Introduction to Cisco Identity Services Engine
Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, wireless controllers, Virtual Private Network (VPN) gateways, Private 5G networks, and data center switches. Cisco ISE acts as the policy manager in the Cisco Group Based Policy solution and supports TrustSec software-defined segmentation.
Cisco ISE is available on Cisco Secure Network Server appliances with different performance characterizations, virtual machines (VMs), and on the public cloud.
Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services where needed in a network, but operate the Cisco ISE deployment as a complete and coordinated system.
For detailed Cisco ISE ordering and licensing information, see the Cisco Identity Services Engine Ordering Guide.
For information on monitoring and troubleshooting the system, see the "Monitoring and Troubleshooting Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.
What Is New In This Release?
This section lists the new and changed features in Cisco ISE 3.4 and its patches.
New Features in Cisco ISE Release 3.4 - Cumulative Patch 1
Customer license usage in future Cisco Identity Services Engine (ISE) releases and patches will align with the Cisco ISE licensing tiers. Review the licensing tiers to ensure compliance.
Assign dedicated resources for join points
From Cisco ISE Release 3.4 Patch 1, you can reserve resources for the join points in each PSN. This resource segmentation will help reduce the performance impact caused by resource sharing among the join points.
For more information, see "Assign dedicated resources for join points" in the Chapter "Asset Visibility" in the Cisco Identity Services Engine Administrator Guide, Release 3.4.
Change of Authorization (CoA) for dictionary attributes using pxGrid Direct
From Cisco ISE Release 3.4 Patch 1, you can enable Change of Authorization (CoA) for dictionary attributes using pxGrid Direct. When the value of a CoA-enabled dictionary attribute changes, a CoA Port Bounce or Reauthentication is performed on the impacted endpoint. For more information, see "Change of Authorization (CoA) for dictionary attributes using pxGrid Direct" in the chapter "Asset Visibility" in the Cisco ISE Administrator Guide, Release 3.4.
Cisco pxGrid Cloud new region support
Cisco pxGrid Cloud is now supported in Europe, Asia Pacific and Japan in addition to the U.S.. For more information, see the pxGrid Cloud Solution Guide and the pxGrid Cloud Onboarding Guide.
Dynamic Reauthorization Scheduler
Starting with Cisco ISE Release 3.4 Patch 1 release, you can enhance access control by setting a predetermined expiration date and time for each session, ensuring sessions remain active only until the specified expiration, thereby preventing unauthorized access.
For more information, see "Dynamic Reauthorization Scheduler" in the chapter "Segmentation" in the Cisco Identity Services Engine Admin Guide, Release 3.4.
Enable PAP/ASCII in FIPS Mode
From Cisco ISE Release 3.4 Patch 1, Cisco ISE allows configuration of the PAP/ASCII protocol in FIPS mode. You can enable RADIUS DTLS settings when configuring network devices to support the PAP/ASCII protocol in FIPS mode.
Full and Split Upgrade Support for Patches
You can upgrade to a new Cisco ISE release with or without a patch for that release. If you have already installed a patch for your Cisco ISE release, you can use the Patch option to upgrade only the patch in your current release.
You can choose the full upgrade or split upgrade option for a patch upgrade.
-
Full Upgrade: Full upgrade is a multistep process that enables a complete patch upgrade of all the nodes in your Cisco ISE deployment at the same time.
-
Split Upgrade: Split upgrade is a multistep process that enables the patch upgrade of your Cisco ISE deployment while allowing services to remain available during the upgrade process.
For more information, see "Software Patch Upgrade" in the chapter "Install Latest Patch" in the Cisco Identity Services Engine Upgrade Guide, Release 3.4.
Inbound and Outbound SGT Domain Rules
You can create inbound SGT domain rules to map incoming SGT bindings with specific SGT domains. If no rules are defined, bindings received from workload connectors are sent to the default SGT domain.
You can create outbound SGT domain rules to designate target destinations for specific SGT bindings.
For more information, see "Add Inbound SGT Domain Rules" and "Add Outbound SGT Domain Rules" in the chapter "Segmentation" in the Cisco ISE Administrator Guide, Release 3.4.
Integrate Cisco pxGrid Cloud applications using Integration Catalog
From Cisco ISE Release 3.4 Patch 1, you can use a native integration catalog interface in Cisco ISE to integrate with Cisco pxGrid Cloud applications for a simplified integration experience. Cisco pxGrid Cloud apps can be integrated with Cisco ISE using the Integration Catalog (). You can integrate both single-instance and multi-instance Cisco pxGrid Cloud apps. For more information, see the Cisco pxGrid Cloud Solution Guide.
New pxGrid API: Endpoint topic
The Endpoint topic provides access to endpoints connected to a Cisco ISE-managed network device. For more information, see the Cisco pxGrid API Guide.
Preview Portal Customization
After making the changes in the Portal Page Customization page, you must click Render Preview to preview your content. You must click Refresh Preview every time to view the updated content.
 Note |
Rendering portal customizations with active content or scripts might pose a security risk. We strongly recommend that you review the scripts carefully before rendering. |
For more information, see "Preview Portal Customization" in the chapter "Guest and Secure WiFi" in the Cisco ISE Administrator Guide, Release 3.4.
Security Identifiers in certificates will not be used for authentication
From Cisco ISE Release 3.4 Patch 1, Cisco ISE supports a new format of certificates with Security Identifiers (SID).
The SIDs present in the Subject Alternative Name (SAN) fields will not be used for authentication in Cisco ISE. This enhancement prevents authentication failures caused due to incorrect SID parsing in the authentication process.
SSHD service cryptographic algorithms enhancement
From Cisco ISE Release 3.4 Patch 1, you can use the new algorithms under service sshd to manage a service using the Cisco ISE CLI. The following algorithms are newly added.
-
MAC-algorithm
-
Hostkey
-
Hostkey-algorithm
-
Key-exchange-algorithm
-
SSH-client-hostkey-algorithm
For more information, see the Cisco ISE CLI Reference Guide, Release 3.4.
Support ACI for Global Security Group
Note |
This update lacks migration support, so EFT customers must disable outbound rules before installing Cisco ISE Release 3.4 Patch 1 and re-enable them after completing the patch installation. |
Workload Classification Rules
Workload classification rules can be used to classify the workloads and to assign primary and secondary SGTs to the workloads. The primary SGT is marked as “Security Group” in the pxGrid session topic and is used to publish IP-to-SGT mappings via SXP. Secondary SGTs are included in the pxGrid session topic as an ordered array named “Secondary Security Groups”.
You can specify the order of classification rule execution. You can drag and drop the rules to change the order of priority.
For more information, see "Add Workload Classification Rules" in the chapter "Segmentation" in the Cisco ISE Administrator Guide, Release 3.4.
Workload Connectors
Common Policy is a framework for building and enforcing consistent access and segmentation policies, regardless of the domain. Workload Connectors are used in this framework to build secure connections with on-premise and cloud data centers, import application workload context, normalize that context into SGTs, and share the context with other domains for building policies.
For more information, see "Workload Connectors" in the chapter "Segmentation" in the Cisco Identity Services Engine Administrator Guide, Release 3.4.
Workloads Live Session
The Workloads Live Session page displays the details about the live workload sessions. To view this page, in the Cisco ISE GUI, click the Menu icon and choose Operations > Workloads > Workloads Live Session.
For more information, see "Workloads Live Session" in the chapter "Segmentation" in the Cisco ISE Administrator Guide, Release 3.4.
New Features in Cisco ISE Release 3.4
Automatic Log Bundle Generation On Upgrade
From Cisco ISE Release 3.4, a mini log bundle, which contains only debug logs specific to the upgrade, is generated automatically during the upgrade process. This log bundle is copied to the repository from where the upgrade was started and can be used to troubleshoot the upgrade in case of failure. Automatic log bundle generation is available for all three upgrade options in Cisco ISE - full upgrade, split upgrade, and upgrade using CLI.
For more information, see the chapter "Perform the Upgrade" in the Cisco Identity Services Engine Upgrade Guide, Release 3.4.
Backup Log Improvements from the Cisco ISE CLI
The backup-logs CLI command has now been updated to include all backup log options that are available on the Cisco ISE GUI such as core-files, date-from, date-to, db-logs, debug-logs, local-logs, mnt-report-logs, policy-cache-logs, policy-conf-logs, and system-logs. If no output options are included, all backup logs are generated.
For more information on this CLI command, see "backup-logs" in the chapter "Cisco ISE CLI Commands in EXEC Mode" in the Cisco ISE CLI Reference Guide, Release 3.4 .
Certificate Authority Diagnostic Tool
To diagnose certificate management related issues, use the CA Diagnostic Tool option (option 37) in the application configure ise command. This tool suggests the possible reasons and remediations for the identified issues, helps to fix the issues, and provides related logs for troubleshooting.
For more information, see "Diagnose Certificate Management Related Issues" in the "Cisco ISE CLI Commands in EXEC Mode" chapter in the Cisco Identity Services Engine CLI Reference Guide, Release 3.4.
Cisco ISE Resiliency Use Cases
From Cisco ISE Release 3.4, the Excessive RADIUS Network Device Communication and Excessive Endpoint Communication alarms have been added to maintain the resiliency of Cisco ISE. For more information, see "Cisco ISE Alarms" in the chapter "Troubleshoot" in the Cisco ISE Administrator Guide, Release 3.4.
