3.1.
Specific License Reservation
Specific License Reservation is a smart licensing method that helps you manage your smart licensing when your organization's security requirements do not allow a persistent connection between Cisco ISE and the Cisco Smart Software Manager (CSSM). Specific License Reservation allows you to reserve specific license entitlements on a Cisco ISE node.
You can create a Specific License Reservation by defining the type and number of licenses you need to reserve, and then activate the reservation on a Cisco ISE node. The Cisco ISE node on which you register and enable the reservation then tracks license usage and enforces license consumption compliance.
For more information, see "Specific License Reservation" in the Chapter "Licensing" in the Cisco ISE Administrator Guide, Release 3.1.
Upgrade to pxGrid 2.0
From Cisco ISE Release 3.1, all pxGrid connections must be based on pxGrid 2.0. pxGrid 1.0-based (XMPP-based) integrations will cease to work on Cisco ISE from Release 3.1 onwards.
pxGrid Version 2.0, which is based on WebSockets, was introduced in Cisco ISE Release 2.4. We recommend that you plan and upgrade your other systems to pxGrid 2.0-compliant versions in order to prevent potential disruptions, if any, to integrations.
For more information, see the Chapter "pxGrid" in Cisco ISE Administrator Guide, Release 3.1.
Note: The output of the show application status ise command reflects only the status of pxGrid 1.0 services.
Zero Touch Provisioning
Zero Touch Provisioning (ZTP) refers to the uninterrupted provisioning mechanism that helps to automate Cisco ISE installation, infrastructure service enablement, patching, and hot patching without manual intervention.
For more information, see "Zero Touch Provisioning" in the Chapter "Additional Installation Information" in Cisco ISE Installation Guide, Release 3.1.
Cisco Secure Access Control System-to-Cisco ISE Migration Tool
The Cisco Secure Access Control System-to-Cisco ISE Migration Tool is not supported for Cisco ISE 3.1 and later. End-of-life dates have been announced for Cisco Secure Access Control System. For more information, see End-of-Life Notice.
System Requirements
For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.
For more details on hardware platforms and installation of this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.
Supported Hardware
Cisco ISE 3.1 can be installed on the following platforms:
Hardware Platform | Configuration
---|---
Cisco SNS-3595-K9 (large) | For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide.
Cisco SNS-3615-K9 (small) | As above.
Cisco SNS-3655-K9 (medium) | As above.
Cisco SNS-3695-K9 (large) | As above.
Cisco SNS-3715-K9 (small) | As above.
Cisco SNS-3755-K9 (medium) | As above.
Cisco SNS-3795-K9 (large) | As above.
After installation, you can configure Cisco ISE with specific component personas such as Administration, Monitoring, or pxGrid on the platforms that are listed in the above table. In addition to these personas, Cisco ISE contains other types of personas within Policy Service, such as Profiling Service, Session Services, Threat-Centric NAC Service, SXP Service for TrustSec, TACACS+ Device Admin Service, and Passive Identity Service.
Supported Virtual Environments
Cisco ISE supports the following virtual environment platforms:
- VMware version 9 for ESXi 6.5
- VMware version 14 for ESXi 6.7 and later
For Cisco ISE Release 3.0 and later releases, we recommend that you update to VMware ESXi 7.0.3 or later releases.
You can deploy Cisco ISE on VMware cloud solutions on the following public cloud platforms:
- VMware Cloud on Amazon Web Services (AWS): Host Cisco ISE on a software-defined data center provided by VMware Cloud on AWS.
- Azure VMware Solution: Azure VMware Solution runs VMware workloads natively on Microsoft Azure. You can host Cisco ISE as a VMware virtual machine.
- Google Cloud VMware Engine: Google Cloud VMware Engine runs a VMware software-defined data center on Google Cloud. You can host Cisco ISE as a VMware virtual machine on the software-defined data center provided by the VMware Engine.
Note: From Cisco ISE 3.1, you can use the VMware migration feature to migrate virtual machine (VM) instances (running any persona) between hosts. Cisco ISE supports both hot and cold migration. Hot migration is also called live migration or vMotion. Cisco ISE need not be shut down or powered off during the hot migration. You can migrate the Cisco ISE VM without any interruption in its availability.
- Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later
- KVM on QEMU 2.12.0-99
  Note: Cisco ISE cannot be installed on OpenStack.
- Nutanix AHV 20201105.2096
You can deploy Cisco ISE natively on the following public cloud platforms:
- Amazon Web Services (AWS)
For information about the virtual machine requirements, see the Cisco Identity Services Engine Installation Guide for your version of Cisco ISE.
Federal Information Processing Standard (FIPS) Mode Support
Cisco ISE uses embedded Federal Information Processing Standard (FIPS) 140-2-validated cryptographic module, Cisco FIPS Object Module Version 7.2a (Certificate #4036). Cisco ISE 3.1 Patch 1 or later is required. For details about the FIPS compliance claims, see Global Government Certifications.
When FIPS mode is enabled on Cisco ISE, consider the following:
- All non-FIPS-compliant cipher suites will be disabled.
- Certificates and private keys must use only FIPS-compliant hash and encryption algorithms.
- RSA private keys must be 2048 bits or greater.
- Elliptic Curve Digital Signature Algorithm (ECDSA) private keys must be 224 bits or greater.
- Diffie–Hellman Ephemeral (DHE) ciphers work with Diffie–Hellman (DH) parameters of 2048 bits or greater.
- SHA1 is not allowed to generate ISE local server certificates.
- The anonymous PAC provisioning option in EAP-FAST is disabled.
- The local SSH server operates in FIPS mode.
- The following protocols are not supported in FIPS mode for RADIUS:
  - EAP-MD5
  - PAP
  - CHAP
  - MS-CHAPv1
  - MS-CHAPv2
  - LEAP
Supported Browsers
Cisco ISE 3.1 is supported on the following browsers:
- Mozilla Firefox 123, 125
- Mozilla Firefox ESR 102.4 and earlier versions
- Google Chrome 122, 124
- Microsoft Edge 122, 125
Note: Currently, you cannot access the Cisco ISE GUI on mobile devices.
Validated External Identity Sources
Note: The supported Active Directory versions are the same for both Cisco ISE and Cisco ISE-PIC.
External Identity Source | Version
---|---
Active Directory |
Microsoft Windows Active Directory 2012 | Windows Server 2012
Microsoft Windows Active Directory 2012 R2 (1) | Windows Server 2012 R2
Microsoft Windows Active Directory 2016 | Windows Server 2016
Microsoft Windows Active Directory 2019 | Windows Server 2019
Microsoft Windows Active Directory 2022 | Windows Server 2022 with Patch Windows10.0-KB5025230-x64-V1.006.msu
LDAP Servers |
SunONE LDAP Directory Server | Version 5.2
OpenLDAP Directory Server | Version 2.4.23
Any LDAP v3-compliant server | Any version that is LDAP v3 compliant
AD as LDAP | Windows Server 2022 with Patch Windows10.0-KB5025230-x64-V1.006.msu
Token Servers |
RSA ACE/Server | 6.x series
RSA Authentication Manager | 7.x and 8.x series
Any RADIUS RFC 2865-compliant token server | Any version that is RFC 2865 compliant
Security Assertion Markup Language (SAML) Single Sign-On (SSO) |
Microsoft Azure MFA | Latest
Oracle Access Manager (OAM) | Version 11.1.2.2.0
Oracle Identity Federation (OIF) | Version 11.1.1.2.0
PingFederate Server | Version 6.10.0.4
PingOne Cloud | Latest
Secure Auth | 8.1.1
Any SAMLv2-compliant Identity Provider | Any Identity Provider version that is SAMLv2 compliant
Open Database Connectivity (ODBC) Identity Source |
Microsoft SQL Server | Microsoft SQL Server 2012, Microsoft SQL Server 2022
Oracle | Enterprise Edition Release 12.1.0.2.0
PostgreSQL | 9.0
Sybase | 16.0
MySQL | 6.3
Social Login (for Guest User Accounts) | Latest
(1) Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2. However, the new features in Microsoft Windows Active Directory 2012 R2, such as Protective User Groups, are not supported.
Supported Antivirus and Antimalware Products
For information about the antivirus and antimalware products supported by the Cisco ISE posture agent, see Cisco AnyConnect ISE Posture Support Charts.
Validated OpenSSL Version
Cisco ISE 3.1 is validated with OpenSSL 1.1.1k.
OpenSSL Update Requires CA:True in CA Certificates
For a certificate to be defined as a CA certificate, the certificate must contain the following property:
basicConstraints=CA:TRUE
This property is mandatory to comply with recent OpenSSL updates.
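The requirement applies to the DER value of the basicConstraints extension (OID 2.5.29.19), where cA is a one-byte BOOLEAN inside a SEQUENCE and, because the field is DEFAULT FALSE, DER omits it entirely for CA:FALSE. A certificate whose extension is absent, or encodes an empty SEQUENCE, is therefore not a CA under this rule even if it signed other certificates. The following Python decoder is an added example for this page, not Cisco or OpenSSL code; the sample byte strings are hand-encoded for the example and do not come from any real certificate.

```python
"""Decode the DER value of an X.509 basicConstraints extension and report
whether it asserts CA:TRUE.  Added example for this page; not Cisco or
OpenSSL code.

ASN.1 (RFC 5280):
  BasicConstraints ::= SEQUENCE {
      cA                 BOOLEAN DEFAULT FALSE,
      pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
DER omits DEFAULT values, so CA:FALSE is the empty SEQUENCE 30 00.
"""
from typing import Optional, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV at pos (short/long-form lengths)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def parse_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    """Return (ca, path_len) from a DER-encoded BasicConstraints value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("BasicConstraints must be exactly one SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:          # optional BOOLEAN cA
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1:
            raise ValueError("BOOLEAN must be one byte")
        ca = val[0] != 0x00        # DER uses FF for TRUE; an explicit 00 is tolerated as FALSE
    if pos < len(body) and body[pos] == 0x02:          # optional INTEGER pathLenConstraint
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
        if path_len < 0:
            raise ValueError("pathLenConstraint must be non-negative")
    if pos != len(body):
        raise ValueError("trailing bytes inside BasicConstraints")
    return ca, path_len


def is_ca_certificate(ext_value: Optional[bytes]) -> bool:
    """True only when the extension is present and asserts cA TRUE.
    A missing extension is treated as an end-entity certificate."""
    if ext_value is None:
        return False
    ca, _ = parse_basic_constraints(ext_value)
    return ca


# Constructed sample values (hand-encoded DER for this example):
CA_TRUE = bytes.fromhex("30 03 01 01 FF")                  # basicConstraints=CA:TRUE
CA_TRUE_PATHLEN0 = bytes.fromhex("30 06 01 01 FF 02 01 00")  # CA:TRUE, pathlen:0
CA_FALSE = bytes.fromhex("30 00")                          # CA:FALSE (default, omitted)

if __name__ == "__main__":
    for label, value in (("CA:TRUE", CA_TRUE), ("CA:TRUE,pathlen:0", CA_TRUE_PATHLEN0), ("CA:FALSE", CA_FALSE)):
        print(label, parse_basic_constraints(value))
```

The `basicConstraints=CA:TRUE` line in an OpenSSL configuration produces the first encoding; a certificate imported into the trusted certificates store should decode to `(True, ...)` here, and anything that decodes to `(False, None)` or has no such extension is the case the OpenSSL update now rejects as a CA.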
Known Limitations and Workarounds
This section provides information about the various known limitations and the corresponding workarounds.
Microsoft Compliance Retrieval API Support for Ethernet MAC Address-based APIs
Microsoft Compliance Retrieval API currently does not support the Ethernet MAC attribute for MAC address-based APIs. This limitation is addressed by Microsoft in January 2024. For wired deployments, we recommend that you migrate to GUID-embedded certificates before upgrading to the following patches: Cisco ISE Release 3.1 Patch 8, Cisco ISE Release 3.2 Patch 4, or Cisco ISE Release 3.3 Patch 1.
Incorrect Smart Licensing Consumption Reports
After you upgrade to Cisco ISE Release 3.1 Patch 5 or Patch 6, if your smart licensing configuration uses the connection methods Direct HTTPS or HTTPS Proxy, you may see incorrect compliance statuses being reported. Incorrect license consumption counts may be reported due to a communication error between Cisco ISE and CSSM.
To troubleshoot the communication error, in the Licensing window of the Cisco ISE administration portal, deregister and then reregister your smart licensing.
CSCwc74531 Hot Patch Affects Cisco ISE Application Server
Installing the CSCwc74531 hot patch affects the Cisco ISE application server if all the following conditions are met:
- You installed Cisco ISE Release 3.1 using the ise-3.1.0.518.SPA.x86_64.iso file
- You are running Cisco ISE Release 3.1 Patch 3 or earlier
- You have applied the Log4j hot patch
In this scenario, reach out to Cisco TAC for node recovery.
We recommend that you upgrade to Patch 5 or later versions instead of applying the Log4j or CSCwc74531 hot patches while using Cisco ISE Release 3.1 Patch 3 or earlier.
If you have installed Cisco ISE Release 3.1 using the ise-3.1.0.518b.SPA.x86_64.iso file, this limitation does not affect your Cisco ISE.
Antimalware Condition for ClamWin Products
You might see the following error message while trying to add an antimalware condition for the ClamWin Pty Ltd vendor:
class com.cisco.cpm.posture.exceptions.PostureException:Check am_linux_def_v4_ClamWinPtyLtd is not found
When multiple ClamWin products with 0.x version are listed in the Baseline Condition tab, if you select any of those products and configure an antimalware condition, the preceding error message might be displayed.
In such a scenario, you must run the posture feed update one or more times to remove the multiple entries for 0.x version.
As a workaround, you can select a product from the Advanced Condition tab and configure an antimalware condition for the ClamWin Pty Ltd vendor.
Authentication Might Fail for SNMP Users After Upgrade due to Wrong Hash Value
If you are upgrading from Cisco ISE 2.7 or earlier release to Cisco ISE 3.1, you must reconfigure the settings for SNMP users after the upgrade. Otherwise, authentication might fail for SNMP users because of the wrong hash value.
Use the following commands to reconfigure the settings for SNMPv3 users:
no snmp-server user <snmp user> <snmp version> <auth password> <priv password>
snmp-server user <snmp user> <snmp version> <auth password> <priv password>
Special Characters Usage Limitations in Name and Description Fields
- These special characters cannot be used in the Description field for TACACS+ profiles and Device Administration Network conditions—[%\<>*^:"|',=/()$.@;&-!#{}.?]. Supported characters are alphanumeric, underscore, and space.
- These special characters cannot be used in the Name and Description fields for Authorization profiles—%\<>*^:\"|',=. Supported characters for the Name and Description fields are alphanumeric, hyphen, dot, underscore, and space.
- These special characters cannot be used in the Name and Description fields for Time and Date conditions—[%\#$&()~+*@{}!/?;:',=^`]"<>". Supported characters for the Name and Description fields are alphanumeric, hyphen, dot, underscore, and space.
Make a Wish Option not Available in Japanese
If you have configured your localization settings to enable Japanese in your Cisco ISE, note that the Make a Wish option is not available in Japanese.
Radius Logs for Authentication
Details of an authentication event can be viewed in the Details field of the Radius Authentications window. The details of an authentication event are available only for 7 days, after which no data on the authentication event will be visible. All the authentication log data will be removed when a purge is triggered.
Server IP Update Under Trustsec AAA Server List
When the IP address of the Cisco ISE instance is changed using the CLI, Cisco ISE services are restarted. After the services are up, you must change the IP address of the Trustsec AAA server. In the Cisco ISE GUI, click the Menu icon () and choose .
EAP-TLS Authentication Might Fail for Certificates Using TPM Module
In Cisco ISE Release 3.1, EAP-TLS authentication might fail for certificates using a TPM module on Windows 10. This is an issue with the TPM module and not with Cisco ISE.
Use the application configure ise command in the Cisco ISE Admin CLI to enable or disable RSA_PSS signature for EAP-TLS, or to view its current status. The corresponding menu option is: [33]Enable/Disable/Current_status of RSA_PSS signature for EAP-TLS.
3.1P8 SLR registered Node shows SL registered post patch rollback
If you install Cisco ISE Release 3.1 Patch 8 or later releases on a Cisco ISE node, enable Specific License Registration (SLR), and then roll back to an earlier release, the node is automatically registered to Smart Licensing (SL) instead of SLR. In this case, you cannot return SLR because deregistration or update operations will not work due to incorrect licensing configuration. This issue can be resolved through TAC intervention.
To avoid this, you must return SLR before rolling back to an earlier release. Each node has a unique code that you must submit in the Cisco Smart Software Manager (CSSM) to return SLR. If you had enabled SLR before installing Cisco ISE Release 3.1 Patch 8 or later, you do not have to return SLR before rolling back to an earlier release.
Upgrade Information
Upgrading to Release 3.1
You can directly upgrade to Release 3.1 from the following Cisco ISE releases:
- 2.6
- 2.7
- 3.0
If you are on a version earlier than Cisco ISE Release 2.6, you must first upgrade to one of the releases listed above, and then upgrade to Release 3.1.
We recommend that you upgrade to the latest patch in the existing version before starting the upgrade.
Upgrade Packages
For information about upgrade packages and supported platforms, see Cisco ISE Software Download.
Upgrade Procedure Prerequisites
- Run the Upgrade Readiness Tool (URT) before the upgrade to check whether the configured data can be upgraded to the required Cisco ISE version. Most upgrade failures occur because of data upgrade issues. The URT validates the data before the actual upgrade and reports the issues, if any. The URT can be downloaded from the Cisco ISE Download Software Center.
- We recommend that you install all the relevant patches before beginning the upgrade.
For more information, see the Cisco Identity Services Engine Upgrade Guide.
Telemetry
After installation, when you log in to the Admin portal for the first time, the Cisco ISE Telemetry banner is displayed. Using this feature, Cisco ISE securely collects nonsensitive information about your deployment, network access devices, profiler, and other services that you are using. This data will be used to provide better services and more features in the forthcoming releases. By default, telemetry is enabled. To disable or modify the account information, choose Administration > Settings > Network Settings Diagnostics > Telemetry. The account is unique for each deployment. Each admin user need not provide it separately.
It may take up to 24 hours after the Telemetry feature is disabled for Cisco ISE to stop sharing telemetry data.
Types of data collected include Product Usage Telemetry and Cisco Support Diagnostics.
Cisco Support Diagnostics
The Cisco Support Diagnostics Connector enables Cisco Technical Assistance Center (TAC) and Cisco support engineers to obtain support information on the deployment through the primary administration node. By default, this feature is disabled. See the Cisco Identity Services Engine Administrator Guide for instructions on how to enable this feature.
Cisco ISE Live Update Portals
Cisco ISE Live Update portals help you to automatically download the Supplicant Provisioning wizard, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals are configured in Cisco ISE during the initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the corresponding device using Cisco ISE.
If the default Update portal URL is not reachable and your network requires a proxy server, configure the proxy settings. In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Settings > Proxy before you access the Live Update portals. If proxy settings allow access to the profiler, posture, and client-provisioning feeds, access to a Mobile Device Management (MDM) server is blocked because Cisco ISE cannot bypass the proxy services for MDM communication. To resolve this, you can configure the proxy services to allow communication to the MDM servers. For more information on proxy settings, see the "Specify Proxy Settings in Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.
Client Provisioning and Posture Live Update Portals
You can download Client Provisioning resources from:
In the Cisco ISE GUI, click the Menu icon and choose
The following software elements are available at this URL:
- Supplicant Provisioning wizards for Windows and Mac OS X native supplicants
- Windows versions of the latest Cisco ISE persistent and temporal agents
- Mac OS X versions of the latest Cisco ISE persistent agents
- ActiveX and Java Applet installer helpers
- AV/AS compliance module files
For more information on automatically downloading the software packages that are available at the Client Provisioning Update portal to Cisco ISE, see the "Download Client Provisioning Resources Automatically" section in the "Configure Client Provisioning" chapter in the Cisco Identity Services Engine Administrator Guide.
You can download Posture updates from:
In the Cisco ISE GUI, click the Menu icon and choose
The following software elements are available at this URL:
- Cisco-predefined checks and rules
- Windows and Mac OS X AV/AS support charts
- Cisco ISE operating system support
For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the "Download Posture Updates Automatically" section in the Cisco Identity Services Engine Administrator Guide.
If you do not want to enable the automatic download capabilities, you can choose to download updates offline.
Cisco ISE Offline Updates
This offline update option allows you to download client provisioning and posture updates, when direct internet access to Cisco.com from a device using Cisco ISE is not available or is not permitted by a security policy.
To download offline client provisioning resources:
Procedure
Step 1: Go to https://software.cisco.com/download/home/283801620/type/283802505/release/3.1.0.
Step 2: Provide your login credentials.
Step 3: Navigate to the Cisco Identity Services Engine download window, and select the release. The following Offline Installation Packages are available for download:
Step 4: Click either Download or Add to Cart.
For more information on adding the downloaded installation packages to Cisco ISE, see the "Add Client Provisioning Resources from a Local Machine" section in the Cisco Identity Services Engine Administrator Guide.
You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Mac operating systems offline from an archive in your local system, using posture updates.
For offline updates, ensure that the versions of the archive files match the versions in the configuration file. Use offline posture updates after you configure Cisco ISE and want to enable dynamic updates for the posture policy service.
To download offline posture updates:
Procedure
Step 1: Go to https://www.cisco.com/web/secure/spa/posture-offline.html.
Step 2: Save the posture-offline.zip file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Mac operating systems.
Step 3: In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Settings > Posture.
Step 4: Click the arrow to view the settings for posture.
Step 5: Click Updates. The Posture Updates window is displayed.
Step 6: Click the Offline option.
Step 7: Click Browse to locate the archive file (posture-offline.zip) from the local folder in your system.
Step 8: Click Update Now.
Configuration Prerequisites
- The relevant Cisco ISE license fees should be paid.
- The latest patches should be installed.
- Cisco ISE software capabilities should be active.
Monitoring and Troubleshooting
For information on monitoring and troubleshooting the system, see the "Monitoring and Troubleshooting Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.
Ordering Information
For detailed Cisco ISE ordering and licensing information, see the Cisco Identity Services Engine Ordering Guide.
Cisco ISE Integration with Cisco Catalyst Center
Cisco ISE can integrate with Cisco Catalyst Center. For information about configuring Cisco ISE to work with Catalyst Center, see the Cisco Catalyst Center documentation.
For information about Cisco ISE compatibility with Catalyst Center, see the Cisco SD-Access Compatibility Matrix.
Cisco AI Endpoint Analytics
Cisco AI Endpoint Analytics is a solution on Cisco DNA Center that improves endpoint profiling fidelity. It provides fine-grained endpoint identification and assigns labels to various endpoints. Information gathered through deep-packet inspection, and probes from sources such as Cisco ISE, Cisco SD-AVC, and network devices, is analyzed for endpoint profiling.
Cisco AI Endpoint Analytics also uses artificial intelligence (AI) and machine learning capabilities to intuitively group endpoints with similar attributes. IT administrators can review such groups and assign labels to them. These endpoint labels are then available in Cisco ISE if your Cisco ISE account is connected to on-premises Cisco DNA Center.
These endpoint labels from Cisco AI Endpoint Analytics can be used by Cisco ISE administrators to create custom authorization policies. You can provide the right set of access privileges to endpoints or endpoint groups through such authorization policies.
Install a New Patch
For instructions on how to apply the patch to your system, see the "Cisco ISE Software Patches" section in the Cisco Identity Services Engine Upgrade Journey.
For instructions on how to install a patch using the CLI, see the "Patch Install" section in the Cisco Identity Services Engine CLI Reference Guide.
Note: If you installed a hot patch on your previous Cisco ISE release, you must roll back the hot patch before installing a patch. Otherwise, the services might not be started due to an integrity check security issue.
Caveats
The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, use the Cisco Bug Search Tool (BST).
Note: The Open Caveats sections list the open caveats that apply to the current release and might apply to releases earlier than Cisco ISE 3.1. A caveat that is open for an earlier release and is still unresolved applies to all future releases until it is resolved.
New Features in Cisco ISE Release 3.1 - Cumulative Patch 9
Localized ISE Installation
While reinstalling Cisco ISE, you can use the Localized ISE Install option (option 36) in the application configure ise command to reduce the installation time. Though this option can be used for both Cisco Secure Network Server and virtual appliances, it significantly reduces the reinstallation time for Cisco Secure Network Servers. By using this option, you can reduce the reinstallation time from an average of 5-7 hours to approximately 1-2 hours.
For more information, see "Localized ISE Installation" in the Chapter "Cisco ISE CLI Commands in EXEC Mode" in the Cisco Identity Services Engine CLI Reference Guide, Release 3.1.
Resolved Caveats in Cisco ISE Release 3.1 - Cumulative Patch 9
| Identifier | Headline |
|---|---|
| | Umbrella defect to provide information for terminologies used in the Licensing page. |
| | Umbrella defect to display more information on Smart Licensing registration failure. |
| | Data corruptions cause FailureReason=11007 or FailureReason=15022. |
| | Cisco ISE business logic issue - user dictionaries. |
| | SNMPD process causes memory leak on Cisco ISE. |
| | Unable to enforce Identity Access Restricted attribute during authorization. |
| | Invalid request page in Cisco ISE Release 3.2 Patch 5. |
| | Exporting the report beyond a one-month period yields no data. |
| | RADIUS Authentication report exported from the operational data purging page is empty. |
| | Interactive help throws error in console and logs. |
| | Aruba-MPSK-Passphrase needs encryption support. |
| | MAR cache replication fails between peer nodes for both NIC and non-NIC bonding interfaces. |
| | PAN is missing non-significant attribute updates of endpoints from PSNs. |
| | Cisco ISE messaging certificate generation does not replicate a full certificate chain on secondary nodes. |
| | Additional IPv6-SGT session binding is created for IPv6 link local address from SXP ADD operation. |
| | Missing step and resolution text in live logs for attribute. |
| | Unable to delete network device group. |
| | Cisco ISE Passive ID agent error "id to load is required for loading". |
| | Insufficient virtual machine resource alarm is observed in Cisco ISE Release 3.1 Patch 8 longevity setup. |
| | Apache Struts vulnerability affects Cisco products: December 2023. |
| | Cisco ISE 3.2 crashes when RADIUS request is received with EAP-FAST and EAP chaining. |
| | Decryption of session ticket received from the client fails on Cisco ISE. |
| | Abandoned jedis connections are not being sent back to the thread pool. |
| | Current value of Disable_RSA_PSS environmental value is not saved after patch installation. |
| | Verify existence of Per-User dACL on Cisco ISE configuration. |
| | PPAN rest call to MNT nodes (live logs, reports) should not be load balanced. |
| | Cannot set preferred Domain Controllers registry value in advanced tuning. |
| | Cisco ISE Serviceability - Include garbage collector logs, thread dump, heap dump. |
| | TrustSec update CoA and CoA-push is broken. |
| | Installed patches menu does not list all the patches. |
| | Custom attribute retention failure. |
| | Operational backups from the GUI fail to SFTP repositories if the PKI key pair pass phrase contains the symbol +. |
| | Internal system error when premier license is disabled. |
| | Updating DACL using ERS API does not modify last updated timestamp. |
| | Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability. |
| | PSN node crashes while assigning the cpmSessionId. |
| | PRA fails if the end point is within posture lease. |
| | ERS API takes several seconds to update a single endpoint. |
| | Cisco ISE Releases 3.1 or 3.2 are missing validation for existing routes during CLI configuration. |
| | Application server crashes due to metaspace exhaustion. |
| | Cisco ISE does not allow special characters in password while importing certificates. |
| | Cisco ISE Injection Vulnerability. |
| | Some internal users' passwords do not expire after the configured global password expiry date. |
| | Some Cisco ISE users are able to avoid mandatory password reset on the next login. |
| | Advance license consumption issue is seen in Cisco ISE Release 3.1 Patch 7. |
| | Cisco pxGrid getUserGroups API request returns empty response. |
| | Cisco ISE allows saving the policy when an identity store is deleted from another browser tab. |
| | Cisco ISE self-persistent Cross-Site Scripting (XSS) in my reports. |
| | 8 Node longevity - intensive garbage collection observed due to SXP component. |
| | Profiler caches MDM attribute with wrong values. |
| | Cisco ISE services are stuck in initializing with secure syslog. |
| | Cisco ISE ERS API creates enable password option of the internal users even though enable password field is not specified. |
| | Nexpose Rapid 7 Strict-Transport-Security is malformed. |
| | Swap cleanup script to drop the swap area and program the cron. |
| | Failed to delete self registration portal: throws 500 server error. |
| | Issues with updating the CoA retry count to "0". |
| | Convert TACACS persistent authorization to SQL loader approach. |
| | Observing cores related to jstack on the PPAN nodes of regression setup. |
New Features in Cisco ISE Release 3.1 - Cumulative Patch 8
Microsoft Intune Ends Support for UDID-Based Queries for Its MDM Integrations
From March 24, 2024, Microsoft Intune will not support UDID-based queries for its MDM integrations, as detailed in this Field Notice. The Cisco ISE APIs that fetch required endpoint information from Microsoft Intune MDM integrations have changed in response to this end of support.
From Cisco ISE Release 3.1 Patch 8, Microsoft Intune only provides the following endpoint details in response to compliance APIs:
- Device compliance status
- Managed by Intune
- MAC address
- Registration status
For more information on these changes, see Integrate MDM and UEM Servers with Cisco ISE.
Wi-Fi Device Analytics Data from Cisco Catalyst 9800 Wireless LAN Controller
You can create profiling policies, authorization conditions, and authentication conditions and policies for Apple, Intel, and Samsung endpoints, using device analytics data from the Cisco Wireless LAN Controllers integrated with your Cisco ISE.
For more information, see "Wi-Fi Device Analytics Data from Cisco Catalyst 9800 Wireless LAN Controller" in the Chapter "Asset Visibility" in the Cisco ISE Administration Guide, Release 3.1.
Resolved Caveats in Cisco ISE Release 3.1 - Cumulative Patch 8
| Identifier | Headline |
|---|---|
| | Read-only admin group users have full access when logging into Cisco ISE GUI through SAML authentication. |
| | Cisco ISE CRL retrieval failed alarm does not mention server on which CRL download failed. |
| | Unable to delete custom endpoint attributes due to malfunctioning of "trash" button. |
| | Unable to bind Cisco ISE messaging service with SubjectAltName extension while using wildcard certificate. |
| | Tterrors.log and times.log are missing in support bundle. |
| | Unable to change TrustSec status when using Japanese UI. |
| | Unable to log in to the secondary admin node Cisco ISE GUI using AD credentials. |
| | Vulnerabilities in Cisco ISE allow unwarranted arbitrary file upload. |
| | Cisco ISE REST API documentation provides incorrect script while creating endpoint group. |
| | A match authorization profile with SGT, VN name, VLAN fields empty causes port to crash. |
| | Expired guest accounts don't receive SMS when they try to reactivate account. |
| | Disabled essential license leads to limited Cisco ISE GUI page access and inability to regenerate root CA. |
| | During first device connection attempt, Cisco ISE does not update the Acs.Username field with the guest username. |
| | Unable to edit and save security group ACL. |
| | The OpenAPI for endpoints is not working for the existing IOT asset attributes. |
| | When command set includes special characters, the UI shows HTML hexadecimal instead of the character. |
| | Download failure for "agent resources from Cisco site". |
| | SXP service stuck in initializing due to H2 DB delay in querying bindings. |
| | ERS API query of the network device component returns primary shared secrets for primary and secondary fields. |
| | ANC remediation is not functioning with AnyConnect VPN. |
| | Unable to launch sponsor portal after edits to interface on the existing portal. |
| | Cisco ISE Release 3.1 and Release 3.0: Portal tag with special character faces validation issues. |
| | Date of last purge has a wrong timestamp. |
| | ISE:TACACS:PSN crashes during maximum user session authentication flow. |
| | MNT log processor is enabled on non-MNT admin Cisco ISE node. |
| | SXP Bindings report shows "no data found". |
| | Allow launch program remediation to have a set order. |
| | Some items are displayed as [Test] in Japanese display. |
| | Inconsistency in VLAN ID results in error message: Not a valid ODBC dictionary. |
| | MNT log processor service stops functioning during night-time. |
| | UI pages are not loading properly with custom admin menu workcenter permissions. |
| | Cisco ISE cannot load corrupted NAS profiles, which causes authorization drops due to failure Reasons 11007 and 15022. |
| | Drag and drop of a saved condition is unreadable. |
| | Numbering issues observed for DACL entries in Firefox 45 and Chrome 72, and all later issues. |
| | RADIUS server sequence configuration gets corrupted. |
| | Cisco ISE upgrade fails because of custom security group. |
| | Cisco ISE is unresponsive while importing certificate when the special character (%) is added in the private key password field or the friendly name field. |
| | Data is lost when accessing total compromised endpoints in Cisco ISE dashboard threat for TC-NAC. |
| | Reconfiguration of repository with credential is required after restoration of configuration backup. |
| | Cisco ISE Release 3.1: Administrator login report displays "administrator authentication failed" in 5 min intervals. |
| | Cisco ISE alarm and dashboard summary fails to load. |
| | Cisco ISE path traversal vulnerability detected. |
| | Accept client certificate without KU purpose validation as per Cisco SSL rules. |
| | SXP creates inconsistent mapping between IP address and SGT. |
| | Cisco ISE Release 3.1: Agentless posture flows fail when a domain user is configured for endpoint login. |
| | Cisco ISE SXP bindings API call returns 2xx response when the call fails. |
| | Cisco ISE API doesn't recognize identity groups while creating user accounts. |
| | From Cisco ISE CLI, read-only users cannot run a show CPU usage command. |
| | NAD RADIUS shared secret key is incorrect when it starts with an apostrophe on Cisco ISE Release 3.1 Patches 1, 2, 3, 4, and 5. |
| | Cisco ISE Release 3.2 BETA: GUI is not accessible after enabling TLS 1.0. |
| | An endpoint's MAC address is not added to the endpoint identity group when using grace access in the guest portal. |
| | Vulnerabilities detected in hibernate-validator in multiple versions. |
| | Context Visibility: Unable to filter endpoint custom attributes with special characters. |
| | Cisco ISE Release 3.0: Disabled domains in allowed domains make connection attempts to ad_agent.log domains. |
| | Cisco ISE sponsor portal shows invalid input error when using special characters in the guest type name. |
| | Cisco ISE Open API: /certs/system-certificate/import must support multi-node deployment. |
| | Cisco ISE Release 3.1 shows "error creating 1 domain controller" already exists, although it is a new deployment. |
| | Guest portal FQDN is mapped with IP address of the node in the database. |
| | Post SL update, Cisco ISE licensing page shows evaluation compliance status for consumed licenses. |
| | Hexadecimal username stays in the database even after deleting SNMPv3 username with "-" or "_" characters. |
| | Cisco ISE Release 3.1 Patch 5: Attempting to delete Guest portal after PAN failover fails. |
| | Enhancement for encryption should only send AES256 for MS-RPC calls. |
| | Cisco ISE Release 2.7: Unable to disable active directory diagnostic tool scheduled tests. |
| | Cisco ISE privilege escalation vulnerability. |
| | Cisco ISE arbitrary file upload vulnerability. |
| | Cisco ISE filter of REST ID store groups displays error processing this request. |
| | Cisco ISE messaging service flapping between "not running" and "initializing". |
| | Agentless posture script does not run when the endpoint is not connected to an AC power source. |
| | Terms and conditions checkbox disappears when portal builder is used for Cisco ISE Release 3.0 and higher. |
| | Cisco ISE Release 2.6 Patch 7 is not able to match "identityaccessrestricted equals true" in authorization policy. |
| | Cisco ISE Release 3.0 Patch 6: Policy export fails to export the policies. |
| | In Cisco ISE Release 3.2, the self-registered email subject line truncates everything after the equal (=) sign on the sponsor guest portal. |
| | Cisco ISE: "Error 400" displayed when fetching device admin network conditions via OpenAPI. |
| | Cisco ISE Release 3.1 services failed to start after restoring backup from Cisco ISE Release 2.7. |
| | Cisco ISE certificate API fails to return trusted certificate with special characters in friendly name. |
| | Sponsors are unable to view guest accounts in a specific sponsor group. |
| | Cisco ISE EasyConnect stitching does not happen when the PassiveID syslog is received by MnT before the active authentication syslog. |
| | Live session is stuck at "authenticated" state. |
| | Cisco ISE Release 3.1: Key attributes are missing in session cache when third-party network device profile is in use. |
| | Cisco ISE is not sending SNMPv3 disk traps to configured SNMP server. |
| | Unable to select Cisco ISE messaging usage for an existing certificate as it is grayed out. |
| | Even with the PSN persona disabled, TACACS port 49 is still open. |
| | Insecure HTTP PUT method accepted. |
| | Session info is not stored in timed session cache during third party posture flow. |
| | ANC with Aruba switches sends incorrect AVPs when invoked. |
| | Aruba-MPSK-Passphrase needs encryption support. |
| | The user identity group and endpoint identity group description fields have a character limit of 1199. |
| | IoT asset information is missing when "get all endpoints" option is in use. |
| | Cisco ISE Release 2.7 Patch 6 is unable to filter TACACS live logs by network device IP. |
| | Profiling is not processing calling station ID values with the following format: XXXXXXXXXXXX. |
| | Static IP-SGT mapping with VN reference causes DNAC group-based policy sync to fail. |
| | Cisco ISE Release 3.1 Patch 5: Cannot generate pxGrid client certificate leveraging the CSR option. |
| | While registering node with leftover certificates from deregistration, the certificates that are currently in use get deleted. |
| | Trash all or selected option at pxGrid policy should not touch entries for internal group. |
| | Cisco ISE patch GUI installation is stuck on a specific Cisco ISE node in deployment. |
| | Cisco ISE agentless posture does not support password containing a colon. |
| | SQL exception sent to the collection failure alarm is caused by NAS-Port-id length. |
| | Cisco ISE displays tomcat stacktrace when a specific URL is in use. |
| | Cisco ISE cannot retrieve a peer certificate during EAP-TLS authentication. |
| | "Export all network devices" option gives an empty file. |
| | "Get all endpoints" option request takes much longer time to execute since Cisco ISE Release 2.7. |
| | RBAC policy with custom permissions is not working when administration menu is hidden. |
| | Cisco ISE Release 3.2 is missing S-PAN key for PKI-based SFTP. |
| | EAP-TLS authentication with ECDSA certificate fails on Cisco ISE Release 3.1. |
| | Endpoint .csv file import displays "no file chosen" after selecting the file. |
| | REST AUTH services are not running after upgrade from Cisco ISE Release 3.1 to Release 3.2. |
| | Profiler CoA sent with the wrong session ID. |
| | Cisco ISE in AWS: Health check I/O bandwidth performance check false alarm. |
| | Launch page level help is not working for patch management, upgrade, and health checks. |
| | ct_engine is using 100% CPU. |
| | Group Based Policy Security Groups or Access Contracts with multiple backslash characters in a row in the description cause data sync failure. |
| | Sponsor permissions are disabled on sponsor portal when accessed from the primary PAN persona. |
| | Disabling "disclose invalid usernames" shows a popup stating that the app server will restart. |
| | Sponsor portal German calendar shows Thursday (Donnerstag) as Di instead of Do. |
| | Agentless posture is not working in Windows if the username starts with the special character '$'. |
| | Cisco ISE authorization profile displays wrong security group and VN value. |
| | Using an apostrophe in the first name and/or last name field presents an invalid name error. |
| | Registered endpoint report shows unregistered guest devices. |
| | Cisco ISE Intune MDM integration may be disrupted due to end of support for MAC address-based APIs from Intune. |
| | Cisco ISE limits connection to AMP AMQP service to TLSv1.0. |
| | The quick filter option for SXP domains is unusable if more than 25 rows are displayed. |
| | Cisco ISE includes a version of Apache Commons FileUpload that is affected by the vulnerability with CVE ID CVE-2023-24998. |
| | Unable to disable SHA1 for ports associated with passive ID agents. |
| | Cisco ISE Release 3.1 Patch 7: Unable to change admin password if it contains special character '$'. |
| | Add the "disable EDR internet check" tag. |
| | Vulnerabilities in log4net 2.0.8.0. |
| | Cisco ISE Release 3.1 Patch 5 install hangs indefinitely, and updates timesten sys.odbc.ini for TCNAC. |
| | TCP sockets stuck in CLOSE_WAIT state. |
| | Lightweight session directory is causing high bandwidth utilization. |
| | Enhancement: Include a separate log file with MNT database metrics. |
| | Cisco ISE IP SGT static mapping is not sent to SXP domain even after shift to another mapping group. |
| | During upgrade, the deregister call fails to remove all the nodes from the database. |
| | Cisco ISE-PIC license expiration alarm is an error. |
| | Cisco ISE on AWS: Operational database has limited allocation. |
| | TACACS deployment with zero day evaluation does not work after registering to smart licensing. |
| | Attempt to delete 'Is IPSEC Device' NDG causes all subsequent RADIUS/T+ authentications to fail. |
| | Session gets stuck indefinitely when NAD (Meraki) misbehaves unless restarted. |
| | Automatic crash decoder is not decoding functions properly. |
| | Cisco ISE Release 3.1 Patch 7: No virtual networks visible under security group in authorization profile. |
| | Cisco ISE drops RADIUS request with the message "request from a non-wireless device was dropped". |
| | Unable to change the condition operator from AND to OR in posture policy condition. |
| | Fix to the bug CSCwd35608 is causing CoA calls from UI to be sent to the wrong IP. |
| | VLAN detection interval should not exceed 30 seconds. |
| | Cisco ISE Release 3.1 Patch 5: Agentless posture failures cause /tmp/ folder size increase. |
| | Authorization based on internal user ID group fails without the RADIUS-token authorization for VPN. |
| | Profiler is triggering a port bounce when multiple sessions exist on a switch port. |
| | Cisco ISE Admin CLI reset-configuration fails to reset bond interfaces. |
| | SCCM integration with Cisco ISE needs MSAL support as MS is deprecating ADAL. |
| | German and Italian emails cannot be saved under account expiration notification in guest type. |
| | TopN Device and admin reports do not work when TACACS incoming exceeds 40M records per day. |
| | Cisco ISE on AWS doesn't work if metadata (IMDS) version value "V2 only" is selected. |
| | Update warning message while changing timezone. |
| | Cisco ISE Release 3.2: Unable to receive IP-to-SGT mappings from APIC. |
| | TLS 1.0 or 1.1 is accepted at Cisco ISE Release 3.0 admin portal. |
| | User custom attributes are stuck in rendering state. |
| | Smart license registration failure with "communication send error" alarms is displayed intermittently. |
| | Cisco ISE changes the MAC address format to an unacceptable MAC address format. |
| | Unable to edit or delete authorization profiles with parentheses in the name. |
| | Manual deletion of the static route causes Cisco ISE to send packet with wrong MAC in Release 3.0 patch 7. |
| | Cisco ISE maximum session counter time limit is not working. |
| | Cisco ISE Release 3.1: Previous version hotpatch is visible in the database. |
| | Unable to schedule or edit schedule for the configuration backup. |
| | Cisco ISE Release 3.2 Patch 3: PEAP and EAP-TLS do not work in FIPS mode. |
| | Cisco ISE Release 3.0 Patch 4 is unable to access system certificates page for the registered node. |
| | Unable to edit or create admin user due to "xwt.widget.repeater.DataRepeater" error. |
| | Vulnerable JS library issue found while executing ZAP. |
| | AD connector process does not shut down. |
| | Permission for collector.log file is set as root automatically. |
| | Cisco ISE Release 3.1 Patch 7: GUI is missing custom attributes delivered via pxGrid ContextIn. |
| | Cisco ISE nodes intermittently trigger queue link alarm: cause=timeout. |
| | Static IPv6 routes are removed after a reload in Cisco ISE Release 3.2. |
| | RADIUS Vendor specific integer attributes are visible as garbage in debug logs. |
| | The syslog audit record for the certificate authentication failure is absent due to an internal error. |
| | The certificates API - /admin/API/PKI/TrustCertificates is not exposed but breaks Cisco DNA Center integration with AD username. |
| | The RADIUS live log delay issue caused by a problem in indexation is fixed. |
| | All network device groups are deleted when a child item is removed from any group. |
| | Cisco ISE Release 3.2 API: System certificate import does not work for a Cisco ISE node in the deployment. |
Open Caveats in Cisco ISE Release 3.1 - Cumulative Patch 8
| Caveat ID Number | Description |
|---|---|
| | After a patch install on Cisco ISE, TC-NAC adapters will not be reachable and new adapters cannot be configured. |
| | In 3.1 Patch 8: Observing Insufficient Virtual Machine Resource Alarm in 3.1 Patch 8 Longevity setup. |
New Features in Cisco ISE Release 3.1 - Cumulative Patch 7
Link External LDAP Users to Cisco ISE Endpoint Groups
From Cisco ISE Release 3.1 Patch 7, you can assign external LDAP user groups to Endpoint Identity Groups for guest devices using the Dynamic option. For more information, see "Create or Edit Guest Types" in the chapter "Guest and Secure WiFi" in the Cisco Identity Services Engine Administrator Guide, Release 3.1.
Resolved Caveats in Cisco ISE Release 3.1 - Cumulative Patch 7
| Identifier | Headline |
|---|---|
| | CPU spike due to memory leak with endpoints purge call |
| | Internal CA certificate chain becomes invalid if the original primary PAN is removed |
| | Import SAML metadata fails |
| | Certificate-based GUI admin login stuck |
| | GET /ers/config/activedirectory/{id}/getUserGroups does not return group names with returned data |
| | Passive ID agent sends incorrect time format events |
| | Cannot create identity user if the user custom attribute includes characters '$' or '++' |
| | Unable to save launch program remediation when the parameter contains double quotes ("") |
| | Cisco ISE Release 3.2 ROPC basic serviceability improvements |
| | Cisco ISE smart licensing now uses smart transport |
| | Cisco ISE Release 3.1 Azure AD autodiscovery for MDM API v3 is incorrect |
| | Unable to enable the firewall condition in Cisco ISE Release 3.1 |
| | When you export a scheduled report of a large size, it is displayed as empty in the repository |
| | Cisco ISE-DNAC integration fails if there are invalid certificates in the Cisco ISE trusted certificates store |
| | Guest portal displays the error loading page when the reason for visit field contains special characters |
| | TrustSec PAC information field attribute values are lost when you import a network device CSV template file |
| | MNT authorization status API query should be optimized |
| | Unable to add quotation character in TACACS authorization profile |
| | Automatic backup stops working after 3 to 5 days |
| | Cisco ISE-PIC Release 3.2 FCS: smart licensing: PIC upgrade: out of compliance |
| | Cisco ISE Release 3.1: certificate-based login asks for license file if only the device admin license is enabled |
| | Qualys adapter is unable to download the knowledge base. Stuck at knowledge download in progress |
| | Cisco ISE cannot retrieve OU attributes from client certificate in EAP-TLS session resumption |
| | '/' in command arguments is not preserved after CSV import of the T+ command set |
| | Cisco ISE does not delete sessions from all SXP mapping tables |
| | Network device profile shows HTML code as name |
| | Unable to create scheduled backup with admin user from 'system admin' admin group |
| | Cisco ISE Release 3.2: SAML sign authentication request setting is unchecked upon save |
| | DNS cache enabling command in FQDN syslog popup needs correction |
| | Cisco ISE-PIC Release 3.1: PIC license: consumption 0 |
| | Cisco ISE fails to translate AD attribute of msRASSavedFramedIPAddress |
| | Cisco ISE Release 3.1: passiveID - probes agents for status of all domains being monitored |
| | When importing a new certificate for a portal, Cisco ISE fails to establish secure connection |
| | Internal CA certificate chain becomes invalid if original primary PAN is removed |
| | Getting pxGrid error logs in ise-psc.log after disabling pxGrid |
| | Cisco ISE SAML destination attribute is missing for signed AuthnRequests |
| | Cisco ISE debug wizard posture profile does not contain client-webapp component to DEBUG |
| | Posture assessment by condition generates ORA-00904: <SYSTEM_NAME>: invalid identifier |
| | Sponsor portal print issue for from-first-login guest account expire details |
| | Not able to download support bundles greater than 1 GB from the GUI |
| | Agentless posture fails when using multiple domain users in the endpoint login configuration |
| | MDM: connection to Microsoft SCCM fails after Windows DCOM server hardening for CVE-2021-26414 |
| | Cisco ISE 3.0.458: enable_passwdless_auth.exp needs modification for mac clients |
| | Read-only admin is not available for Cisco ISE admin SAML authentication |
| | Unable to import certificates on secondary node after registration |
| | Session directory write fails with the alarm Cisco NAD using user-defined NAD profile |
| | WMI status shows progress after mapping from agent protocol to WMI protocol |
| | Authentication against ROPC identity store fails with RSA key generation error |
| | Cisco ISE Release 3.1 patch 3: sponsor portal: session cookie SameSite value is set to none |
| | Unable to join node to AD by REST API if we configure a specific OU |
| | Admin account created from network access users cannot change dark mode setting |
| | CIAM: xstream 1.4.17 |
| | TACACS command accounting report export is not working |
| | SMS Javascript customization is not working for SMS email gateway |
| | Cisco ISE OpenApi restore displays complete long before show command displays complete |
| | Smart license registration is not working. Error while enabling the smart license |
| | Cisco ISE Release 3.1 configuration backup executed on primary MNT node |
| | Failed to handle API resource request: failed to convert condition |
| | Cisco ISE Africa/Cairo Timezone DST |
| | Mexico time zone incorrectly changes to daylight saving |
| | Cisco ISE does not remove SXP mapping when SGT is changed after CoA |
| | Vulnerabilities in jszip 3.0.0 |
| | Posture configuration detection alarms should be INFO level and reworded |
| | Cisco DNA Center integration issue due to more internal CA certificates |
| | Make MDM API v3 certificate string case insensitive |
| | Authorization policy evaluation fails due to NullPointerException in LicenseConsumptionUtil.java. |
| | Cisco ISE 3.1 patches 4 and 5: standalone ISE crashes if restarted after removing admin access restriction |
| | No validation of PBIS reg key configuration on advance tuning page |
Open Caveats in Cisco ISE Release 3.1 - Cumulative Patch 7
| Caveat ID Number | Description |
|---|---|
| | Cisco ISE cannot retrieve a peer certificate during EAP-TLS authentication. |
| | ISE 3.1 patch 7: no VNs under security group in authorization profile. |
| | In 3.1 Patch 8: Observing Insufficient Virtual Machine Resource Alarm in 3.1 Patch 8 longevity setup. |
New Features in Cisco ISE Release 3.1 - Cumulative Patch 6
Support for Cisco Secure Network Server 3700 Series Appliance
The Cisco Secure Network Server (SNS) 3700 series appliances are based on the Cisco Unified Computing System (Cisco UCS) C220 Rack Server and are configured specifically to support Cisco ISE. Cisco SNS 3700 series appliances are designed to deliver high performance and efficiency for a wide range of workloads.
The Cisco SNS 3700 series appliances are available in the following models:
- Cisco SNS 3715 (SNS-3715-K9)
- Cisco SNS 3755 (SNS-3755-K9)
- Cisco SNS 3795 (SNS-3795-K9)
Cisco SNS 3715 appliance is designed for small deployments. Cisco SNS 3755 and Cisco SNS 3795 appliances have several redundant components such as hard disks and power supplies and are suitable for larger deployments that require highly reliable system configurations.
For more information, see the Cisco Secure Network Server 3700 Series Appliance Hardware Installation Guide.
Note |
Cisco ISE 3.1 Patch 6 and later versions support Cisco SNS 3700 series appliances. Hence, you cannot roll back to Cisco ISE 3.1 after installing the first patch (Cisco ISE 3.1 Patch 6 or later) on an SNS 3700 series appliance; the rollback fails in this case. You can reinstall Cisco ISE 3.1 Patch 6 or later from the CLI to recover the node. |
Bulk Update and Bulk Delete Support for Context-In API in pxGrid Cloud
From Cisco ISE Release 3.1 Patch 6, the pxGrid Cloud Context-In API supports bulk update and bulk deletion of endpoints. For more information, see the Cisco pxGrid Cloud Onboarding Guide and the Cisco ISE API Reference Guide.
Resolved Caveats in Cisco ISE Release 3.1 - Cumulative Patch 6
| Identifier | Headline |
|---|---|
| | Configuration Changed is not working when assigning an endpoint to a group |
| | ADE-OS Sensitive Information Disclosure Vulnerability |
| | ISE 3.1 TFTP copy times out |
| | ISE-PIC does not show Queue Link Errors |
| | ISE 3.1 AD Retrieve Groups shows a blank page when loading a big number of AD groups 400+ |
| | Toggle to enable/disable RSA PSS cipher based on policy under Allowed Protocols |
| | ISE is sending old Audit Session ID in reauth CoA after previously successful port-bounce CoA |
| | Unable to retrieve groups/attr from diff LDAP when defined per node |
| | PRRT should be sending unfragmented messages to MnT if IMS is enabled to avoid merge |
| | ERS API internal error seen while creating existing NDG |
| | ISE is unable to save the Subnet/IP Address Pool Name for voice VLANs. |
| | UI crashed while loading authz policy on chrome and edge browser |
| | Radius Token Server config accepts empty host IP for Secondary Server |
| | Self-reg portal does not support nodes fqdns for the Approve/Deny links sent to the sponsors. |
| | Device Administration using Radius does not consume base license |
| | ISE 3.0 patch 6 : Missing Scheduled Reports |
| | ISE 3.1: Application server crashes if CRL is downloaded frequently having size 5 MB or more. |
| | Multiple requests for same IP+VN+VPN combinations with diff session ID creating duplicate records |
| | ISE 3.1 patch 5 : No dictionary attribute with id [11055] |
| | Radius Server Sequence page showing "no data available" |
| | SXP service gets stuck in initializing due to an exception on 9644. |
| | 3.1 patch 5: app server and api gateway service not running |
| | ISE Authentication latency from devices with no mac address |
| | ISE - Network device captcha only prompting when filter matches only 1 Network device |
| | ISE 3.1 patch 4 : GUI : Certificate Authentication : Permissions |
| | ISE scheduled radius authentication reports failed while exporting to SFTP repository |
| | Fix for CSCvz85074 breaks AD group retrieval in ISE |
| | [ENH] Session stitching support with ISE PIC Agent |
| | Unable to download rest-id-store from Download Logs on GUI |
| | vulnerable jQuery version found in Admin UI |
| | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability |
| | High CPU Utilization Due To Agentless Posture Configured |
| | 3.1 Respin: interface status is showing UP even after shutdown |
| | ISE 3.2 ERS POST /ers/config/networkdevicegroup fails - broken attribute othername/type/ndgtype |
| | ISE 3.1 patch 3 unable to import endpoints from csv file if SAML is used |
| | [CFD] Mapped SGT entry cleared from AuthZ Rules on ISE if SG name is modified in Cisco DNA Center |
| | ISE 3.1 creates cni-podman0 interface with IP 10.88.0.1 and ip route for 10.88.0.0/16 |
| | URI not Accepted as Group attribute or as Name in Assertion of attributes for SAML IdP in 3.1/3.2 |
| | ENH: Allow Guest Portal HTTP Requests Containing Content-headers with {} Characters |
| | Queue Link Errors "Unknown CA" when utilizing third-party signed certificate for IMS |
| | Issues when changing ISE IP address. |
| | ISE with 2 interfaces configured for portal access is broken |
| | ISE vPSN with IMS performance degrades by 30-40% compared to UDP syslog |
| | ISE openAPI HTTP repo patch install fails when dir listing is disabled |
| | Vertical Scrollbar Bug - ISE 3.1 |
| | Primary Admin PPAN application server stuck at initializing state |
| | ISE upgrade tab shows upgrade in progress after installing patch |
| | Error Loading Page error is output when creating a guest account in the Self-Registered Guest Portal |
| | ISE 3.2 : APIC Integration : missing fvIP subscription |
| | Cisco Identity Services Engine Interface Feature Insufficient Access Control Vulnerability |
| | Open API Endpoint Post returns 200 instead of 201 |
| | Posture Requirements only show the default entry |
| | Cisco Identity Services Engine Command Injection Vulnerability |
| | GUI TCPDUMP gets stuck on Stop_In_Progress |
| | IndexRebuild.sql script ran over MNT |
| | ISE 3.1 p1 : Entering incorrect password on GUI shows end user agreement |
| | Save button for SAML configuration grayed out |
| | OpenAPI for EP create/update should work same as ERS API in addition to providing more functionality |
| | Sec_txnlog_master table should be truncated post 2M record count |
| | Cisco Identity Services Engine Insufficient Access Control Vulnerability |
| | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability |
| | ISE 3.1p5 verifies CA certificate EKU causing "unsupported certificate" error |
| | ISE cannot retrieve repositories and scan policies of Tenable Security Center |
| | ISE not sending hostname attribute to DNAC |
| | PUT operation failing with payload via DNAC to ISE (ERS) |
| | Not able to access Time Settings Configuration Export on ERS API |
| | ISE Change Configuration Audit Report does not clearly indicate SGT create and delete events |
| | Unable to add Network Access Device. Reason: "There is an overlapping IP Address in your device" |
| | ISE 3.1 BH Context visibility shows \\ in username where as live logs show correct single \ |
| | ISE TCPDUMP stuck at "COPY_REPO_FAILED" state when no repository is selected |
| | ISE 3.1 ENH "Illegal hex characters in escape (%) pattern ? For input string: ^F" |
| | Cisco Identity Services Engine XML External Entity Injection Vulnerability |
| | pxGrid session publishing stops when reintegrating FMC while P-PIC is down |
| | Network Device Port Conditions -IP Addresses/Device Groups- doesn't accept valid port strings. |
| | ISE 3.1 P4 Passive DC configuration failing to save username correctly |
| | ISE 3.1 P3 SAML SSO Doesn't work if active PSN goes down |
| | Not able to add too many Authorization Profiles with active session alarm setting |
| | All NADs are getting deleted while doing Filter on NDG Location and IP |
| | ISE abruptly stops consuming passive-id session from a 3rd party Syslog server |
| | ERS API Schema for Network Device Group Creation |
| | Incorrect SLR out of compliance error reported in ISE |
| | Getting System Error : Null while editing the groups and adding Name in Assertion under SAML |
| | "The phone number is invalid" when trying to import users from csv file. |
| | ISE 3.1 certain SFTP servers stopped working after upgrade to patch 4/5 |
| | Add ability to disable TLS 1.0 and 1.1 on ISE PIC node |
| | ISE 3.1: Installation of P3 does not upgrade the v$timezone_file from 32 to 34 |
| | Persisting of Reprofiling result is not updating to Oracle/VCS after feed incremental update |
| | ISE 3.2/3.1/3.0 displays mismatched information on "Get All Endpoints" report |
| | Mismatched Information between CLI export and Context Visibility |
| | Context Visibility CSV exported from CLI not showing IP Addresses |
Open Caveats in Cisco ISE Release 3.1 - Cumulative Patch 6
| Identifier | Headline |
|---|---|
| | 3.1 patch 6: Unable to launch sponsor portal with eth1 FQDN (different DNS) when existing portal is edited. |
| | Wildcard certificate imported on PPAN not replicated to other nodes in deployment. |
| | In 3.1 Patch 8: Observing Insufficient Virtual Machine Resource Alarm in 3.1 Patch 8 longevity setup. |
New Features in Cisco ISE, Release 3.1 - Cumulative Patch 5
Automatically Assign Logical Profiles to Endpoints
When an endpoint goes through Cisco ISE profiling workflows, if the endpoint matches an endpoint profiling policy with an associated logical profile, the endpoint is automatically assigned the logical profile.
pxGrid Cloud Support for Context-in
From Cisco ISE Release 3.1 Cumulative Patch 5, pxGrid support for context-in is available. pxGrid Cloud context-in support is provided through ERS and Open APIs. For more information, see the pxGrid Cloud Onboarding Guide.
Support for Cisco Secure Client
Cisco ISE 3.1 Patch 5 supports both AnyConnect and Cisco Secure Client for Windows, macOS, and Linux operating systems. The following Cisco Secure Client versions are supported for these operating systems:
- Windows: Cisco Secure Client version 5.00529 and later
- macOS: Cisco Secure Client version 5.00556 and later
- Linux: Cisco Secure Client version 5.00556 and later
You can configure both AnyConnect and Cisco Secure Client for your endpoints on these operating systems, but only one policy is considered at run time for an endpoint.
Required URL for Smart Licensing
Cisco ISE Release 3.1 Patch 5 uses https://smartreceiver.cisco.com to obtain Smart Licensing information.
Resolved Caveats in Cisco ISE Release 3.1 - Cumulative Patch 5
The following table lists the resolved caveats in Release 3.1 cumulative patch 5.
| Identifier | Headline |
|---|---|
| | ise hourly cron should cleanup the cached buffers instead of the 95% memory usage |
| | ENH: ISE with Twilio MessagingServiceSid for SMS gateway |
| | ISE ERS SDK network device bulk request documentation is not correct |
| | NetworkSetupAssistance.exe digital signature certificate expired in BYOD flow using Windows SPW |
| | Error with SNMPv3 Privacy Password on ISE 3.1 only |
| | ISE Config Backup Fails due to SYS_EXPORT_SCHEMA_01 |
| | GUI not validating default value while adding custom attributes |
| | ISE 3.1 REST API typo in SNMP password parameters |
| | ISE 3.2 displays the error: "TypeError: Cannot read properties of undefined (reading 'attr')" |
| | HTTP 400 response in Repo OpenAPI when an SFTP/FTP repo user password contains ! (exclamation mark) |
| | Latency observed during query of Session.PostureStatus |
| | ISE TrustSec Logging - SGT create event is not logged to ise-psc.log file |
| | SYS.DBMS_RCVMAN too old |
| | Unable to add SAML ID provider on 3.1 p1 when we did config restore from older ISE |
| | Save button for SAML configuration grayed out |
| | Passive Easy connect does not work in ISE with Dedicated MnT nodes |
| | ISE 3.1 \| Metaspace exhaustion causes crashes on ISE node |
| | scheduled backup failure when ISE indexing engine backup failed |
| | ERS API doesn't allow for use of minus character in "Network Device Group" name. |
| | Deleted network device groups still showing up in the policy sets |
| | Cisco Identity Services Engine Unauthorized File Access Vulnerability |
| | ISE 3.0 NFS share stuck |
| | Changing Parent Identity Group name breaks authorization references |
| | Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
| | Inconsistent IP to SGT mapping after several re-authentications when VN value is changing |
| | ISE AD Connector fails during join |
| | Unable to change the Identity source from internal to external RSA/RADIUS-token server |
| | Precheck may get timed out with optimistic locking failed in ise-psc.log on ppan |
| | Slowness on Support Bundle page due to Download Logs page loading in the background. |
| | Error handling/messaging for mobile number format not clear |
| | CSV NAD import is rejected if += characters are at the beginning of the RADIUS shared secret |
| | Profiler Condition not displaying the Attribute Value |
| | Duplicate Manager doesn't remove packet when there is an exception in reading config |
| | Intermittent issues with App activation or App not receiving events |
| | Guest locations do not load in ISE Guest Portal |
| | Supported HTTP methods are visible |
| | RMQForwarder thread to control based on hardware Appliance in platform.properties on 2.7 p7 |
| | ISE-2.x: Intune MDM Alarm for connectivity \|\| 401 Unauthorized |
| | "All devices were successfully deleted" after trying to delete one particular NAD by filtering |
| | ISE is showing Incorrect VLAN assignment Information in Authorization profile > Attributes Details |
| | ISE RADIUS and PassiveID session merging |
| | Add serviceability & fix "Could not get a resource since the pool is exhausted" Error on ISE 3.0 |
| | ISE sending SXP MSG size > 4096 bytes in SXP Ver 4 |
| | Auth Step latency for policy evaluation due to GC activity |
| | RMQ TLS syslogs related to internal docker ip 169.254.2.2 are sent to Audit logs |
| | Tacacs responses are not sent sometimes with single connect enabled |
| | ISE ERS SDK the authenticationSettings are not disabled via API call |
| | "File path field must contain a valid file name" error when configuring file conditions for posture. |
| | Getting page not accessible pop-up message on ISE-PIC |
| | "Invalid Length" TACACS Auth Failures within Live Logs for non-TACACS traffic |
| | EAP-TEAP with EAP-TLS unable to match condition that has "CERTIFICATE.Issuer - Common Name" |
| | ISE 3.0 not saving SCCM MDM server object with new password, works when new instance is used |
| | Licensing only displays one reserved count if licenses reserved in CSSM have multiple expiry dates |
| | The change of profiling policy name is not reflected on the policy set conditions automatically |
| | Schema upgrade failed while modifying constraints for 3.1->3.2.0.804 upgrade |
| | Unable to export certificate with private key using API |
| | ISE: SAML flow with loadbalancer is failing due to incorrect token handling on ISE |
| | ANC COA is sent to the NAS ip address instead of the Device ip address. |
| | LSD is causing high CPU |
| | Using "Export Selected" under Network Devices aborts to login screen w/ more than X selections |
| | Windows Server 2022 is actually working as the target domain controller to be monitored |
| | Profiler should ignore non-positive RADIUS syslog messages for forwarding from default RADIUS probe |
| | Device Administration using Radius does not consume base license |
| | ISE : Static default route with gateway of interfaces other than Gig 0 breaks network connectivity |
| | CONTEXT VISIBILITY ENDPOINT AUTHENTICATION TAB NOT SHOWING DATA ISE 3.1 |
| | My Devices Portal doesn't open after reloading the node unless we do CRUD. |
| | Certificate signing request should not be case sensitive |
| | ISE detects large VMs as Unsupported |
| | ISE 3.1 Patch 1 does not create the Rest ID/ROPC folder logs |
Open Caveats in Cisco ISE Release 3.1 - Cumulative Patch 5
The following table lists the open caveats in Release 3.1 - Cumulative Patch 5.
| Bug ID | Description |
|---|---|
| CSCwd70346 | After a full upgrade to Cisco ISE Release 3.1 patch 5, the precheck page loads with old selected data, and the start button is disabled. |
| CSCwd97582 | Cisco ISE Release 3.1 Patch 5 verifies CA certificate EKU causing Unsupported Certificate error. |
| | In 3.1 Patch 8: Observing Insufficient Virtual Machine Resource Alarm in 3.1 Patch 8 longevity setup. |
New Features in Cisco ISE, Release 3.1 - Cumulative Patch 4
Enhancement to the Groups tab in the REST Identity Store
You can now retrieve, filter, and delete REST identity store groups while configuring Resource Owner Password Credentials in Cisco ISE.
While adding the groups, click Retrieve Groups to import the user groups from the connected identity source. Check the check boxes next to the groups that you want to select and click Save. You can also select all the groups, if needed. The selected groups are listed in the Groups tab.
You can filter the results using the filter option.
To delete a user group, check the check box next to the group that you want to delete and click Delete.
For more information, see "Configure Resource Owner Password Credentials Flow" in the chapter "Asset Visibility" in the Cisco ISE Administrator Guide, Release 3.1.
Changes to IP Default Gateway Require Restart
From Cisco ISE 3.1 Patch 4 onwards, when you add or change a gateway, the CLI warns the administrator that a service restart may be required, and executes the command only if the Yes option is selected.
For more information, see the Cisco ISE CLI Commands in Configuration Mode chapter in the Cisco ISE CLI Reference Guide, Release 3.1
Resolved Caveats in Cisco ISE Release 3.1 - Cumulative Patch 4
The following table lists the resolved caveats in Release 3.1 cumulative patch 4.
| Caveat ID Number | Description |
|---|---|
| CSCwc62413 | Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
| | 64-character limit is not enough to accommodate external user identities, such as user principal name |
| | Unable to edit certificates imported to ISE Trusted Certificate |
| | Path traversal vulnerability |
| | Cross-site request forgery vulnerability |
| | Stored cross-site scripting vulnerability |
| | Unauthorized file access vulnerability |
| | OS privilege escalation issue |
| | CIAM: python-pip 9.0.3 |
| | When Essential License is disabled on the Cisco ISE GUI, the Smart Licensing Portal does not report license consumption. |
| | Unable to import network device configured with SNMPv3 SHA2 authorization |
| | CIAM: libcurl 7.61.1 |
| | Cisco ISE-PIC does not forward live sessions beginning with special characters |
| | CIAM: libjpeg-turbo 1.5.3 |
| | Cisco ISE does not allow user to change the admin password without validating current password |
| | Certificate based admin login does not work when the client or browser sends more than one certificate |
| | CIAM: sqlite 3.26.0 |
| | CIAM: ncurses 6.1 |
| | Special characters are not supported in Attributes |
| | Underscore is vulnerable in Guest Portals |
| | REST ID does not filter groups based on name or SID for Azure AD groups |
| | Having a single quote (') in the middle of the password on Proxy settings causes the page to become un-editable |
| | No Replication Stopped Alarm triggered |
| | Create a nested endpoint group using ERS API |
| | OpenAPI Error 400 while fetching Nested Conditions |
| | Failure to import Internal CA and key from ISE 2.7P2 to 3.0 |
| | ADE-OS CLI TCP parameters fail to make changes and are no longer relevant |
| | Disable temporary management persona on upgraded node fails in split upgrade |
| | CIAM: cyrus-sasl 2.1.27 |
| | Unable to edit PAN Auto Failover alarms |
| | CIAM: libdnf 0.39.1 |
| | Ping-node call causes application server to crash (OOM exception) during CRL validation |
| | PGA memory used by the instance exceeds PGA_AGGREGATE_LIMIT on MNT node |
| | NTP Sync Failure Alarms with more than 2 NTP Servers Configured. |
| | Session Directory Write failed, SQLException: String Data right truncation on ISE3.0P4 |
| | "File path field must contain a valid file name" error when file conditions are configured for posture |
| | CIAM: jszip 2.5.0 |
| | High latency observed for TACACS+ requests with date or time condition in authorization policies |
| | High Operations DB Usage Alarm percentage needs to be configurable |
| | Guest users (AD or internal) cannot delete or add their own devices on a specific node |
| | Context Visibility Endpoints And NADs from an existing deployment are not removed after Restore |
| | Frequent Insufficient Virtual Machine Resources alarms |
| | Unable to get message option in Posture remediation actions |
| | Unable to download a created support bundle from GUI if logged in using the DomainName\UserName format |
| | Inconsistent behaviour on handling of SSH host keys |
| | ISE PRA failover |
| | SAML certificates should not be marked as Stale if PAN is removed from deployment |
| | SHA-2 option is not available for NAD creation using REST API |
| | TrustSec Dashboard Refresh Call causes High CPU on MNT |
| | Race condition causes registration or sync failure in Cisco ISE 3.1 |
| | $ui_time_left$ variable shows the wrong duration |
| | Cisco ISE adds six additional hours to nextUpdate date for CRL |
| | System summary does not get updated post Patch RollBack and Patch Install |
| | Guest portal registration page shows "error loading page" error when the email address contains apostrophe |
| | DNA Center - ISE Integration: ISE shows an old DNAC certificate for pxGrid endpoint |
| | Admin access is allowed for ISE GUI with secondary interfaces GigabitEthernet 1 and Bond 1 |
| | P1 Stale nodes in TCPDump Menu |
| | Compatibility problems with Hyper-V Gen-2 |
| | Error when network device groups are created using REST APIs |
| | Unable to enter ipv6 address for on-premise SSM server |
| | ERS call /ers/config/sgmapping/{id} does not return SGT value for custom SGT's |
| | CIAM: openssh 7.6 |
| | Max Sessions are not enforced with EAP-FAST-Chaining |
| | CIAM: bind 9.11.4 |
| | Multiline issues for guest SMS notification in Cisco ISE Portal |
| | NTP Service Failure |
| | Unable to host SSH/SFTP with newer HostKeyAlgorithms (e.g. RSA-SHA2-512) |
| | CIAM: jackson-databind 2.9.8 |
| | After upgrade, the files in the rabbitmq certificate directory show incorrect permissions |
| | CIAM: openssl upgrade to 1.0.2ze and 1.1.1o |
| | ISE ERS Validation Error - [validDays] mandatory field is missing |
| | BH Healthcheck and full upgrade pre-check times out when third party CA certificate is used for admin |
| | Patch 2 - Services do not start due to "Integrity check failed" error |
| | Guest redirect with authentication virtual LAN no longer works on ISE 3.1 |
| | After fixing failed pre-upgrade check, Proceed button is still not available |
| | ISE Deployment : All nodes throw OUT_OF_SYNC error as a result of incorrect certificate expiry check |
| | CIAM: glib 2.56.4 |
| | CIAM: openssl 1.1.1g |
| | CIAM: libgcrypt 1.5.3 |
| | PermSize attribute on sysodbcini file is missing |
| | Cisco ISE does not send $mobilenumber$ value in the SMTP API body |
| | Sponsor Portal shows error 500 when "Allow kerberos SSO" portal setting is enabled |
| | Key Performance Metrics report has no entries for 8 AM and 9 AM every day |
| | ISE PSN nodes crash due to incorrect cryptoLib initialization |
| | Queue size needs to be capped on RMQ in 3.x |
| | Spring Hibernate TPS upgrade (Hibernate 5.5.2, Spring 5.3.8) |
| | ODBC Behavior Failover Issues |
| | Unable to restore CFG backup from linux SFTP repository if the file is owned by a group name without space |
| | ISE Evaluation for Struts2 CVE-2021-31805 |
| | Posture policy page does not load for SAML login |
| | Configuration backup fails due to "EDF_DB_LOG" |
| | Data dump transfer between nodes fails during upgrade due to connection error |
| | Duplicated column "Failure Reasons" is found in RADIUS Authentications Report |
| | ISE Evaluation log4j CVE-2021-44228 |
| | Location of "Location" and "Device Type" fields keep changing whenever Network Devices tab is clicked |
| | CIAM: glibc 2.17 |
| | Default domain configuration in Passive-Syslog provider does not work in ISE 3.1 |
| | Cisco ISE GUI does not load after login |
| | Upgrade External Radius Server List does not show up after upgrading to Cisco ISE 3.0 or above |
| | Unable to login into GUI of MnT nodes using RSA 2FA in distributed deployment |
| | CIAM: cups 1.6.3 |
| | SSH to Cisco ISE fails on manually imported SSH Public Keys |
| | Cisco ISE must avoid sending Empty Cisco AV-Pairs in access-accept packets |
| | Invalid character error in Admin Groups |
| | Unable to delete endpoint identity group created via REST API if no description is set |
| | Cannot disable "Dedicated MnT" Option from GUI after it is enabled |
| | Default route is on the incorrect interface if bonding is configured |
| | Default route is removed or tied to the wrong interface after upgrading |
| | T+ ports (49) are still open if the Device admin process is disabled under deployment page |
| | Improvement to logs needed with Conflict handling SGT-IP mapping with Virtual Networks |
| | From address to send email is invalid if it does not end with .com or .net |
| | Application Server is stuck in the initializing state after configuration backup is restored |
| | Cisco ISE does not update expiry date after SLR license is updated |
| | CIAM: nettle 3.4.1 |
| | Invalid Characters in External RADIUS Token Shared Secret. |
| | Services fail to start after backup from old ISE version 2.6 is restored |
| | Timezone update should happen automatically |
| | AD User SamAccountName parameter is null for user sessions |
| | Application Server stays in Initializing state after installing Cisco ISE 3.1 Patch 3 on Cisco ISE Patch 2 |
| | Cisco ISE can login to GUI with disabled shadow admin accounts with external identity source |
| | Sorting internal users based on User Identity Groups does not work in Identities under Identity Management tab |
| | CIAM: samba 4.13.3 |
| | Services auto restart fail with an internal error during IP address change in eth 1 |
| | CIAM: samba 4.8.3 |
| | Inaccurate dictionary word evaluation for passwords |
| | Unable to edit or remove Scheduled Reports if the admin who created them is no longer available |
| | CIAM: cryptography 2.3 |
| | TrustCertQuickView gives the same information for all trusted certificates |
| | 400 Bad Request error is thrown when Internal User is enabled with external password type using Rest API. |
| | Application server restart on all nodes after changing the Primary PAN Admin certificate |
| | Add ability to disable TLS 1.0 and 1.1 on ISE PIC node |
| | Removing an IP Access list from ISE destroys the distributed deployment |
| | 3.2 BETA : ISE GUI is not accessible after enabling TLS 1.0. |
Open Caveats in Cisco ISE Release 3.1 - Cumulative Patch 4
The following table lists the open caveats in Release 3.1 - Cumulative Patch 4.
| Bug ID | Description |
|---|---|
| CSCwc62413 | Cisco Identity Services Engine Cross-Site Scripting Vulnerability. |
| | In 3.1 Patch 8: Observing Insufficient Virtual Machine Resource Alarm in 3.1 Patch 8 longevity setup. |
New Features in Cisco ISE, Release 3.1 - Cumulative Patch 3
Support for Cisco pxGrid Cloud
Cisco ISE 3.1 patch 3 supports Cisco pxGrid Cloud. Cisco pxGrid Cloud is a new Cisco cloud offer that extends pxGrid, ERS and OpenAPI access to cloud-based applications. To allow connectivity between a Cisco ISE deployment and Cisco pxGrid Cloud, pxGrid Cloud service must be enabled on one or more pxGrid nodes in the Cisco ISE deployment. For more information on Cisco pxGrid Cloud, see Cisco pxGrid Cloud Solution Guide.
Update of OCSP Responder Certificates
From Cisco ISE Release 3.1 Cumulative Patch 3 onwards, the following rules are applicable for the renewal of OCSP certificates:
- For a multi-node Cisco ISE deployment, OCSP certificates are renewed automatically if you install the patch through the Cisco ISE GUI. If you install the patch through the Cisco ISE CLI, we recommend that you renew the OCSP certificate manually.
- For a standalone Cisco ISE deployment, OCSP certificates are renewed automatically irrespective of whether you install the patch through the Cisco ISE GUI or the Cisco ISE CLI.
- If you uninstall Patch 3, you have to renew the OCSP certificate manually.
This one-time OCSP certificate renewal process is because of the change in certificate hierarchy. For more information, see Update of OCSP Responder Certificates in the "Basic Setup" chapter of the Cisco Identity Services Engine Administrator Guide, Release 3.1.
Microsoft Intune Integration Changes Due to Microsoft Graph Updates
Microsoft is deprecating Azure Active Directory (Azure AD) Graph and will not support Azure AD Graph-enabled integrations after June 30, 2022. You must migrate any integrations that use Azure AD Graph to Microsoft Graph. Cisco ISE typically uses the Azure AD Graph for integration with the endpoint management solution Microsoft Intune.
For more information on the migration from Azure AD Graph to Microsoft Graph, see the following resources:
Cisco ISE Release 3.1 Patch 3 supports Microsoft Intune integrations that use Microsoft Graph. To avoid any disruption in the integration between Cisco ISE and Microsoft Intune, update your Cisco ISE to Cisco ISE Release 3.1 Patch 3. Then, update your Cisco ISE integration in Microsoft Azure to use Microsoft Graph instead of Azure AD Graph, before June 30, 2022. In Cisco ISE, you must update your Microsoft Intune integrations by changing the Auto Discovery URL field: replace https://graph.windows.net<Directory (tenant) ID> with https://graph.microsoft.com.
See Connect Microsoft Intune to Cisco ISE as a Mobile Device Management Server for more information on the configuration steps.
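The following is an added example, not Cisco code, that applies the migration rule above to a list of configured Auto Discovery URLs and reports which integrations still point at the deprecated Azure AD Graph endpoint. The integration names and the tenant ID are constructed placeholders. The check compares the parsed host rather than doing a substring match, so a look-alike host such as `graph.windows.net.example.com` is not mistaken for the Microsoft endpoint.

```python
"""Audit the Microsoft Intune Auto Discovery URL configured in Cisco ISE.

Added example (not Cisco code). It applies the migration rule from these
release notes: an integration still pointing at the deprecated Azure AD Graph
endpoint, graph.windows.net/<tenant id>, must be repointed to
https://graph.microsoft.com. All URLs and integration names below are
constructed sample values.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

DEPRECATED_HOST = "graph.windows.net"
MICROSOFT_GRAPH = "https://graph.microsoft.com"


def is_azure_ad_graph(url: str) -> bool:
    """True when the URL's host is the deprecated Azure AD Graph endpoint.

    The comparison is on the parsed host, not a substring match, so
    https://graph.windows.net.example.com or a URL that merely mentions the
    host in its path or query is not mistaken for the Microsoft endpoint.
    """
    host = urlsplit(url.strip()).hostname or ""
    return host.lower() == DEPRECATED_HOST


def migrate_auto_discovery_url(url: str) -> Tuple[str, bool]:
    """Return (url_to_configure, changed).

    A deprecated Azure AD Graph URL becomes https://graph.microsoft.com; the
    tenant id path segment is dropped because the replacement URL stated in
    the release notes carries none. Any other URL is returned unchanged.
    """
    url = url.strip()
    if is_azure_ad_graph(url):
        return MICROSOFT_GRAPH, True
    return url, False


def audit_integrations(integrations: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Report every integration that still needs migration.

    Takes (integration name, configured Auto Discovery URL) pairs and returns
    (name, current URL, replacement URL) for the ones pointing at Azure AD Graph.
    """
    findings = []
    for name, url in integrations:
        new_url, changed = migrate_auto_discovery_url(url)
        if changed:
            findings.append((name, url.strip(), new_url))
    return findings


# Constructed sample configuration (hypothetical names, placeholder tenant id).
SAMPLE_INTEGRATIONS = [
    ("intune-corp", "https://graph.windows.net/00000000-0000-0000-0000-000000000000"),
    ("intune-lab", "https://graph.microsoft.com"),
    ("lookalike", "https://graph.windows.net.example.com/tenant"),
]

if __name__ == "__main__":
    for name, old, new in audit_integrations(SAMPLE_INTEGRATIONS):
        print(f"{name}: replace {old} with {new}")
```

Run the block directly to see the one integration in the sample that still needs its Auto Discovery URL changed; the look-alike host is correctly left alone.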
Opening TAC Support Cases in Cisco ISE
You can now open TAC Support Cases for Cisco ISE and other Cisco products from the Cisco ISE GUI.
For more information, see "Open TAC Support Cases in Cisco ISE" in the Chapter "Troubleshoot" in Cisco ISE Administrator Guide, Release 3.1.
SHA1 Ciphers Disabled by Default
From Cisco ISE Release 3.1 Patch 2, SHA1 ciphers on port 443 are disabled by default.
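The following is an added example, not Cisco code, for administrators who want to verify this change from the client side: a classifier that flags SHA1-MAC cipher suites in scan or handshake output (OpenSSL and IANA naming), and the suite list a Python/OpenSSL client still offers once SHA1 suites are excluded with the OpenSSL cipher-string alias `SHA1`. The scan output in the block is a constructed sample, not captured from an ISE node.

```python
"""Classify TLS cipher suites by MAC and list what a client offers once SHA1
suites are excluded.

Added example (not Cisco code). The release notes state that SHA1 ciphers on
port 443 are disabled by default from 3.1 Patch 2. This block gives the
client-side view: a classifier for suite names as they appear in scan or
handshake output, and the suite list a Python/OpenSSL client still offers
when SHA1 suites are removed with the OpenSSL cipher-string alias "SHA1".
The scan output below is a constructed sample, not captured from an ISE node.
"""
import ssl
from typing import List


def uses_sha1_mac(cipher_name: str) -> bool:
    """True for suites whose record MAC is HMAC-SHA1.

    OpenSSL names end such suites with a bare "SHA" (ECDHE-RSA-AES128-SHA);
    IANA names end with "_SHA" (TLS_RSA_WITH_AES_128_CBC_SHA). SHA256/SHA384
    suites and the TLS 1.3 AEAD suites are not SHA1-based.
    """
    name = cipher_name.strip().upper()
    return name.endswith("-SHA") or name.endswith("_SHA")


def sha1_suites(names: List[str]) -> List[str]:
    """Return the SHA1-MAC suites from a list of suite names, e.g. scan output."""
    return [n for n in names if uses_sha1_mac(n)]


def client_suites_without_sha1() -> List[str]:
    """Suites a Python client context offers after excluding SHA1 suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("DEFAULT:!SHA1")  # OpenSSL alias for SHA1-MAC suites
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample: suites a scanner might report as accepted by a server.
SAMPLE_SCAN = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA",
    "AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    print("SHA1 suites in sample scan:", sha1_suites(SAMPLE_SCAN))
    print("client offers without SHA1:", client_suites_without_sha1())
```

A server that has SHA1 ciphers disabled should accept none of the suites that `sha1_suites` flags; a handshake from a client built with `client_suites_without_sha1` should still succeed, which is the quickest way to confirm that remaining clients are not dependent on the removed suites.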
Resolved Caveats in Cisco ISE Release 3.1 - Cumulative Patch 3
The following table lists the resolved caveats in Release 3.1 - Cumulative Patch 3.
Caveat ID Number | Description |
---|---|
| | After installing patch 2 services are stuck due to "Integrity check failed" error |
| | New objects do not exist in the condition studio |
| | WLC failed to validate EAPOL Key M2 with ISE 3.1 |
| | Unable to fetch the attributes from ODBC after upgrading to ISE 3.0 patch 3 |
| | Could not create Identity User if username includes $ |
| | Single Byod Flow with Internal CA failing with "12557 User Auth failed because OCSP status is unknown" error |
| | Upgrade from ISE 2.4 patch 13 to ISE 2.7 fails if external RADIUS server is configured |
| | backup-logs using public key encryption on the ISE CLI does not allow for capture of core files |
| | Local Log Settings tooltip on all fields shows irrelevant and unuseful Trust Certificates |
| | ISE 3.1 SAML admin authentication fails when user assertion contains multiple values in the "Groups" claim |
| | ISE 2.7 Authentication success settings shows success/success url |
| | TACACS authorization policy querying for username fails because username from session cache is null |
| | nextPage field is missing from the json response of API 'GET /ers/config/radiusserversequence' |
| | Device Port Network Conditions does not validate interface ID |
| | CIAM: gnutls 3.6.14 |
| | CIAM: libx11 1.6.8 |
| | CIAM: python 3.6.8 |
| | CIAM: file 5.33 |
| | CIAM: sysstat 11.7.3 |
| | Cisco Identity Services Engine Assessment of CVE-2021-4034 Polkit |
| | Node database utilization information is not properly displayed in Operational Data Purging > Database Utilization window |
| | Microsoft Intune Graph Url change from graph.windows.net/tenant to graph.microsoft.com |
| | Get-By-Id server sequence returns empty server list after first change made on the sequence via GUI |
| | Reports are unusable due to mishandling fields with multiple values |
| | Sponsor Portal admin unable to create random guest accounts with 1 hour duration or less |
| | CIAM: nss - multiple versions |
| | Queue Link Error:WARN:{socket_closed_unexpectedly;'connection.start'} |
| | GRUB2 Arbitrary Code Execution Vulnerability |
| | CIAM: openssh 7.6 |
| | Internal users using External Password Store are getting disabled if we create users using API flow |
| | Enabling cookies for POST /ers/config/internaluser/ causes Identity Group(s) does not exist error |
| | ISE 3.0 checks only the first SAN entry |
| | IP-SGT mapping does not link with new network access device group |
| | ISE authorization profiles option get truncated during editing/saving (Chrome only) |
| | RCM and MDM flows fail because of session cache not being populated |
| | Full upgrade not working with patch when CLI or disk repository is used |
| | CSV NAD import is rejected due to special symbol @ at the beginning of RADIUS shared secret |
| | Fix for CSCvu35802 breaks AD group retrieval with certificate attribute as identity in EAP-Chaining |
| | ISE 3.1 Guest Username/Password Policy is not modifiable |
| | Multiple runtime crashes seen due to memory allocation inconsistency |
| | AD security groups cannot have their OU end with dot character in Posture Policy |
| | CIAM: binutils 2.30 |
| | CIAM: json-c 0.13.1 |
| | Posture firewall remediation action unchangeable |
| | RegEx expressions in TACACS Command Sets malformed |
| | Session service unavailable for pxGrid Session Directory with dedicated MnT |
| | PEAP session timeout value restricted to max 604800 |
| | ISE 3.1 is requesting ISE-PIC licenses from Smart account |
| | CIAM: nss - multiple versions |
| | ISE 3.1 on AWS gives a false negative on the DNS check for Health Checks |
| | Attribute value dc-opaque causing issues with Live Logs |
| | ISE CPP not loading correctly for some languages |
| | ISE unable to fetch the url attribute value from improper index during posture flow |
| | ERS API doesn't allow for use of dot character in "Network Device Group" name on create / update |
| | Eap-chaining authorization failure due to machine authentication flag set to true incorrectly |
| | GET for dacls using /ers/config/downloadableacl does not return a value for nextPage or previousPage |
| | ISE 3.0 & 3.1: Device Admin License alone should allow access to all TACACS menus |
| | CIAM: lz4 1.8.3 |
| | CIAM: glibc 2.28 |
| | IPv6 changes the Subnet to /128 when using the duplicate option from Network device tab |
| | Unknown NAD and Misconfigured Network Device Detected alarms |
| | Inconsistent sorting on ERS APIs for endpoint group |
| | MDM intune integration broken for vpn user on ISE 3.1 |
| | ISE client pxGrid certificate is not delivered to DNAC |
| | Unable to create network device group with name Location or Device Type |
| | Endpoint stuck in posture unknown state |
| | ISE displays an alarm stating an invalid response from licensing cloud |
| | Deleted Root Network Device groups are still referenced in the Network Devices exported CSV report |
| | SNMPv3 COA request is not issued by ISE 2.7 |
| | ISE API add user operation with long custom attribute string takes around 4 minutes using Curl |
| | Updated fields list for PUT on /erc/config/authorizationprofile/{id} usually empty |
| | Unable to change network Device group Name and Description at the same time |
| | Existing routes are not installed in routing table after MTU change |
| | ISE Conditions Studio - Identity Groups Drop-down limited to 1000 |
| | DELETE /ers/config/networkdevicegroup/{id} not working; CRUD exception |
| | CIAM: tcp-dump 4.9.3 |
| | Authorization profile throws an error when special characters are used |
| | ISE Evaluation log4j CVE-2021-44228 |
| | CoA was not initiated for switches for which matrix was not changed, hence Policy sync failed |
| | Empty User Custom attribute included in Authorization Advanced Attributes Settings results in incorrect AVP |
| | ISE replacing pxGrid certificate when generating ISE internal CA |
| | "Queue Link Error: Message=From Node1 To Node2; Cause=Timeout" error seen when NAT is used |
| | ISE 3.1 Patch 1: Unable to connect to ISE via SSH when FIPS is enabled |
| | Catalina.out file is huge because of SSL audit events |
| | CIAM: sqlite 3.18.2 |
| | When SNMP config is set on the network device, a delay of 20 seconds is introduced while processing SNMP record |
| | Deployment-RegistrationPoller causing performance issues on PAN node with 200+ internal certificates |
| | ISE 3.1: Unable to generate pxGrid certificates with Active Directory superadmin |
| | ISE configured with 15 Collection filters hides the 15th filter |
| | Optimize bouncy-castle class to improve performance on PAN |
| | Serviceability: "DNS Resolution Failure" alarm should show ISE server |
| | Session cache must be updated during EAP chaining flow to handle relevant identities |
| | Guest Portal fields causing words to be repeated for Apple VoiceOver |
| | Success page is blank and Done button not enabled in Hotspot Guest Portals |
| | Sessions are not removed when the Tacacs+ requests resulted in "Could not find selected service" error |
| | Unable to add more than one ACI IP address/hostname when trying to enable ACI integration in ISE |
| | ISE 3.1 - GUI is not working when IPv6 disabled globally |
| | CIAM: pcre 8.41 |
| | Guest portal does not load if hosted on a different interface from Gig0 |
| | REST ID is fetching the groups from Cloud when the connector settings page is opened |
| | ISE 3.0p2 - Monitor All setting displays incorrectly with multiple matrices and different views |
| | AD security groups cannot have their OU end with dot character in Client Provisioning Policy |
| | CIAM: libsolv 0.7.16 |
| | High Active Directory latency during high TPS causes HOL Blocking on ADRT |
| | Reauthentication issue seen in third party devices |
| | ISE 3.0 APIC Integration: Failed to create security groups |
| | Need to handle Posture expiry when 8 octet MAC is present in endpoint on the deployment node |
| | Cannot export SAML provider info xml file from ISE GUI |
| | Inconsistent sorting on ERS API for identity groups |
Open Caveats in Cisco ISE Release 3.1 - Cumulative Patch 3
Caveat ID Number | Description |
---|---|
| | SXP service is not starting after restart from ISE UI |
| | Getting "Page not accessible" pop-up message in ISE-PIC node. |
| | ISE PSN nodes crashing due to incorrect cryptoLib initialization. |
| | In 3.1 Patch 8: Observing Insufficient Virtual Machine Resource Alarm in 3.1 Patch 8 Longevity setup. |
New Features in Cisco ISE, Release 3.1 - Cumulative Patch 1
Cisco ISE on AWS
- The software version Cisco ISE 3.1 Patch 1 is available on Amazon Web Services.
- You can now install Cisco ISE in evaluation mode in the AWS instance named t3.xlarge. For more information about using Cisco ISE in evaluation mode in AWS, see the section "Cisco ISE Evaluation Instance on AWS" in the Cisco ISE Installation Guide, Release 3.1.
t3.xlarge instances only support Cisco ISE Release 3.1 Patch 1 and later releases.
OpenAPI Service
The following OpenAPIs have been introduced in Cisco ISE Release 3.1 Cumulative Patch 1:
For more information, see "Enable API Service" in the Chapter "Basic Setup" in Cisco ISE Administrator Guide, Release 3.1.
Signed SAML Authentication Request for Cisco ISE
Cisco ISE now only accepts signed SAML requests and assertions for authentication.
For more information, see "Configure SAML ID Provider" in the Chapter "Asset Visibility" in Cisco ISE Administrator Guide, Release 3.1.
Resolved Caveats in Cisco ISE Release 3.1 - Cumulative Patch 1
The following table lists the resolved caveats in Release 3.1 - Cumulative Patch 1.
Caveat ID Number | Description |
---|---|
| | MnT log processor is not running because collector log permission. |
| | /ers/config/<obj>/bulk/submit returning invalid Location URI /ers/config/<obj>/bulk/submit/<bulkID> |
| | Blanket bug for code enhancements for MnT component |
| | 2.4p12 patch install stuck forever |
| | A race condition was found in the mkhomedir tool shipped with the oddjo |
| | ISE 3.0 BH : TACACS live logs do not give an option select Network Device IP |
| | DOC: unknown maximum time difference for thisUpdate of OCSP response |
| | CIAM found poi vulnerable |
| | Auth Passed live logs are not seen when using a profile name with more than 50 characters |
| | Multiple Vulnerabilities in glibc |
| | 3.0P2: Accounting Report Export is taking more time to complete. |
| | CIAM found netty vulnerable |
| | CTS-SXP-CONN : ph_tcp_close from device to ISE SXP connection - Hawkeye |
| | [CFD] User unable to create a guest SSID during Portal Creation step - ISE is busy error |
| | Certificate Validation Syslog Message Sent During Specific Certificate Audits--ISE |
| | CIAM: openjdk - multiple versions |
| | CIAM: libx11 1.6.8 |
| | CIAM: glibc 2.28 |
| | CIAM: gnupg 2.2.9 |
| | CIAM: systemd 219 |
| | CIAM: vim 8.0.1763 |
| | CIAM: nettle 3.4.1 |
| | CIAM: unbound 1.7.3 |
| | CIAM: pcre2 10.32 |
| | CIAM: cpio 2.12 |
| | CIAM: libarchive 3.3.2 |
| | CIAM: network-manager 1.22.8 |
| | Customer fields in guest portal contains & - $ # |
| | Cisco Identity Services Engine XML External Entity Injection Vulnerability |
| | CIAM: librepo 1.11.0 |
| | ISE Guest SAML authentication fails with "Access rights validated" HTML page |
| | Incorrect Posture Compound Condition Hotfixes |
| | CTS PAC not activating on Switch: via ISE 3.1 build 3.1.0.477 |
| | CIAM: go 1.15.7 CVE-2021-33194 |
| | ISE restore popup menu displays wrong text |
| | ISE 3.0 Device Admin License alone should allow access to Administration > System > Logging menu |
| | Possible to choose SPAN without Policy persona in NAD Send configuration changes to device CoA |
| | posture lease breaks for eap chaining from 2.7 |
| | TACACs report showing duplicate entries due to EPOCH time being null |
| | TACACS Authentication report shows duplicate entries |
| | EP's incorrectly profiled as "cisco-router" due to nmap performing aggressive guesses |
| | SessionCache not cleared for Tacacs AuthZ failures results in high heap usage and auth latency |
| | Special characters in Banner blocking SFTP repo |
| | ISE 2.7 patch 4 unable to upload .json file for Umbrella security profile. |
| | P1PNSBaseline: SuperMnT: on last 30days Radius Auth report takes ~5mins with filter |
| | ISE 2.6 p 9, Default permissions can't go back to default group Internal after adding a new group |
| | ISE GUI stuck at loading if AD group does not exist when using cert based auth for GUI access |
| | ise 2.7 Failed to add endpoint to group |
| | Not able to scroll to different pages in Issued certificates page |
| | ISE GUI shows all the licenses as Out of Compliance - Smart Licensing |
| | Agentless posture breaks for locale |
| | Okta redirection fails for first ID store and works when second ID store is assigned |
| | Unable to see the UI pxgrid pages, if we enabled&disabled pxgrid at deployment tab on secondary node |
| | ISE: Application server stuck initializing after backup restore due to mdm configuration |
| | User unable to generate support bundle |
| | menu access customization is not working |
| | ISE Health Check MDM Validation false alarm |
| | NTP (' - ') source state description missing in ISE CLI |
| | CIAM: libxml 2.9.1 |
| | CIAM: jspdf 2.3.0 |
| | CIAM: systemd - multiple versions |
| | CIAM: podman 1.6.4 |
| | Sponsor Permissions are not passed to Guest REST API for "By Name" calls. |
| | ISE manage account selection issue |
| | ISE PIC 3.1 Request traditional license |
| | CIAM: jsoup 1.10.3 |
| | ISE 3.0 TimesTen connection closed when an SQLException is encountered |
| | ISE GUI : net::ERR_ABORTED 404 : /admin/ng/nls/fr-fr/ |
| | CIAM: bind 9.11.20 |
| | Cisco:cisco-av-pair AuthZ conditions stopped working |
| | Inability to import ISE certificates issued for PAN to other nodes in spite of the SAN field fqdn. |
| | ISE 3.1 No response when clicking "choose file" on import Endpoints from CSV file page. |
| | ISE 2.7: EndpointPersister thread getting stopped |
| | CIAM: libgcrypt 1.5.3 |
| | If we set mtu greater than 1500 then the mtu value is not setting persistently across reboot. |
| | Local disk management UI for uploading file is broken |
| | Local Log Settings tooltip on all fields shows irrelevant and unuseful 'Trust Certificates' |
| | Configuration changes to Guest types is not updated in audit reports |
| | ISE 3.1: While updating Network Device from DNAC, Shared Secret/password is empty or masked |
| | Pxgrid shown disabled on Summary page for ISE-PIC |
| | ISE 3.1 : Authentication tab shows blank result in Context Visibility |
| | adding FQDN in discovery host, Discovery host: invalid ip address or host name |
| | Agentless Posture for Windows 10 devices not passing AntiMalware check |
| | ISE 3.0 Can't deselect the 'location' settings as part of the guest self registration portal |
| | Version pre-check fails for 3.2 full upgrade. |
| | ISE Health Check I/O bandwidth performance check false Alarm |
| | Unsupported message code 91104 and 91105 Alarms |
| | All NADs got deleted due to one particular NAD deletion |
| | live log/session not showing latest data due to "too many files open" error |
| | AD users in Super Admin group can't create/edit admin user with error "Operation is not permitted" |
| | Radius reports older than 7 days are empty (regression of CSCvw78289) |
| | Oracle process are increasing and getting TNS:connection closed |
Open Caveats in Cisco ISE Release 3.1 - Cumulative Patch 1
Caveat ID Number | Description |
---|---|
| | Single Byod Flow with Internal CA failing "12557 User Auth failed because OCSP status is unknown". |
| | In 3.1 Patch 8: Observing Insufficient Virtual Machine Resource Alarm in 3.1 Patch 8 Longevity setup. |
Cisco ISE 3.1 Files Replaced on Software Download Site
Cisco ISE 3.1 OVA, ISO, and upgrade bundle files have been replaced on the Cisco ISE Software Download site.
What Changes are Made?
- The following bugs are resolved in this build:
  - CSCwa04370: ISE 3.1 shows incorrect outgoing interface for the default interface if two interfaces are configured with IP addresses and the default gateway references the subnet on eth1
  - CSCwa82553: ISE 3.1 default route is on the incorrect interface if bonding is configured
- Option to skip ICMP, DNS, and NTP checks in the ZTP tool. For more information, see "Zero Touch Provisioning" in the Chapter "Additional Installation Information" in Cisco ISE Installation Guide, Release 3.1.
Resolved Caveats in Cisco ISE Release 3.1
The resolved caveats in Cisco ISE Release 3.1 have parity with these Cisco ISE patch releases: 2.6 Patch 9, 2.7 Patch 4, and 3.0 Patch 2.
Caveat ID Number | Description |
---|---|
| | ISE 3.1 shows incorrect outgoing interface for the default interface if two interfaces are configured with IP addresses and the default gateway references the subnet on eth1 |
| | ISE 3.1 default route is on the incorrect interface if bonding is configured |
| | RADIUS maximum session-timeout value restricted to 65535 |
| | ERS Create/Update for "Authorization Profile" failing XML schema validation |
| | Blank guest portal window seen in portal created in portal builder |
| | Customization for support information in Client Provisioning portal is missing |
| | No logo in guest approval email when portal is set to Sponsored-Guest Portal |
| | Guest Remember Me RADIUS accounting and access accept not sending guest username |
| | Account used for AD join may become locked after passive-id service is enabled |
| | Unable to see complete list of AD groups when using scrollbar |
| | Problem with renaming the reports |
| | Unable to configure grace period for more than 1 day because of posture lease |
| | MnT API call with admin credentials disables the account |
| | Ability to suppress session information pop up when logging in to GUI |
| | Profiling and conditions studio not loading or taking up to 30 minutes |
| | Error when attempting to change ISE-PIC GUI admin user settings |
| | When running a report for endpoint purge, no reports are shown if the purged endpoint count is 0 |
| | Bad Request error when refreshing My Devices portal |
| | Incorrect DNS configuration can lead to TACACS or RADIUS authentication failure |
| | Show running-config fails to complete |
| | Import NAD is failing with an error when shared secret key has special character |
| | Changes to Network Device Groups not reflected in Change Audit logs |
| | Unable to manage ISE internal network access users without an Identity Group |
| | RADIUS Authentication Troubleshooting window not filtering properly |
| | Cisco ISE 2.4 patch 5 crashing frequently and generating core files |
| | PassiveID alarms should be triggered for inactivity for each DC separately |
| | PSN should be capable of identifying delays in mappings from PassiveID agent |
| | Application server takes more time to initialize |
| | While updating the Profile Description field in Client Provisioning Resources window, if Enter is used to create a new line, "Fail to receive server response due to the network error" message is displayed |
| | Posture Condition failed with "Check vc_visInst_v4_CiscoAnyConnectSecureMobility Client_4_x is not found" error |
| | "Plus License is out of compliance" message seen while regenerating the ISE Root CA |
| | Suspected memory leak in io.netty.buffer.PoolChunk |
| | Guest email not sent after changing SMTP server |
| | Sponsor group membership removed when adding or removing AD group |
| | ISE with DUO as External RADIUS Proxy drops access-reject |
| | ISE 2.4 patch 6: REST API MnT query to get device by MAC address taking more than 2 minutes |
| | Change Configuration Audit report missing IP Address and modified properties in CSV export |
| | Posture fails when primary PSN or PAN is unreachable |
| | Certificate chain is not sent on the guest portal |
| | Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
| | Guest password policy settings cannot be saved when set to ranges for alphabets or numbers |
| | Time Vs Throughput chart in ISE Health Summary report using wrong units |
| | ISE Radius Live Sessions window showing No Data Found |
| | ISE not doing lookup for all MAC addresses causing redirectless Posture to fail |
| | ISE should either allow IP only for syslog targets or provide DNS caching |
| | ISE 2.4 Application server going to Initializing state on enabling endpoint debugs |
| | Application server crashes while transitioning into stopping state |
| | MAC 11 Big sur BYOD flow failed |
| | Endpoint data not visible on secondary Admin node |
| | GRUB2 Arbitrary Code Execution Vulnerability |
| | Log Collection Error alarms appear |
| | Guest API allows restricted sponsor to create guest accounts even for the unallowed guest type |
| | Session cache for dropped session not getting cleared and causing High CPU on the PSNs |
| | Authorization profile not saved with proper attributes when Security Group selected under common tasks |
| | Max Sessions Limit is not working for Users and Groups |
| | Going back to network list removes the applied filter |
| | pxGrid internal client ping failed |
| | Not able to see the guest identity in the DNAC Assurance window |
| | Modify TCP settings to enhance TACACS+ and TCP on ISE |
| | While renewing ISE certificate for HTTPS, EAP, DTLS, PORTAL, only Portal and Admin roles gets applied |
| | BYOD Flow is broken in iOS 14 beta |
| | DNA ACA Security Groups sync fails with JDBCException error |
| | Discovery host description text is misleading |
| | Live session details report show incorrect authorization profile and policy for VPN Posture scenario |
| | Livelog sessions show incomplete authorization policy for VPN Posture scenario |
| | Context Visibility shows incorrect authorization profile and policy for VPN Posture scenario |
| | ISE Guest portal registration and expiration email need to maintain format entered in the portal |
| | Cannot start CSV exporting for Selected User in internal ID Store |
| | RADIUS passed-auth live logs not sent due to invalid IPv6 Address |
| | Manual NMAP not working when only custom ports are enabled |
| | Unable to create posture condition for LANDESK |
| | PSK cisco-av-pair throws an error if the key contains < or > symbols |
| | NFS repository is not working from GUI |
| | Generate self-signed certificates and CSR default parameters doesn't match with pre-installed self-signed certificate |
| | Internal CA Certificate not getting deleted when node is removed from deployment |
| | Error storing the running-config lead to loss of startup config |
| | Device admin service is getting disabled when updating TACACS configuration |
| | TrustSec enabled NADs not showing in TrustSec Matrices when NDG column exceeds 255 characters |
| | Mapped SGT entry cleared from Authorization Rules if Security Group name is modified in Cisco DNA Center |
| | Heap Dump generation fails post reset-config of ISE node |
| | ISE must allow Posture Grace Period more than 30 days |
| | Can't get the download link of NetworkSetupAssistant.exe using Aruba dynamic URL redirect |
| | ISE Hotspot guest portal flow broken |
| | Application server marked as Initializing when ISE_EST_Local_Host RADIUS shared secret is empty |
| | Export of current active session reports only shows sessions that has been updated since midnight |
| | Context Visibility CSV exported from CLI not showing IP addresses |
| | ISE 2.6/2.7 Repositories get deleted post ISE node reload |
| | Suspended Guest User is not automatically removed from Endpoint Group |
| | Saving command with parenthesis in TACACS command set gives an error |
| | Group lookup failed as empty value was appended to the context |
| | Certificate Authority Service initializing EST Service not running after upgrade to ISE 2.7 patch 2 |
| | ISE RADIUS Live Log details missing AD-Group-Names under Other Attributes section |
| | Operational backup throws error if available free space in /opt folder is 1 TB or greater |
| | Authentication summary report gets stuck if the total records are more than 5M |
| | ISE SXP should have a mechanism to clear stale mappings learned from session |
| | Need to add the ability to use a forward slash in the IP data type of internal user custom attribute |
| | Unable to create unique community string for different SNMP servers |
| | Proxy bypass settings does not allow upper characters |
| | Custom Attribute from Culinda not showing in endpoint GUI page |
| | Network Device API call throws error 500 if you query an non-existent network device |
| | PSN rmi GC collection not working properly causing memory leak in PassiveID flow |
| | Case sensitivity on User Identity Groups causes "Select Sponsor Group Members" window to not load |
| | Memory Leak on PSN nodes |
| | Radius Server Sequence window showing "no data available" |
| | Cisco Identity Services Engine Untrusted File Upload Vulnerability |
| | Posture Assessment by Condition report displays No Data with Condition Status filter |
| | Security Group values in Authorization Profile disappear shortly after fetching |
| | Can't modify AUP Text |
| | ISE not consuming plus license when using local or global exceptions |
| | ISE 3.0 REST ID log file not included in support bundle |
| | ISE 3.0 Health Check License validation false Alarm |
| | ISE constantly sending internal Super Admin user requests to external RADIUS token server |
| | Unable to retrieve LDAP Groups/Subject Attributes when % character is used twice or more in bind password |
| | Client Provisioning window does not show current settings properly |
| | Bulk certificate generation failed with "An unexpected error occurred" message after primary PAN failure |
| | Missing local disk utilization information |
| | ISE generating CSR with hostname-x in SAN gives an error |
| | Posture auto-update not running |
| | Need DigitCert Global Root G2 in CTL for ROPC |
| | Network Device IP filter does not match IPs that are inside subnets |
| | Upgrade failing at RuleResultsSGTUpgradeService step |
| | High memory usage on the PSN nodes with PassiveID flow |
| | Smart Licensing Entitlement tab gets stuck at "Refreshing" if there is connection failure |
| | ISE 2.6 scheduled reports are not working when primary MnT is down |
| | ISE collection filters not displayed in GUI |
| | "NetworkAuthZProfile with entered name already exists" message seen while trying to create an SGT with name "Employees" |
| | Users that do not belong to the sponsor group are able to login in the sponsor portal |
| | Cannot configure scheduled config and operational backup with start date same as current day |
| | Double Slash "//" added in File Path for SFTP servers |
| | GBAC configuration not synced between DNAC and ISE |
| | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability |
| | ISE PIC Licensing window is not loading |
| | Maximum time difference not specified for "thisUpdate of OCSP response" |
| | ISE nodes intermittently trigger Queue Link alarms |
| | Unable to load Context Visibility window for custom view in ISE 2.7 patch 2 |
| | ISE configuration restore fails at 40% with "DB Restore using IMPDP failed" error |
| | ISE GUI login page shows error while using Chrome version 85/86 |
| | Memory leak after adding AD Groups for PassiveID flow |
| | NTP does not work because internal user 'chrony' not created |
| | Sponsor is unable to view the list of created guest users |
| | ACI mappings are not being deleted after a delete message |
| | Posture does not work with dynamic redirection on third party NADs |
| | Not throwing error for IP overlap case |
| | High CPU on PSN node |
| | Scheduled operational data backups not being triggered after Primary MnT reload |
| | Pushing IP to SGT mapping from ISE to switch doesn't work if default route is tagged |
| | Editing external data source posture condition is showing always the wrong AD |
| | NAD Location is not updated in Context Visibility ElasticSearch |
| | Agent marks DC as down if agent service comes up before windows network interface |
| | Authorization Profiles showing "No data available" after NAD profile is deleted |
| | Endpoints not purged due to an exception |
| | Cisco Identity Services Engine Untrusted File Upload Vulnerability |
| | PassiveID is not working stable with multi-connect syslog clients |
| | ISE 3.0 not importing certificates missing CN and SAN into Trusted Certificate Store |
| | International Phone Number dropdown box not working in ISE 2.7 |
| | NADs shared secrets are visible in the logs while using APIs |
| | Internal User custom attributes are not sent in CoA-Push |
| | SAML groups do not work if they are applied in the Sponsor Portal Groups |
| | ISE MnT Live Session status is not changing to Postured in VPN use case |
| | Enabling Essentials licenses only block access to Network Devices tab |
| | GUI not accessible after applying IP Access restrictions |
| | ISE Service Account Locked and WMI not established due to special characters in password |
| | ANC CoA not working as ISE uses hostname for internal calls |
| | Exception shown in ise-psc.log for repository while loading Backup and Restore window |
| | Sophos 10.x definition missing from Anti-malware condition for MAC OSX |
| | Guest portal creation failure with ISE 3.0 |
| | ISE 3.0 Syslog provider cannot apply configuration |
| | Cisco ADE-OS Local File Inclusion Vulnerability |
| | ISE is not processing gathered SNMP information for endpoint |
| | API IP SGT mapping not returning result for [No Devices] |
| | No TACACS Command Accounting report for third party device with a space before TACACS command |
| | CoA-disconnect is not issued by ISE for Aruba WLC when grace access is expired |
| | AD security groups cannot have their OU end with dot character on RBAC policies |
| | ISE is not allowing to import CA signed certificate on top of self-signed certificate |
| | Session which was previously having Postured Live Session state is moving to Started upon receiving Accounting Interim Update from NAD |
| | SB should collect Hibernate.log |
| | ISE does not display Full Authorization rules if it has 50 rules or more in Japanese GUI |
| | ISE fails to send CoA from PSNs with "Identifier Allocation Failed" error |
| | RADIUS requests dropped after deleting policy sets |
| | All Processes need to be stopped before dropping schema objects |
| | ISE 3.0 policy condition studio GUI bug |
| | RADIUS server sequence gets corrupted when selected external server list is modified |
| | Total mappings not displayed properly when using multiple SXP nodes in ISE deployment |
| | Guest user is created with incorrect lifetime |
| | Sponsor portal shows wrong week information on setting date while using Chinese language |
| | "All SXP Mapping" table contains terminated sessions on ISE |
| | NTP sync failure alarms that are not relevant need to be changed |
| | MnT node name set to NULL when IP access enabled |
| | HotSpot Guest portal displays Error Loading Page when passcode field contains special characters |
| | ISE Conditions Library corruption during Pen test |
| | Dot1x authentication failed due to duplicate manager |
| | NTP out of sync after upgrade to ISE 2.7 |
| | CWE-20: Improper input validation for Create Node Group |
| | Authentication Passed live logs are not seen when using a profile name with more than 50 characters |
| | "Radius Authentication Details" report takes time when ISE Messaging Service is disabled |
| | Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities |
| | Sorting based on username doesn't work in User Identity Groups |
| | TACACS+ Endstation Network Conditions scrollbar not working |
| | Authorization profile CWA option does not work correctly with some network device profiles |
| | Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities |
| | Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities |
| | Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities |
| | Configuration Audit detail does not show which Policy Set was modified |
| | TACACS+ Device Network Conditions and Device Port Network Conditions tabs scrollbar not working |
|
ISE pxGrid exceptions should have ERROR log level instead of DEBUG |
|
Live session is not showing correct active session |
|
MAB authorization is failing if AD object representing the MAC address is in disabled state |
|
MAB authentication via Active Directory passes with AD object disabled |
|
DB Clean up hourly cron acquiring DB lock causing deployment registration failure |
|
For PKI based SFTP, exporting GUI key for MnT node is only possible when it is promoted as PAN |
|
Cisco Identity Services Engine Sensitive Information Disclosure Vulnerabilities |
|
RBAC rules not enforced in ISE 2.7 |
|
Unable to edit, duplicate, or delete guest portals. |
|
Change in Polling interval not taking effect for external MDM server (Microsoft_intune) |
|
Static policy and group assignment are lost from EP when updating custom attributes from API |
|
Internal user export feature shows no error for invalid characters in password |
|
Itune integration throws error while Test Connection works fine in MDM window |
|
Unable to fetch Azure AD groups |
|
Generate bulk certificates do not include ISE self-signed certificate |
|
Adding a network device gives "Unable to load NetworkDevices" error |
|
Admin access with certificate based authentication can be bypassed by going directly to login.jsp |
|
Creating a node group named "None" breaks replication |
|
Error seen when trying to sort endpoint's Applications by "Running process" in Context Visibility |
|
ISE remains in eval expire state even after registering with Smart Licensing |
|
Latency in loading certain pages due to stale certificate entries in ISE TrustCert Store |
|
DNS Resolvability in Health Checks: False failures with ISE FQDN as CNAME |
|
Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021 |
|
"ipv6 address autoconfig" gets removed when changing IP address of bond interface |
|
Authorization should look up MAC address in format configured in ODBC Stored-Procedures window |
|
Support bundle does not capture ise-jedis.log files on ISE 2.7 and later |
|
On recreating Root CA, Jedis DB connection pool is not recreated |
|
Authentication Method conditions not matching in Policy Set entry evaluation |
|
SGA value under-provisioned for SNS 3515 running all personas on same node |
|
Error 400 while authenticating to Sponsor portal with Single Sign-on/Kerberos user account |
|
Sponsor portal gives "Invalid Input" if the "mobile number" field is unchecked in portal settings |
|
Unable to get all tenable adapter repositories with Tenable SC 5.17 |
|
No login fail log when using external username and wrong password |
|
Receiving acct stop without NAS-IP address keeps session in started state |
|
ISE AD runtime should support rewrite a1-a2-a3-a4-a5-a6 to a1a2a3a4a5a6 |
|
CoA failure upon endpoint change to a new switch-port and Endpoint Identity Group change |
|
In EAP chaining scenario, posture policy failed to retrieve machine AD group membership |
|
Session Directory topic does not update user SGT attribute after a dynamic authorization |
|
AMP events for new endpoints are not correctly mapped |
|
Memory leak on TACACS flow |
|
NIC bonding prevents MAR cache replication |
|
Authorization policy conditions are not correctly formatted |
|
Default Network Devices window requires Plus license to allow configuration |
|
TrustSec policy matrix allows limited scrolling in ISE 3.0 |
|
isedailycron temp1 tracking is causing delay in AWR reports |
|
Clicking a network device in Top N Authentication by Network Device report is redirecting to TACACS Authentication instead of RADIUS Authentication |
|
ERS self-registration portal update is not deleting fields as expected in PSN |
|
ISE Log Collection error "Session directory write failed" |
|
ISE not updating the Json file information in the AnyConnect output config file |
|
"Invalid phone number format" error seen on mobile devices using the Country-code drop-down option |
|
Deployment went out of sync due to unavailabiltiy of database connections |
|
ISE does not accept % in EXEC or Enable Mode password in network device trustsec configuration |
|
REST authentication service is disabled when backup interface is configured |
|
Emails sent for all system alarms using legacy data even when there is no email address configured in current deployment |
|
Qualys integration is failing with ISE |
|
MacOS Big Sur 11.x BYOD failing EAP-TLS when using a CA signed certificate |
|
Increase the maximum allowable value of the posture grace period from 30 to 90 days |
|
Internal user inactivity timer is not updated due to login letter case |
|
ISE can't handle deletion/addition of SXP-IP mappings propagation due to race condition |
|
Smart license of de-registration flow is not working in ISE and ISE-PIC |
|
The instruction box should be removed when the login-page message is empty |
|
UI issues on TrustSec window |
|
RADIUS Token Identity Source Prompt vs Internal User prompt for TACACS authentication |
|
EST service not running on ISE 2.7 patch 2 and above |
|
Top Authorization report does not show filter in scheduled reports |
|
PAN should not be listening on port 8905 |
|
ROPC authentication is failing with non Base64 characters in the password |
|
Internal ERS user attempting to authenticate via external ID store causing REST delays |
|
NAD IP definitions using - or * do not perform full IP comparison |
|
MNT REST API for ReAuth fails when used in distributed deployment (with separate MnT) |
|
TACACS Reports Advance filters not working when matching full numeric ID entries |
|
All SXP Mappings window not displaying IPv6 mappings learned via Session |
|
Manual Active Session report is empty |
|
Agentless Posture doesn't install CA certificate chain in endpoint Trusted Store |
|
Agentless Posture fails if ISE admin certificate CN is not equal to FQDN |
|
Agentless posture breaks if Windows username includes a space |
|
High CPU seen on PSN nodes from ISE 2.6 patch 3 onwards due to PIP query evaluation |
|
Unable to update domains to be blocked/allowed via API |
|
Cisco Identity Services Engine Self Cross-Site Scripting Issue |
|
ISE REST API returns duplicate values for IP-SGT mappings |
|
RADIUS Accounting Details report does not display Accounting details |
|
Special characters allowed previously in Descriptions field for few objects no longer can be used |
|
Maximum height of Description field in ISE authorization profile UI too small in FF 88 |
|
ISE not accepting more than 6 attributes to be modified in RADIUS server sequence configuration |
|
"/opt/CSCOcpm/config/cpmenv.sh:line 396:<ipv6>:command not found" error seen during CLI backup |
|
ISE does not accept name of custom attribute for Framed-IPv6-Address in the authorization profile |
|
LDAP groups disappear from Sponsor group when making other changes to options |
|
Sponsor user cannot edit data when phone/email fields are filled |
|
Application Server stuck on initializing state due to certificate template curve type P-192 |
|
ISE 2.3 and later version do not support "cariage return" <cr> character in command-set |
|
ISE 2.7 patch 3 GUI doesn't show all device admin authorization policies |
|
AAA requests without Framed-IP value will cause exception in SXP process |
|
Updating a custom attribute through ERS request updates another attribute as well |
|
TACACS custom AV pair as condition in policies is not working |
|
ISE Application server crash/restart due to cancellation of configuration backup |
|
ISE Guest Self-Registration error for duplicate user when "Use Phone number as username" option is enabled |
|
Intermittent error on Cisco DNA Center while trying to deploy policy |
|
ISE installation fails with Database Priming Failed error when All Numbers subdomain is used |
|
ISE authorization profile ERS update ignores accessType attribute changes |
|
While editing a NAD, wrong device profile is being mapped |
|
Setup wizard password does not supports hyphen after reset of config via CLI |
|
ISE 2.7 Patch 3 ERS call is not accepting RADIUS shared secret with 3 characters |
|
Generate key pair accepts space but cannot export key |
|
[ 400 ] Bad Request error with SAML SSO OKTA on Apple devices |
|
REST API for CoA works with any server IP |
|
Configuring WMI with an AD account password containing % results in an error |
|
Customer fields in guest portal contains & - $ # |
|
Authentication via ISE fails with "Invalid login credentials" error |
|
ISE internal users are not getting disabled after hitting inactivity timer |
|
ISE DACL Syntax validator does not comply with ASA's code requirements |
|
Delete 'All' function showing incorrect number of endpoints on confirmation popup |
|
Need the Select ALL device option with or without filter in NAD page |
|
Incorrect Posture Compound Condition Hotfixes |
|
First/Last name wrongly displayed as Unicode of Chinese in Network Access Users window after upgrade |
|
Duplicated RADIUS vendor ID can cause PSN to crash |
|
The log level for OcspClient must be changed to ERROR instead of WARN |
|
Inconsistency between ISE syslog level and message level |
Open Caveats in Cisco ISE Release 3.1

| Caveat ID Number | Description |
|---|---|
| | Accounting report export takes more time to complete. |
| CSCwc83059 | After a full upgrade, VCS information is missing. |
| | Version negotiation fails because the new SXP version is not recognized by ISE. |
| | Android BYOD flow with EST and static IP/hostname/FQDN fails. |
| | Policy change is not pushed to the network device after ISE HA. |
| | Okta redirection happens only after the initially added SAML configuration is deleted and reconfigured. |
| | pxGrid pages are not visible in the GUI after pxGrid is enabled and then disabled in the Deployment tab on a secondary node. |
| | Timestamps need adjustment whenever the timezone is changed. |
| | Live logs and live sessions pages are displayed in an incorrect sort order when the timezone is changed on PSN and MnT nodes. |
| | Session data is shown at the bottom when PSNs are in different timezones. |
| | In 3.1 Patch 8: Insufficient Virtual Machine Resource alarm observed in the 3.1 Patch 8 longevity setup. |
Communications, Services, and Additional Information

- To receive timely and relevant information from Cisco, sign up at Cisco Profile Manager.
- To get the business impact you are looking for with the technologies that matter, visit Cisco Services.
- To submit a service request, visit Cisco Support.
- To discover and browse secure and validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
- To obtain information about general networking, training, and certification titles, visit Cisco Press.
- To find warranty information for a specific product or product family, access Cisco Warranty Finder.