Configure Virtual Tunnel Interfaces (VTI) with Native IPsec
From Cisco ISE Release 3.4, you can configure VTIs using the native IPsec configuration. You can use native IPsec to establish security associations between Cisco ISE PSNs and NADs across an IPsec tunnel using IKEv1 and IKEv2 protocols. The native IPsec configuration ensures that Cisco ISE is FIPS 140-3 compliant. For more information, see "Configure Native IPsec on Cisco ISE" in the "Secure Access" chapter in the Cisco ISE Administrator Guide, Release 3.4.
Create a URL Pusher pxGrid Direct Connector Type
You can create a pxGrid Direct connector using the Cisco ISE GUI and OpenAPI (REST API). From Cisco ISE Release 3.4, you can choose between a URL Fetcher pxGrid Direct connector type or a URL Pusher pxGrid Direct connector type. You can use the URL Pusher pxGrid Direct connector to push JSON data into the Cisco ISE database using pxGrid Direct Push APIs. You can use the URL Pusher pxGrid Direct connector type to push data without a server or a CMDB. This data remains in the Cisco ISE database and can be used in the authorization policy.
For more information, see "Create a URL Pusher Connector Type" in the "Asset Visibility" chapter in the Cisco ISE Administrator Guide, Release 3.4 and the Cisco ISE API Reference Guide.
Debug Log Settings
You can configure the maximum file size and the maximum number of files allowed for each debug log component. You can view the current disk space usage and the estimated space usage based on the values set for Max File Size and File Count in the Debug Level Configuration page. You can also specify the date and time after which these values must be reset to default.
For more information, see "Configure Debug Log Settings" in the chapter "Troubleshoot" in the Cisco ISE Administration Guide, Release 3.4.
Enhanced Password Security
Cisco ISE now improves password security through the following enhancements:
-
You can choose to hide the Show button for the following field values, to prevent them from being viewed in plaintext during editing:
Under Network Devices,
-
RADIUS Shared Secret
-
Radius Second Shared Secret
Under Native IPsec,
-
Pre-shared Key
To do this, choose and uncheck the Show Password in Plaintext checkbox.
For more information, see "Configure Security Settings" in the chapter "Segmentation" in the Cisco ISE Administrator Guide, Release 3.4.
-
-
To prevent the RADIUS Shared Secret and Second Shared Secret from being viewed in plaintext during network device import and export, a new column with the header PasswordEncrypted:Boolean(true|false) has been added to the Network Devices Import Template Format. No field value is required for this column.
If you are importing network devices from Cisco ISE Release 3.3 Patch 1 or earlier releases, you must add a new column with this header to the right of the Authentication:Shared Secret:String(128) column, before import. If you do not add this column, an error message is displayed, and you will not be able to import the file. Network devices with encrypted passwords will be rejected if a valid key to decrypt the password is not provided during import.
For more information, see the table in "Network Devices Import Template Format" in the chapter "Secure Access" in the Cisco ISE Administrator Guide, Release 3.4.
GUI Enhancements in Cisco ISE Release 3.4
In Cisco ISE Release 3.4, the Cisco ISE GUI has the following enhancements to make the user experience more intuitive.
-
Single Click Access to Endpoint Information
Objects in the Context Visibility page, such as the attribute details of endpoints in the Cisco ISE GUI, now have detailed information available to users with a single click.
All endpoint attributes now appear on a single tab for ease-of-use and better visibility.
You can click:
-
the MAC address of an endpoint to view all endpoint attributes on a single page.
-
the See full detail option on the top right corner of this page to view all endpoint details in a new browser tab, which you can also share.
-
the link icon next to the MAC address of an endpoint to open a full-page view of all endpoint details.
The following pages have been updated to include these enhancements:
-
.
-
.
-
.
-
.
-
.
-
-
Retention of user preferences for column displays: When you change the column display of a table (adjust column width, hide or show columns, reorder columns, and so on) in the Cisco ISE GUI, your preferences are retained.
Hotpatch Details Added to Show Version Command
The show version CLI command now includes hotpatch details, if any, for a specific Cisco ISE release. For more information, see "show version" in the Chapter "Cisco ISE CLI Commands in EXEC Show Mode" in the Cisco ISE CLI Reference Guide, Release 3.4.
To view hotpatch details on the Cisco ISE GUI, click the 
icon and choose About ISE and Server.
Localized ISE Installation
While reinstalling Cisco ISE, you can use the Localized ISE Install option (option 25) in the application configure ise command to reduce the installation time. Though this option can be used for both Cisco Secure Network Server and virtual appliances, it significantly reduces the reinstallation time for Cisco Secure Network Servers.
For more information, see "Localized ISE Installation" in the Chapter "Cisco ISE CLI Commands in EXEC Mode" in the Cisco Identity Services Engine CLI Reference Guide, Release 3.4.
On-Demand pxGrid Direct Data Synchronization using Sync Now
You can use the Sync Now feature to perform on-demand synchronization of data for pxGrid Direct URL Fetcher connectors. You can perform both full and incremental syncs on-demand. On-demand data synchronization can be performed through the Cisco ISE GUI or using OpenAPI.
For more information, see "On-demand pxGrid Direct Data Synchronization using Sync Now" in the "Asset Visibility" chapter in the Cisco ISE Administrator Guide, Release 3.4.
Opening TAC Support Cases in Cisco ISE
From Cisco ISE Release 3.4, you can open TAC support cases for Cisco ISE directly from the Cisco ISE GUI.
For more information, see "Open TAC Support Cases" in the chapter "Troubleshoot" in Cisco ISE Administrator Guide, Release 3.4.
Option to Add Identity Sync After Creating Duo Connection
If you do not want to configure user data synchronization between Active Directory and Duo while creating a Duo connection, click Skip in the Identity Sync page. You will be taken to the Summary page directly.
After you create a Duo connection, you can add identity sync configurations at any time.
For more information, see "Integrate Cisco Duo With Cisco ISE for Multifactor AuthenticationIntegrate Cisco Duo With Cisco ISE for Multifactor Authentication" in the Chapter "Segmentation" in the Cisco Identity Services Engine Administrator Guide, Release 3.4.
Enforcing Domain Controller Selection With Priority
You can now choose to override Cisco ISE's selection of domain controllers in case of a preferred domain controller failover. To do this, choose . Enter the REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\PreferredDcAndGc\Priority\Enabled registry key in the Name field and 1 in the Value field. This ensures that in the case of a domain controller failover, Cisco ISE overrides the existing priority values and selects the next domain controller in the preferred list in the order of input from left to right. The value of this registry key is set to 0 by default.
When the REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\PreferredDcAndGc\Priority\Enabled registry key is enabled, you can also choose to set the failback interval (in seconds). The failback interval value can be between 60 and 86400. The default failback interval is 180 seconds.
Note |
This feature works only for direct domains that the domain controllers were configured on, and not for trust relationship domains. |
For more information, see “Active Directory Advanced Tuning” in the Chapter “Asset Visibility” in the Cisco Identity Services Engine Administrator Guide, Release 3.4.
PAC-less RADIUS Communication For TrustSec Integrations
From Cisco ISE Release 3.4, Cisco ISE supports PAC-less RADIUS communication for TrustSec integrations. This PAC-less enforcement replaces PAC-based RADIUS authentications wherever supported and is enforced through a shared secret ensuring secure communication between Cisco ISE and the TrustSec device. This feature does not require configuration changes in Cisco ISE. The network devices in the deployment may require a change in configuration. PAC-less RADIUS communication is only supported on network devices with IOS-XE version 17.15.1 or higher.
Per-user Dynamic Access Control List Behavior Change
While evaluating authorization profiles with per-user dynamic access control lists (DACLs), if a DACL does not exist in Cisco ISE configuration, authorization will fail, and Cisco ISE will send an Access-Reject response to that user. You can view this information in the Live Log Details page and the AAA Diagnostics report. From Cisco ISE Release 3.4 onwards, an authorization failure alarm is also displayed in the Alarms dashlet in the Cisco ISE dashboard.
For more information, see "Downloadable ACLs" in the "Segmentation" chapter in the Cisco ISE Administrator Guide, Release 3.4.
pxGrid Direct Support for Arrays in Dictionary Groups for Authorization Policy
From Cisco ISE Release 3.4, you can also use pxGrid Direct Connector data with arrays as dictionary attributes to configure an authorization policy. The operators “Contains” or “Matches” (in case of REGEX) must be used while configuring the policy. The operators ”Equals” and “In” will not work when there are arrays. Multiple attributes can be nested using "AND" or "OR" conditions. For more information, see "Authorization Policies" in the chapter "Segmentation" in the Cisco ISE Administrator Guide, Release 3.4.
pxGrid Filtering
From Cisco ISE Release 3.4, pxGrid supports filtering of information based on the specific requirements of the clients. The pxGrid filtering feature enables clients to only receive relevant information from the publisher on a per-subscription basis. The filtering of information is achieved using the filtering API on the pxGrid server. For more information, see "pxGrid Filtering" in the Chapter "Cisco pxGrid" in Cisco ISE Administrator Guide, Release 3.4.
RADIUS Suppression and Reports Enhancement
From Cisco ISE Release 3.4, the RADIUS suppression and reports feature has been enhanced to faciliatite easier RADIUS () configurations. For more information, see "RADIUS Settings" in the chapter "Segmentation" in the Cisco ISE Administrator Guide, Release 3.4.
New Session Directory topic available using pxGrid
You can subscribe to the Session Directory All topic using pxGrid. The sessionTopicAll is similar to the existing sessionTopic (which continues to be supported), with one key difference. The sessionTopicAll also publishes events for sessions without IP addresses. For more information, see the pxGrid API Guide.
Support for Multiple Cisco Application Centric Infrastructure Connectors
Cisco ISE enables you to create and enforce consistent access policies across multiple domains. Cisco ISE can share the SGTs and SGT bindings with Cisco Application Centric Infrastructure (Cisco ACI). Cisco ISE can also learn the endpoint groups (EPGs), endpoint security groups (ESGs), and endpoint information from Cisco ACI. You can add multiple Cisco ACI connections to Cisco ISE.
You can configure rules to manage the learned context in Cisco ISE and to optimize the context flows between Cisco ISE and Cisco ACI connectors.
Cisco ISE supports Cisco ACI Multi-Tenant, and Multi-Virtual Routing and Forwarding deployments. You can define multi-fabrics through multiple connections. This integration supports multi-pod and individual Cisco ACI fabrics.
For more information, see "Connect Cisco Application Centric Infrastructure with Cisco ISE" in the Chapter "Segmentation" in the Cisco ISE Administration Guide, Release 3.4.
Note |
Support for multiple Cisco Application Infrastructure (Cisco ACI) connectors is a controlled introduction (Beta) feature. We recommend that you thoroughly test this feature in a test environment before using it in a production environment. For best use of this Beta feature, install this hot patch. |
TLS 1.3 Support for Cisco ISE Workflows
Cisco ISE Release 3.4 allows TLS 1.3 to communicate with peers for the following workflows:
-
Cisco ISE is configured as an EAP-TLS server
-
Cisco ISE is configured as a TEAP server
Attention
TLS 1.3 support for Cisco ISE configured as a TEAP server has been tested under internal test conditions because at the time of Cisco ISE Release 3.4, TEAP with TLS 1.3 is not supported by any available client OS.
-
Cisco ISE is configured as a secure TCP syslog client
Note |
For Cisco ISE Release 3.4, the Manually Configure Ciphers List option is not supported for TLS 1.3. |
For more information, see "Configure Security Settings" in the Chapter "Segmentation" in the Cisco Identity Services Engine Administrator Guide, Release 3.4.
Cisco ISE Release 3.4 ISO, Upgrade Bundle, and Cisco ISE-PIC 3.4 ISO Files Replaced on Software Download Site
Cisco ISE Release 3.4 ISO, Cisco ISE Release 3.4 Upgrade Bundle, and Cisco ISE-PIC 3.4 ISO files have been replaced on the Cisco ISE Software Download site. The filenames of the new files are:
-
ise-3.4.0.608a.SPA.x86_64.iso
-
ise-upgradebundle-3.1.x-3.3.x-to-3.4.0.608a.SPA.x86_64.tar.gz
-
Cisco-ISE-PIC-3.4.0.608a.SPA.x86_64.iso
You can use Fedora Media Writer and BalenaEtcher USB tools in addition to Rufus to create a bootable USB device from the new ISO file.
The following steps are not required while creating a bootable USB device using the new ISO file:
-
Replacing the term "cdrom" with "hd:sdb1" in the following files:
-
isolinux/isolinux.cfg or syslinux/syslinux.cfg
-
EFI/BOOT/grub.cfg
-
-
Replacing the term “cdrom” with “harddrive --partition=/dev/disk/by-label/ADEOS --dir=/” in the ks.cfg file
For more information, see "SNS Appliance Reference" in the chapter "Additional Installation Information" in the Cisco Identity Services Engine Installation Guide, Release 3.4.
If you have used the previous files (for example, ise-3.4.0.608.SPA.x86_64.iso) for Cisco ISE Release 3.4 or Cisco ISE-PIC 3.4, there is no need to reinstall Cisco ISE or Cisco ISE-PIC. The new files include only changes to improve the installation process.
Deprecated Features
End of Support for Legacy IPsec (ESR)
From Cisco ISE Release 3.4, Legacy IPsec (ESR) is not supported on Cisco ISE. All IPsec configurations on Cisco ISE will be Native IPsec configurations. We recommend that you migrate to native IPsec from legacy IPsec (ESR) before upgrading to Cisco ISE Release to avoid any loss of tunnel and tunnel configurations. For more information, see "Migrate from Legacy IPsec to Native IPsec on Cisco ISE" in the chapter "Secure Access" in the Cisco ISE Administrator Guide.
Support for Transport Gateway Removed
Cisco ISE no longer supports Transport Gateway. The following Cisco ISE features used Transport Gateway as a connection method:
-
Cisco ISE Smart Licensing
If you use Transport Gateway as the connection method in your smart licensing configuration, you must edit the setting before you upgrade to Cisco ISE Release 3.4. You must choose a different connection method as Cisco ISE Release 3.4 does not support Transport Gateway. If you upgrade to Cisco ISE Release 3.4 without updating the connection method, your smart licensing configuration is automatically updated to use the Direct HTTPS connection method during the upgrade process. You can change the connection method at any time after the upgrade.
-
Cisco ISE Telemetry
Transport Gateway is no longer available as a connection method when using Cisco ISE Telemetry. The telemetry workflow is not impacted by this change.
GUI Deprecations
The following pages have been removed from the Cisco ISE GUI in Cisco ISE Release 3.4:
-
Location Services ().
-
NAC Managers ().
New and Changed APIs in Cisco ISE
For detailed information on new, changed, and deprecated APIs, see the Cisco ISE API Guide on Cisco DevNet.
System Requirements
For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.
For more details on hardware platforms and installation of this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.
Supported Hardware
Cisco ISE 3.4 can be installed on the following Secure Network Server (SNS) hardware platforms:
|
Hardware Platform |
Configuration |
|---|---|
|
Cisco SNS-3615-K9 (small) |
For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide. |
|
Cisco SNS-3655-K9 (medium) |
|
|
Cisco SNS-3695-K9 (large) |
|
|
Cisco SNS-3715-K9 (small) |
|
|
Cisco SNS-3755-K9 (medium) |
|
|
Cisco SNS-3795-K9 (large) |
Cisco SNS 3595 is not supported for Cisco ISE 3.3 and later releases. For more information, see End-of-Life and End-of-Sale Notices.
Supported Virtual Environments
Cisco ISE supports the following virtual environment platforms:
-
For Cisco ISE Release 3.0 and later releases, we recommend that you update to VMware ESXi 7.0.3 or later releases. Cisco ISE Release 3.3 is the last release to support VMware ESXi 6.7.
In the case of vTPM devices, you must upgrade to VMware ESXi 7.0.3 or later releases.
-
OVA templates: VMware version 14 or later on ESXi 7.0, and ESXi 8.0.
-
ISO file supports ESXi 7.0, and ESXi 8.0.
You can deploy Cisco ISE on VMware cloud solutions on the following public cloud platforms:
-
VMware cloud in Amazon Web Services (AWS): Host Cisco ISE on a software-defined data center provided by VMware Cloud on AWS.
-
Azure VMware Solution: Azure VMware Solution runs VMware workloads natively on Microsoft Azure. You can host Cisco ISE as a VMware virtual machine.
-
Google Cloud VMware Engine: Google Cloud VMware Engine runs software defined data center by VMware on the Google Cloud. You can host Cisco ISE as a VMware virtual machine on the software-defined data center provided by the VMware Engine.
Note
From Cisco ISE 3.1, you can use the VMware migration feature to migrate virtual machine (VM) instances (running any persona) between hosts. Cisco ISE supports both hot and cold migration. Hot migration is also called live migration or vMotion. Cisco ISE need not be shut down or powered off during the hot migration. You can migrate the Cisco ISE VM without any interruption in its availability.
-
-
Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later
Cisco ISE supports Azure Stack HCI 23H2 and later versions. The virtual machine requirements and the installation procedure for the Cisco ISE VMs in the Azure Stack HCI are the same as that of Microsoft Hyper-V.
-
KVM on QEMU 2.12.0-99 and later
Note
Cisco ISE cannot be installed on OpenStack.
-
Nutanix 20230302.100169
You can deploy Cisco ISE natively on the following public cloud platforms:
-
Amazon Web Services (AWS)
-
Microsoft Azure Cloud
-
Oracle Cloud Infrastructure (OCI)
For information about the virtual machine requirements, see the Cisco Identity Services Engine Installation Guide for your version of Cisco ISE.
Validated Browsers
Cisco ISE 3.4 is supported on the following browsers:
-
Mozilla Firefox versions 123, 124, 125, 127, and later
-
Google Chrome versions 122, 123, 124, 126, and later
-
Microsoft Edge versions 123, 124, 125, 126, and later
Note |
Currently, you cannot access the Cisco ISE GUI on mobile devices. |
Validated External Identity Sources
Note |
The supported Active Directory versions are the same for both Cisco ISE and Cisco ISE-PIC. Cisco ISE supports Microsoft Entra ID. |
|
External Identity Source |
Version |
|---|---|
|
Active Directory |
|
|
Microsoft Windows Active Directory 2012 |
Windows Server 2012 |
|
Microsoft Windows Active Directory 2012 R2 1 |
Windows Server 2012 R2 |
|
Microsoft Windows Active Directory 2016 |
Windows Server 2016 |
|
Microsoft Windows Active Directory 2019 |
Windows Server 2019 |
|
Microsoft Windows Active Directory 2022 |
Windows Server 2022 with Patch Windows10.0-KB5025230-x64-V1.006.msu |
|
Microsoft Windows Active Directory 2025 |
Windows Server 2025 |
|
LDAP Servers |
|
|
SunONE LDAP Directory Server |
Version 5.2 |
|
OpenLDAP Directory Server |
Version 2.4.23 |
|
Any LDAP v3-compliant server |
Any version that is LDAP v3 compliant |
|
AD as LDAP |
Windows Server 2022 with Patch Windows10.0-KB5025230-x64-V1.006.msu |
|
Token Servers |
|
|
RSA ACE/Server |
6.x series |
|
RSA Authentication Manager |
7.x and 8.x series |
|
Any RADIUS RFC 2865-compliant token server |
Any version that is RFC 2865 compliant |
|
Security Assertion Markup Language (SAML) Single Sign-On (SSO) |
|
|
Microsoft Azure MFA |
Latest |
|
Oracle Access Manager (OAM) |
Version 11.1.2.2.0 |
|
Oracle Identity Federation (OIF) |
Version 11.1.1.2.0 |
|
PingFederate Server |
Version 6.10.0.4 |
|
PingOne Cloud |
Latest |
|
Secure Auth |
8.1.1 |
|
Any SAMLv2-compliant Identity Provider |
Any Identity Provider version that is SAMLv2 compliant |
|
Open Database Connectivity (ODBC) Identity Source |
|
|
Microsoft SQL Server |
Microsoft SQL Server 2012 Microsoft SQL Server 2022 |
|
Oracle |
Enterprise Edition Release 12.1.0.2.0 |
|
PostgreSQL |
9.0 |
|
Sybase |
16.0 |
|
MySQL |
6.3 |
|
Social Login (for Guest User Accounts) |
|
|
|
Latest |
Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2. However, the new features in Microsoft Windows Active Directory 2012 R2, such as Protected User Groups, are not supported.
Supported Antivirus and Antimalware Products
For information about the antivirus and antimalware products supported by the Cisco ISE posture agent, see Cisco AnyConnect ISE Posture Support Charts.
Validated OpenSSL Version
Cisco ISE 3.4 is validated with OpenSSL 1.1.1x and CiscoSSL 7.3.375 with FOM 7.3a.
OpenSSL Update Requires CA:True in CA Certificates
For a certificate to be defined as a CA certificate, the certificate must contain the following property:
basicConstraints=CA:TRUE
This property is mandatory to comply with recent OpenSSL updates.
Install a New Patch
For instructions on how to apply the patch to your system, see the "Cisco ISE Software Patches" section in the Cisco Identity Services Engine Upgrade Journey.
For instructions on how to install a patch using the CLI, see the "Patch Install" section in the Cisco Identity Services Engine CLI Reference Guide.
Note |
If you installed a hot patch on your previous Cisco ISE release, you must roll back the hot patch before installing a patch. Otherwise, the services might not be started due to an integrity check security issue. |
Upgrade Information
Note |
Native cloud environments must use the Cisco ISE backup and restore method for upgrades. Upgrades cannot be performed on Cisco ISE nodes deployed in native cloud environments. You must deploy a new node with a newer version of Cisco ISE and restore the configuration of your older Cisco ISE deployment onto it. |
Upgrading to Release 3.4
You can directly upgrade to Release 3.4 from the following Cisco ISE releases:
-
3.1
-
3.2
-
3.3
If you are on a version earlier than Cisco ISE, Release 3.1, you must first upgrade to one of the releases listed above, and then upgrade to Release 3.4.
We recommend that you upgrade to the latest patch in the existing version before starting the upgrade.
Upgrade Packages
For information about upgrade packages and supported platforms, see Cisco ISE Software Download.
Upgrade Procedure Prerequisites
-
Run the Upgrade Readiness Tool (URT) before the upgrade to check whether the configured data can be upgraded to the required Cisco ISE version. Most upgrade failures occur because of data upgrade issues. The URT validates the data before the actual upgrade and reports the issues, if any. The URT can be downloaded from the Cisco ISE Download Software Center.
-
We recommend that you install all the relevant patches before beginning the upgrade.
For more information, see the Cisco Identity Services Engine Upgrade Guide.
Cisco ISE Integration with Cisco Catalyst Center
Cisco Catalyst Center
Cisco ISE can integrate with Cisco Catalyst Center. For information about configuring Cisco ISE to work with Catalyst Center, see the Cisco Catalyst Center documentation.
For information about Cisco ISE compatibility with Catalyst Center, see the Cisco SD-Access Compatibility Matrix.
Caveats
The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, use the Cisco Bug Search Tool (BST).
Note |
The Open Caveats sections list the open caveats that apply to the current release and might apply to releases earlier than Cisco ISE 3.4. A caveat that is open for an earlier release and is still unresolved applies to all future releases until it is resolved. |
Resolved Caveats
Resolved Caveats in Cisco ISE Release 3.4 - Cumulative Patch 1
The following table lists the resolved caveats in Cisco ISE Release 3.4 Patch 1.
|
Caveat ID Number |
Description |
|---|---|
|
From Cisco ISE Release 3.2 and later, bond interfaces need MTU as configured on primary interfaces. |
|
|
There is a data mismatch when opening live logs or live session details in Cisco ISE. |
|
|
Data upgrade or restore fails from Cisco ISE Release 3.3 to Cisco ISE Release 3.4 if REST ID store is configured without a suffix. |
|
|
Unable to change the password policy on Cisco ISE under internal identity user authentication settings. |
|
|
Cisco ISE should not allow updating the existing library conditions with conditions that are not allowed in the policy set. |
|
|
When a previous mandatory policy fails, the audit policy fails and shows skipped conditions. |
|
|
Cisco ISE CLI or SSH user does not follow password policy. |
|
|
Cybervision receives DDOS getAssets calls post Cisco ISE integration. |
|
|
pxGrid JMESPath filter bulk download client timeout. |
|
|
RPC calls made through Active Directory probe for ODBC authentications. |
|
|
Domain name does not update in the system file (etc/hosts) when bond is configured. |
|
|
Not all Cisco ISE SRV records have IP due to UDP size limit (length = 548). |
|
|
Backup restoration is stuck at 75 percent. |
|
|
In Cisco ISE Release 3.3 Patch 2, Endpoint incorrectly shows as a "Rejected Endpoint" after it is released. |
|
|
The swapon or swapoff cron should be removed as it causes high load every 6 hours. |
|
|
Empty GPG files are exported if there is no data to purge. |
|
|
If PAN failover is enabled in deployment page, PAN-HA precheck fails. |
|
|
Cisco ISE internal users account disable policy feature does not work after one day of inactivity. |
|
|
Cisco ISE Release 3.4 incorrectly marks RADIUS packets as duplicates. |
|
|
In Cisco ISE Release 3.3 Patch 3, the external identity sources show "no data available" after Cisco ISE Release 3.3 Patch 3 installation. |
|
|
IP domain-name validation is too strict and does not accept valid domains. |
|
|
In Cisco ISE Release 3.3, TACACS data is not retained and everything gets purged. |
|
|
In Cisco ISE Release 3.2, Cisco ISE counters reports are empty for secondary nodes. |
|
|
Page-level help for inbound and outbound SGT Domain Rules page does not work. |
|
|
Cisco ISE EAP-FAST PAC-less session timeout, value does not get saved. |
|
|
In Cisco ISE Release 3.2 Patch 6, PSN does not update the database with the correct posture lease expiry time. |
|
|
Users pending account is not displayed in the Sponsor Manage Account page. |
|
|
Cisco ISE profiler is unable to read the MAC from the LLDP port ID subtype 7 received through SNMP probe response. |
|
|
SXP binding is stuck on Cisco ISE during re-authentication of endpoint between multiple VNs. |
|
|
Authentication using the name of the profile fails when the default device is used. |
|
|
DNS cache timeout is not honored. |
|
|
Heap space is fully utilized by RMQ Consumer. |
|
|
Cisco ISE does not connect with external RADUIS server when proxy-state attribute is missing. |
|
|
Agentless posture and endpoint logs are exported as HTM instead of a zip file. |
|
|
Custom portal files previews do not load properly. |
|
|
Cisco ISE skips authentication against the child domain controller when the AD Forest is marked offline. |
|
|
The backup file is not displayed in the GUI. |
|
|
Numeric overflow exception encountered during restart of replication client. |
|
|
MDM significant attributes causes database persistent events during authentication flow. |
|
|
Vulnerable JS Library issue found while executing ZAP in Cisco ISE Release 3.3. |
|
|
When you try to edit or add a description for network access users, the description field closes. |
|
|
All rules of source and destination tree under TrustSec policy in Cisco ISE GUI are not visible. |
|
|
Allow enabling of PAP when FIPS is enabled for RADIUS DTLS compatibility. |
|
|
SGTs are not deleted when an ACI connection is deleted. |
|
|
The ise.psc.log does not print the incoming API request's URI in DEBUG mode. |
|
|
Imported endpoints show incorrect endpoint IDs causing data mismatch. |
|
|
SXP bulk download missing entries after SXP node reload. |
|
|
Slow ERS API endpoint call. |
|
|
TACACS authorization details do not work when SMNT is on the same node as primary PAN. |
|
|
Endpoint check result remains unreachable after passive ID login event. |
|
|
Unable to replace SSH key for Cisco ISE AWS EC2 instances. |
|
|
Getting higher counts external active directory logs on syslog server. |
|
|
IP address 169.254.4.3 seen when using certificate-based authentication for Cisco ISE administration. |
|
|
ODBC query in authorization policy does not return result with Postgres. |
|
|
In Cisco ISE Release 3.2, Cisco ISE_Internal_Operations_Diagnostics triggers FATAL logging message stating system has reached low disk space limit due to localstore directory size issue. |
|
|
Proposed profiled rule download button throws 400 error. |
|
|
The graph is not shown when you click on Cisco ISE report in launchpad from prime infrastructure. |
|
|
While enabling or disabling IPv6, multiple empty lines are created in sysctl.conf file. |
|
|
Passive session is not published to FMC as Cisco ISE tries to stitch session always. |
|
|
Getting misleading error prompt "Unable to send email". |
|
|
Cisco ISE Business Logic Issue - User Dictionaries. |
|
|
In CDP, multiple SGT IP bindings are missing from Cisco ACI to Cisco ISE; Cisco ACI has mdpEps. |
|
|
Additional fix to LSD class. |
|
|
Posture state synchronization feature use cases and validation steps need to be documented. |
|
|
Cisco ISE says CLI maximum password size is 127. |
|
|
Optimize the indexing for 'EDF_MDM_GUID' lookups for 'EDF_MDM_GUID' to eliminate full table scans. |
|
|
High CPU on admin node post accessing "Endpoint Identity Groups" page on Cisco ISE. |
|
|
Cisco ISE Formula Injection. |
|
|
Cisco ISE portals show Ukrainian when browser language is Russian. |
|
|
SXP mappings is not learned for VPN users private IP. |
|
|
RBAC admin user able to add user without static assignment group. |
|
|
Cisco ISE Release 3.4 GuestAPI query fails with an admin account who has sponsor privileges. |
|
|
In Cisco ISE Release 3.2 Patch 6, Cisco ISE does not query MDM intermittently if it receives a 404 response from the MDM server. |
|
|
PIV/CAC authentication for Cisco ISE admin access causes System 360 permission issues. |
|
|
In Cisco ISE Release 3.3 Patch 2, error occurs when certificate details are retrieved. |
|
|
ODBC advanced attributes does not work if two or more inbound attributes are selected. |
|
|
System 360 does not show Cisco ISE nodes with different DNS domain names other than primary Cisco ISE. |
|
|
Due to CoA reauth getting stuck, BYOD devices are on WebAuth pending state even when devices are registered. |
|
|
The health check fails on input or output bandwidth performance check and returns a NULL result. |
|
|
The GUI does not ask confirmation of old password for password change. |
|
|
Cisco ISE Release 3.2 Patch 6 health check input or output bandwidth fails even when it is within the supported guidelines. |
|
|
Cisco ISE 360 Monitoring dashboard displays average CPU time percentage instead of summing the rate. |
|
|
Cisco ISE /ers/config/endpoint/getrejectedendpoints does not have pagination and returns only 100 endpoints. |
|
|
Cisco ISE passiveid-agent.log should include information about the user when logon event is shared. |
|
|
The pxGrid direct triggers sync at last restart time instead of scheduled time. |
|
|
Cisco ISE internal user lock or suspend on incorrect attempts counter does not work as expected. |
|
|
ODBC advanced setting sent in procedure call should be logged. |
|
|
Post upgrade MFC profiler dashboard shows no data. |
|
|
List of installed patches does not show under patch management page due to admin certificate issue. |
|
|
Cisco ISE missing rate limiting protection. |
|
|
ConfD generates endless localhost:9888.access.1.1.1.1... and so on. |
|
|
Device admin license does not allow Cisco ISE admin user to reset first login password. |
|
|
Health check fails for MDM flow. |
|
|
With less than 3000 SGTs, Cisco ISE throws "This Custom View has exceeded the maximum number of SGTs (3000)." error. |
|
|
Cisco ISE Evaluate OpenSSH CVE-2024-6387 "regreSSHion". |
|
|
Change in local log settings does not trigger old files deletion. |
|
|
Sysaux tablespace allocation should be done based on the profile of the node. |
|
|
Cisco ISE Release 3.2 API does not validate if a join point is being used when deleting it over the ERS API. |
|
|
TC-NAC_Tenable throws "Scan Failed: Error in connecting to host: 403 Forbidden" error. |
|
|
The pxGrid live log serviceability. |
|
|
Update pi-profiler prometheus configuration without app server restart. |
|
|
Blanket bug to commit Cisco ISE XDR integration changes. |
|
|
Blanket bug to add multi-ACI report for CDP. |
|
|
Cisco ISE Reflected Cross-Site Scripting Vulnerability. |
|
|
Cisco ISE Reflected Cross-Site Scripting Vulnerability. |
|
|
Cisco ISE XML External Entity Injection Vulnerability. |
|
|
Cisco ISE Arbitrary File Read and Delete Vulnerability. |
|
|
Cisco ISE Arbitrary File Read and Delete Vulnerability. |
|
|
Cisco ISE services are getting initialized due to dangling LOCK_FILE. |
|
|
Cisco ISE redirection bypass may lead to XSS. |
|
|
For SMS gateway GET requests, the URL mapping is not visible in the guest.log. |
|
|
FMC integration with Cisco ISE Release 3.3 Patch 3 is breaking for Azure sessions. |
|
|
Cisco ISE Release 3.4 Active Directory diagnostic tool tests are failing. |
|
|
In CDP or CSDAC, bindings to SXP devices are no longer sent after workload classification rule changes. |
|
|
In CDP, IPv6 traffic loss to the data center occurs after a PSN reload or an SXP move. |
|
|
The installation time extension has impacted the CI. |
|
|
In Cisco ISE Release 3.3, a delay occurs when logging into the PAN while it is in not-in-sync mode, as it does not respond on TCP port 443. |
|
|
Despite having MDM attributes, the authentication session does not align with the MDM policy. |
|
|
IP address 169.254.4.3 is seen when using certificate-based authentication for Cisco ISE administration. |
|
|
Cisco ISE Release 3.4 port 80 is not in the listening state. |
|
|
Static identity group cannot be changed for endpoints. |
Resolved Caveats in Cisco ISE Release 3.4
The resolved caveats in Cisco ISE Release 3.4 have parity with these Cisco ISE patch releases: 3.3 Patch 3, 3.2 Patch 6, and 3.1 Patch 9.
The following table lists the resolved caveats in Release 3.4.
|
Caveat ID Number |
Description |
|---|---|
|
Microsoft Azure AD has been officially renamed as Microsoft Entra ID. |
|
|
The aging time of Cisco ISE Passive ID is always 1 hour regardless of the configuration. |
|
|
Cisco ISE Release 3.3: The automatically generated SNMPv3 engine ID is identical on all the nodes. The ID displayed is AKHGCM5MKGF. |
|
|
Account extension is not properly defined in the Sponsor-based Guest Portal. |
|
|
The Cisco ISE PAN is missing updates of nonsignificant attributes for endpoints from the Cisco ISE PSN. |
|
|
Cisco ISE CLI upgrade fails with the error "Internal error during command execution". |
|
|
Syslogs for Cisco ISE MnT purge events are incorrectly formatted. |
|
|
The Sponsor Portal displays the error "400 Bad Request" when you click the Contact Support option on the Cisco ISE GUI. |
|
|
Cisco ISE SNMP polling doesn’t work with privacy protocol AES 192 or AES 256. |
|
|
Adding the second NTP authentication key removes all authentication keys from the Cisco ISE GUI. |
|
|
If the Account Expiration notification has special characters, you can’t save the Guest Type. |
|
|
The MnT log processor service occasionally runs on other Cisco ISE admin nodes. |
|
|
In Cisco ISE Release 3.2, SNMP doesn’t work after a node restart. |
|
|
When posture lease is enabled, Cisco ISE PSN doesn’t update the database with the correct posture expiry time. |
|
|
Guest portal removal failure and integrity constraint in Cisco ISE Release 3.1 Patch 5. |
|
|
Removal of EPS from Cisco ISE code. |
|
|
TLS is restricted to use only a few ciphers in Cisco ISE Release 3.3, but the ports 8905, 9094, and 9095 use all TLS ciphers. |
|
|
Cisco ISE couldn’t find the selected authorization profile if the profile has been created using API. |
|
|
Strict transport security is incorrectly formed in Cisco ISE Release 3.2. |
|
|
NFS repository stops working suddenly on a single node in a distributed deployment in Cisco ISE Release 3.2. |
|
|
Listening noted on port TCP and 67 in Cisco ISE Release 3.2. |
|
|
Administrator login report displays the error "Administrator authentication failed" every five minutes in Cisco ISE Release 3.1. |
|
|
The pxGrid Databases Synchronization Test on Cisco ISE displays the error "Out of Sync". |
|
|
Unable to create a user with auth-password and priv-password equal to 40 characters in Cisco ISE Release 3.2 Patches 2 and 3. |
|
|
When using an LDAP connection to connect to AD, Cisco ISE can’t translate the value of AD attribute "msRASSavedFramedIPAddress" or "msRADIUSFramedIPAddress". |
|
|
The attributes TotalAuthenLatency and ClientLatency don’t work for TACACS+ in Cisco ISE. |
|
|
Unable to add an endpoint's MAC address to Endpoint Identity Group when using grace access in the Guest portal. |
|
|
Additional IPV6-SGT session binding created for IPV6 to link local address from SXP ADD operation. |
|
|
The authorization policy feature isn’t working in Cisco ISE Release 3.2. |
|
|
Guest portal FQDN is mapped with the IP address of the node in the database. |
|
|
Cisco ISE database doesn’t update the email field for Sponsor accounts. |
|
|
Cisco ISE can’t retrieve a peer certificate during EAP-TLS authentication. |
|
|
Enhancement for encryption to only send AES256 for MS-RPC calls. |
|
|
Cisco ISE restarts services directly without a prompt with the error "no ip name-server" displayed. |
|
|
Unable to disable Active Directory Diagnostic Tool scheduled tests in Cisco ISE Release 2.7. |
|
|
The error "No session available" is displayed in Cisco ISE Release 3.3 Patch 2. |
|
|
Unable to match "identityaccessrestricted equals true" in the authorization policy in Cisco ISE Release 2.6 Patch 7. |
|
|
The Device Network Conditions GUI page doesn’t load. |
|
|
The "iselocalstore" logs aren’t getting collected in the support bundle logs obtained from the Cisco ISE CLI. |
|
|
The pxGrid getUserGroups API request returns an empty response. |
|
|
Enabling the SXP role on the Cisco ISE PSN causes high CPU load and utilization. |
|
|
Endpoints having a null key value pair in the attributes section are interrupting the purge flow. |
|
|
Cisco ISE times out when using the Export All option on the Network Devices page to export more than 90,000 network devices. |
|
|
Space " " characters in the command arguments are being replaced by forward slash "/" characters after the command set is exported as a CSV file. |
|
|
The endpoint is losing the static identity group assignment after reauthentication. |
|
|
You need to disable the unbound-anchor while starting Cisco ISE. |
|
|
The external RADIUS server list doesn’t show up after upgrading to Cisco ISE Release 3.2. |
|
|
An excess number of AD groups being mapped to sponsor groups is causing latency in sponsor login |
|
|
During the registration of a node that was previously registered to the deployment, it’s observed that all the certificates of the deployment were deleted and that all the nodes in the deployment were restarted. |
|
|
Unable to delete a support bundle from the Cisco ISE GUI in Cisco ISE Release 3.1 Patch 7. |
|
|
An issue with the Insufficient Virtual Machine Resources Alarm on AWS is seen in Cisco ISE Release 3.2 Patch 6. |
|
|
In Cisco ISE Release 3.2 Patch 4, the search for MAC address in the format is ignored. |
|
|
When Cisco ISE has pxGrid enabled on two nodes, the integration fails with the error "pxGrid not enabled on ISE". |
|
|
The ise-duo.log isn’t collected at the time of support bundle creation. |
|
|
Profiler CoA sent with the wrong session ID. |
|
|
The agent rule defaults to the default rule setting while editing an existing agent. |
|
|
Cisco ISE CLI admin user is unable login after not logging in over a two-month period. |
|
|
The ct_engine root is using 100% of the CPU. |
|
|
Cisco ISE URT bundle upgrade fails with the error "RADIUS dictionary attribute duplicate entry exists". |
|
|
The PRA fails if the endpoint is in a posture lease. |
|
|
Location group information is missing from policy sets. |
|
|
The mobile number format field for JavaScript code doesn’t support more than 100 characters. |
|
|
The AnyConnect posture script isn’t attempted when the script condition name contains a period. |
|
|
Scheduled backup configuration details aren’t visible to Read-only user in Cisco ISE Release 3.1 Patch 7. |
|
|
The row of "Manage SXP Domain filters" only displays a maximum of 25 filters. |
|
|
Unable to load the authorization policy due to duplicate portal entries. |
|
|
When upgrading to Cisco ISE Release 3.4, the Duo seeder is missing in the MnT table post the upgrade. |
|
|
The application remediation disappears after editing. |
|
|
In Cisco ISE Release 3.2, the SMS is not sent during the "Reset Password" flow when using a custom "SMTP API Destination Address". |
|
|
In Cisco ISE Release 3.3, the PAN failover component is missing from the debug log configuration. |
|
|
In Cisco ISE PIC Release 3.1, the live session shouldn’t show the terminated sessions. |
|
|
Posture client provisioning resources display an HTTP error when the dictionary attribute contains "-". |
|
|
Cisco ISE is reaching the context limit in proxy flows when querying LDAP groups for authorization policies. |
|
|
Cisco ISE automatic crash decoder isn’t decoding functions properly. |
|
|
Post ADEOS restore, the app server is stuck at the initializing phase. |
|
|
Add an option to delete temporary files from "/opt/backup" if the CLI backup process fails during transfer. |
|
|
When joining multiple Cisco ISE nodes to the domain controller simultaneously duplicate accounts are created. |
|
|
profiler is triggering Port Bounce when there are multiple sessions exist on a switch port |
|
|
In Cisco ISE Release 3.1, the detailed report doesn't show both user and machine authentication policies for EAP chaining. |
|
|
In Cisco ISE Release 3.2 and later releases, the System 360 monitoring debug log level needs to be reduced. |
|
|
German and Italian emails can’t be saved under Account Expiration Notification in Guest Types. |
|
|
In Cisco ISE Release 3.1Patch 8, the Installed Patches menu doesn’t list all the patches. |
|
|
An identity store added using uppercase FQDN can’t be removed from the CLI. |
|
|
In Cisco ISE Release 3.1, there’s an intermittent failure in displaying Live Log details and the error "No Data available for this record" is displayed. |
|
|
Bulk Creating Egress Matrix Policy Via ERS Fails With an Error |
|
|
An attempt to delete an "Is IPSEC Device" NDG causes all subsequent RADIUS and TACACS+ authentications to fail. |
|
|
If the configured synflood-limit is beyond 10000, the limit isn’t working. |
|
|
Show CLI commands throw an exception after configuring log level up to five. |
|
|
Unable to integrate to prime Infrastructure due to a wrong password error. |
|
|
Cisco ISE displaying "Invalid IP or hostname" error. |
|
|
The PRA fails if the endpoint is within posture lease. |
|
|
Apache Struts Vulnerability affecting Cisco products: December 2023 |
|
|
Not able to schedule or edit schedule for a configuration backup. |
|
|
Cisco ISE Release 3.2 Patch 2 provides no response from SNMP when the "snmp-server host" is configured. |
|
|
Intensive GC observed due to the SXP component causing node longevity issues in Cisco ISE Release 3.4. |
|
|
Cisco ISE drops a RADIUS request with the error message "Request from a nonwireless device was dropped". |
|
|
Provide a comprehensible description for the error displays while editing internal users. |
|
|
Context Visibility for pxGrid ContextIn is missing custom attributes in Cisco ISE Release 3.1 Patch 7. |
|
|
Swap memory usage is high. |
|
|
Data corruptions causing FailureReason=11007 or FailureReason=15022 in Cisco ISE. |
|
|
The deployment SEC_TRNREP_STATUS isn’t getting updated from the "In Progress" state. |
|
|
In the Context Visibility page, the Endpoint Custom Attributes can’t be filtered using special characters. |
|
|
In Cisco ISE Release 3.2, there’s limited GUI access and an inability to regenerate root CA when Essentials licenses are disabled. |
|
|
The Cisco ISE GUI doesn't load when trying to edit the Client Provisioning Portal configuration. |
|
|
CVE-2023-48795 seen in OpenSSH in Cisco ISE. |
|
|
Unable to match Azure AD group if the user belongs to more than 99 groups. |
|
|
Discrepancy in the count of identity groups between the CV and Oracle databases. |
|
|
Enabling only "User Services" also enables admin GUI access. |
|
|
The application server is crashing as a result of Metaspace exhaustion. |
|
|
Cisco ISE doesn’t allow special characters in passwords while importing certificates. |
|
|
Inconsistence on VLAN ID or name with the error "Error: Not a valid ODBC dictionary". |
|
|
In Cisco ISE Release 3.1 Patch 5, the passwords of a few internal users aren’t expiring even after the configured global password expiry date. |
|
|
In Cisco ISE Release 3.3, TACACS data isn’t retained and is purged. |
|
|
The Cisco ISE Alarm and Dashboard Summary doesn’t load. |
|
|
The message description for message code 13036 has a misspelled word. |
|
|
In Cisco ISE Release 3.2, the TACACS+ end-station network condition has high step latency while accessing the NAD using the console. |
|
|
Resend the user account details for all guest users or specific guest users to the sponsor. |
|
|
pxGrid doesn’t show topic registration details. |
|
|
During the TrustSec deployment verification, the policy difference alarm is triggered while policy the is identical on Cisco ISE and the NAD. |
|
|
The text of the Out of Compliance for 30 days alarm needs to be updated. |
|
|
Cisco Identity Services Engine Arbitrary File Upload Vulnerability. |
|
|
In Cisco ISE Release 3.1, the NAD RADIUS shared secret key is incorrect when it starts with ' (apostrophe). |
|
|
Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability. |
|
|
1000 database connections are exhausted due to "Dashboard System Status" query. |
|
|
Cisco ISE Sponsor Portal is showing an invalid input when special characters are used in the Guest Type. |
|
|
High CPU usage caused by RMQforwarder. |
|
|
The User Account search and Manage Accounts functionality has been enhanced. |
|
|
Decryption of session tickets received from the client fails on Cisco ISE. |
|
|
TrustSec update with CoA or CoA-push is broken. |
|
|
AD group retrieval fails while evaluating authorization policies. |
|
|
Cisco ISE Release 3.2 Patch 4 displays a "deleteCertFromStore:- Failed to parse certificate" error. |
|
|
The Profiler NetworkDeviceEventHandler failed to add a device as a result of the input containing "0-255" in the string. |
|
|
The error "Name or service not known'" is displayed when you try to reach the configured IP host under certain procedures. |
|
|
The Docker Metrics Report needs to be changed. |
|
|
Cisco ISE displays a 400 error when fetching the device administration network conditions using OpenAPI. |
|
|
Right COA to be triggered in VPM flow when posture and MDM flows are configured together. |
|
|
An upgrade to Cisco ISE Release 3.2 fails with the error - integrity constraint (CEPM.REF_HOSTCONFIG_HA_PEER1) violated. |
|
|
The TopN device administration reports don’t work when incoming TACACS records exceed 40 million records per day. |
|
|
Cisco ISE Passive ID agent displays error "id to load is required for loading". |
|
|
Cisco ISE can't create an authentication policy with DenyAccess identity source using OpenAPI. |
|
|
Unable to retrieve the endpoint IP address using API calls. |
|
|
The command "show cpu usage" doesn’t display information in Cisco ISE 3.x releases. |
|
|
Cisco ISE Missing Rate Limiting Protection. |
|
|
Authentication fails and the advanced options are ignored in Cisco ISE. |
|
|
There’s a spelling mistake in API gateway settings in Cisco ISE 3.x releases. |
|
|
Aruba-MPSK-Passphrase needs encryption support. |
|
|
User and Endpoint Identity Groups description fields become not editable when using long-form text. |
|
|
In Cisco ISE Release 3.1 Patch 5, the pxGrid client certificate can’t be generated by using CSR. |
|
|
Unable to delete Network Device Group. |
|
|
Cisco ISE agentless posture doesn’t support passwords containing ":" character. |
|
|
A misleading pop-up seen while setting the password lifetime as more than 365 days. |
|
|
Cisco ISE Get All Endpoints request takes a long time to execute since Cisco ISE Release 2.7. |
|
|
In Cisco ISE Release 3.2 and later releases, System 360 Monitoring debug log rotation isn’t working. |
|
|
Unable to trigger COA and is stuck at the dispatcher queue. |
|
| The Context Visibility pages open drawer action displays an error while loading subtitles in Cisco ISE Release 3.3 Patch 1. | |
|
Security groups and contracts with multiple backslash characters in a row in the description can’t sync to Cisco ISE. |
|
|
This Cisco ISE ERS API is taking several seconds to update a single endpoint. |
|
|
The requirement to enter the current password during a password update can be bypassed in Cisco ISE. |
|
|
Connection attempts to domains in the "not allowed domains" list are observed in Cisco ISE Release 3.0. |
|
|
The 'accountEnabled' attribute is causing authentication issues for EAP-TLS with Azure AD. |
|
|
In Cisco ISE, the authorization rule evaluation appears to be broken for authorization attempts that use EAP-chaining and Azure AD groups. |
|
|
An error is displayed while launching the Log Analytics page. |
|
|
Cisco ISE authorization profile displays the wrong security group and VN value. |
|
|
After the Import button is clicked, the .csv file shouldn’t be selected and the Import button shouldn't work. |
|
|
Cisco ISE should perform a NSLookup again when FQDN is the token server. |
|
|
SXP creates inconsistent mapping between IP address and SGT. |
|
|
The first name and last name fields in Network Access User doesn't allow for "'OR" in the names. |
|
|
Cisco ISE limits connection to AMP - AMQP service to TLSv1.0. |
|
|
Unable to disable SHA1 for ports associated with Passive ID agents. |
|
|
Unable to change the admin password if it contains "$" in Cisco ISE Release 3.1 Patch 7. |
|
|
The filter field 'name' isn’t supported for downloadable ACLs through Cisco ISE ERS APIs. |
|
|
Issues seen when the COA retry count is updated to "0". |
|
|
TCP socket exhaustion. |
|
|
Assigned logical profile is repeated in the endpoint attributes and reports on the Context Visibility page. |
|
|
Evaluation of Open VM tools CVE-2023-20900. |
|
|
Unable to create a new internal user and the error "couldn’t execute statement; SQL [n/a]; constraint [CEPM.BKUPSLASTAUTHTIMEENTRY]" is displayed on the Cisco ISE GUI. |
|
|
Evaluation of TACACS deployment with zero days won’t work following smart licensing registration. |
|
|
Extra pop-up screen appears while viewing the RADIUS and TACACS key after enabling "Require Admin password" to view sensitive data. |
|
|
IP access list control in Cisco ISE Release 3.2 isn’t visible. |
|
|
The Cisco ISE admin isn’t alerted about incorrect engineID format in snmp-server host during SNMPv3 configuration. |
|
|
Cisco ISE Release 3.2 couldn’t find selected authorization profiles. |
|
|
Errors encountered while editing AnyConnect configurations and Posture agent profiles. |
|
|
0.0.0.0 default static routes configured on all interfaces are deleted post Cisco ISE reload. |
|
|
Duplicating network devices recreate the devices without RADIUS settings in Cisco ISE Release 3.3 Patch 2. |
|
|
In pxGrid Direct, if the user data information is stored in nested objects within the data array, Cisco ISE is unable to them and it won’t be visible in the pxGrid Direct Connector information in the Context Visibility page. |
|
|
Custom attribute failure seen in Cisco ISE Release 3.1 Patch 7. |
|
|
Cisco ISE on AWS doesn't work if Metadata (IMDS) version value "V2 only" selected. |
|
|
Static IPV6 routes are removed after a reload in Cisco ISE Release 3.2. |
|
|
Cisco ISE Release 3.3 can’t switch the administration certificate role. |
|
|
The user custom attributes are stuck in the rendering stage. |
|
|
Manually deleting the static routes cause Cisco ISE to send packets with wrong MAC addresses in Cisco ISE Release 3.0 Patch 7. |
|
|
In Cisco ISE Release 3.2 and later releases, conditions from Condition Studio has a default disabled icon in the information pop-up. |
|
|
Cisco ISE SAML ID provider configuration attributes are deleted even when they are referenced elsewhere. |
|
|
Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability. |
|
|
PEAP and EAP-TLS don't work on FIPS mode in Cisco ISE Release 3.2 Patch 3. |
|
|
Can’t edit or create admin user due to the error "xwt.widget.repeater.DataRepeater". |
|
|
IPv6 default route disappears from the routing table after modifying the IPv6 address. |
|
|
Cisco ISE isn’t sharing posture-compliant session properly over pxGrid. |
|
|
Cisco ISE context visibility doesn't validate static MAC entries if a separator like colon is omitted. |
|
|
Cisco ISE services are stuck in the initializing state with secure syslogs. |
|
|
Custom attributes used in the Never Purge rule are still purging the endpoints. |
|
|
Interrupting execution of "show tech-support" causes services to stop on Cisco ISE. |
|
|
Primary Guest Report shows duplicate entries of title when exported to an external repository. |
|
|
Cisco ISE AD Diagnostic Tool stops working upon upgrade and you can’t retrieve the list of available tests. |
|
| Cisco ISE incorrectly routes RADIUS Traffic when multiple static default routes are present. | |
|
Dedicated MnT nodes in Cisco ISE don’t replicate SMTP configuration. |
|
|
The script provided for creating endpoint group in the Cisco ISE REST API document is incorrect. |
|
|
Matching authorization profiles with SGT, VN name, and VLAN causes PRRT to crash. |
|
|
Expired guest accounts don't receive SMS when they try to reactivate their accounts. |
|
|
Stale lock files are blocking the API gateway and the Context Visibility page. |
|
|
Toggle to enable or disable RSA PSS cipher based on policies under Allowed Protocols. |
|
|
When a guest user connects for to Cisco ISE for the first time, Cisco ISE doesn’t update the ACS.Username field with the guest username. |
|
|
CRL download failure seen in Cisco ISE Release 3.2 Patch 3. |
|
|
The "Save" option under Advanced filters isn’t working for filtering Client Provisioning resources. |
|
|
Replication error "Error synchronizing object: EDF2EndPoint: Operation: Update" is displayed during replication in Cisco ISE. |
|
|
In Cisco ISE Release 3.1, the endpoints purging rule is automatically created after duplicating the My Devices portal in Cisco ISE BYOD configuration causing endpoints to be deleted from the Cisco ISE database after 30 days. |
|
|
The abandoned Jedis connections aren’t being sent back to the thread pool in Cisco ISE. |
|
|
Cisco ISE GUI packet captures that were taken from CLI can’t be deleted. |
|
|
Cisco ISE date of last purge has the wrong time stamp. |
|
|
Internal system error for posture is seen when premier license is disabled in Cisco ISE. |
|
|
Allow Launch program remediation to have a set order. |
|
|
Unsupported message codes 91092 and 91103, and respective alarms seen in syslogs. |
|
|
Cisco ISE Release 3.2 custom filters for TACACS reports don't work as expected. |
|
|
Deregistering a Cisco ISE node should verify whether the process has been initiated by the primary PAN. |
|
|
When configuring "TROUBLESHOOTING.EncryptionOffPeriod" advanced tuning with any nonzero value of minutes for decrypting the communication with Active Directory for troubleshooting, then RPC net logon fails for all Active Directory authentications on that Cisco ISE node. |
|
|
The numbering of DACL entries is off in Mozilla Firefox 45 and above. |
|
|
Hotpatches aren’t getting installed when both patches and hotpatches are in ZTP configuration. |
|
|
RADIUS server sequence configuration is corrupted. |
|
|
In Cisco ISE Release 3.2, the RMQ is sending outgoing RST packets with APIPA IP 169.254.2.2. |
|
|
Initial setup fails if the default gateway and configured IP address are on different subnets. |
|
|
Windows Agentless Posture isn’t working if the username starts with $ (dollar sign). |
|
|
In Cisco ISE Release 3.1, the Agentless Posture flows fail when the domain user is configured for endpoint login. |
|
|
Cisco ISE API doesn't recognize identity groups while creating user accounts. |
|
|
In Cisco ISE Release 2.6, it’s impossible to create static IP-SGT mapping for EPGs imported from ACI. |
|
|
In Cisco ISE 3.x releases, Interactive Help throws an error in the console and logs. |
|
|
The portal name and results filters aren’t working in the Primary Guest report. |
|
|
CRL retrieval is failing. |
|
|
Unable to use the advanced filter in Cisco ISE Release 3.2 for "Empty" and "Not Empty" filters. |
|
|
Cisco ISE Release 3.3 on Cloud (Azure, AWS, OCI) isn’t reading disk size properly and always defaults to 300 GB. |
|
|
Failure due to case-sensitive check when new mobile device managers are created with the same name but with a different case. |
|
|
Get-All Guest User API isn’t retrieving all the guest accounts. |
|
|
All network device groups are deleted after a child item is removed from any group. |
|
|
After restoring a configuration backup, you must reconfigure the repository with new credentials. |
|
|
Validation is missing on the Cisco ISE server. |
|
|
No alarm is generated for a failed scheduled backup. |
|
|
Invalid IP or hostname error is displayed when using "_" as the first character in the NSLookup request. |
|
|
Evaluation Period Expired alarm is observed when the SLR license is out of compliance due to overconsumption. |
|
|
The AD connector in not joined status update. |
|
|
Korean support issue on Context Visibility page. |
|
|
Only superadmin users can edit or delete endpoints when Cisco ISE has more than 1000 identity groups. |
|
|
Guest accounts can’t be seen by sponsors in a specific sponsor group. |
|
|
When the PassiveID syslog is received by the MnT before the Active Authentication syslog, session integration isn’t happening in Cisco ISE. |
|
|
NA PRRT needs to be decoupled from logging using the main thread pool. |
|
|
The ise-messaging.log not visible for download on the Cisco ISE GUI. |
|
|
The warning "Configuration Missing" is seen when navigating to the Log Analytics page. |
|
|
When nonmandatory attributes aren’t included in the body of Update PUT requests, their values are reset to empty or the default value. |
|
|
Vulnerabilities in OpenSSL 1.0.2o. |
|
|
Wild-card certificate imported on primary PAN isn’t replicated to other nodes in deployment. |
|
|
Cisco ISE Release 2.7 Patch 6 is unable to filter NAD IP by IP address. |
|
|
Profiling isn’t processing the Calling Station ID values that are in the format "XXXXXXXXXXXX". |
|
|
PSN node crashed during assignment of CPMSessionID. |
|
|
The Cisco ISE GUI is showing the HTML Hexadecimal code for the characters in the command set. |
|
|
Cisco Identity Services Engine Server-Side Request Forgery Vulnerability. |
|
|
Export of all network devices gives an empty file in Cisco ISE. |
|
|
RBAC policy with custom permissions is working when the administration menu is hidden. |
|
|
Both agentprobeoom.sh & restprobeoom.sh need to clean up their own OOM Heap files to optimize Cisco ISE database usage. |
|
|
Cisco-av-pair throws an error when using % for PSK. |
|
|
Endpoint .csv file import displays the error "No file chosen" after selecting the file. |
|
|
Garbage collector logs, thread dump, and HEAP dump are missing from the support bundle. |
|
|
Operational backups from the Cisco ISE GUI fail with the following status: "Backup Failed; copy to repository failed". |
|
|
Cisco ISE maximum session counter time limit isn’t working. |
|
|
The API ers/config/sessionservicenode is returning the incorrect total. |
|
|
Unable to log in to the secondary admin node's Cisco ISE GUI using AD credentials. |
|
|
pxGrid Direct service is stuck in the initializing state because the lock file isn’t removed. |
|
|
Using an apostrophe in the First Name and Last name fields displays an invalid name error. |
|
|
Upgrade to Cisco ISE Release 3.2 with LSD disabled before the upgrade workflow is causing a profiler exception. |
|
|
In Cisco ISE Release 3.2 Patch 3, the adapter log information remains constant. |
|
|
While using the SMS HTTP method as the SMS gateway the attribute name in the SMS HTTP URL causes problems. |
|
|
The DumpClearOnExceed files are using excessive disk space on the Cisco ISE PSN nodes. |
|
|
Addition of the "Disable EDR Internet Check" tag is a feature enhancement. |
|
|
Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability. |
|
|
Addition of a mechanism to fetch user data for pxGrid connectors. |
|
|
The GCMP256 authorization with the SHA384withRSA4096 certificate, a requirement in Android 12 for authorization, is failing the authorization process. |
|
|
Verify the existence of per-user DACL on Cisco ISE configurations in Cisco ISE Release 3.2. |
|
| Cisco ISE-PIC license expiration alarms. | |
|
Exporting a report for a time period of over one month provides a report with no data. |
|
|
HS_err files are being generated on the MnT nodes. |
|
|
Cisco ISE is constantly requesting internal super admin users in response to external RADIUS token servers. |
|
|
A COA port-bounce must take place when an ANC policy with PORT_BOUNCE is removed. |
|
|
Operational data purging only shows the name of the primary monitoring node. |
|
|
After performing a reset configuration with the FQDN value, a mismatch occurs between the GUI and the CLI. |
|
|
Cisco ISE AD connector fails during a join operation. |
|
|
There are changes to the hostname during printing on the CLI. |
|
|
The debug profile isn’t removed when the "reset to default" option is used in the debug log configuration. |
|
|
Old Cisco ISE nodes are shown in the TCP dump and debug profile configuration after a restore operation. |
|
|
Cisco ISE Release 3.2 is sending outgoing RST packets with APIPA IP 169.254.4.x. |
|
|
Cisco ISE PSN crashes when maximum number of users are a part of the user session authentication flow using TACACS. |
|
|
Authorization based on internal user ID group is failing without the RADIUS-token authorization for VPN. |
|
|
Corruption in the Cisco ISE portal due to inconsistencies in the database. |
|
|
Cisco ISE is sending misleading messages when it’s unable to send an email to a guest after sponsor approval. |
|
|
Cisco ISE is stuck in a profiling loop, slowing down replication, and causing errors. |
|
|
TLS 1.0 or TLS 1.1 is accepted in the admin portal of Cisco ISE Release 3.0. |
|
|
Unable to edit or delete authorization profiles which have parentheses in their names. |
|
|
Compress restprobe-OOMHeap dumps. |
|
|
ANC remediation isn’t functioning properly with AnyConnect VPN. |
|
|
Cisco ISE allows a policy to be saved even when the corresponding ID store is deleted from another browser tab. |
|
|
Cores related to jstack can be observed on the primary PAN nodes in a regression setup. |
|
|
AD connector process doesn’t shut down. |
|
|
You can’t set the value of the preferred domain controllers registry during advanced tuning. |
|
|
Threads get blocked on primary PAN if the port 1521 isn’t available. |
|
|
The endpoint details in the pxGrid Endpoints page are incorrect. |
|
|
Read-only permissions provided for Cisco ISE admin access during SAML authentication. |
|
|
COA is triggered using a Guest Flow when Cisco Catalyst Center or Endpoint Analytics dictionary attributes are updated on Cisco ISE. |
|
|
The deleted MDM server is still listed in the allowed values under MDMServerName attribute. |
|
|
The erl_crash.dump must be handled in a better way. |
|
|
MAR cache replication fails between peer nodes for both NIC and Non-NIC bonding interfaces. |
|
|
Unable to update the profiling settings as the PriorityType is mandated. |
|
|
Posture feed update error is incorrect when there’s a problem with the proxy. |
|
|
Cisco ISE ERS Guest documentation should be updated to exclude the Portal ID from GET calls. |
|
|
Endpoint import fails for RBAC when Azure SAML is used for administration access. |
|
|
The TCP Dump diagnostic tool doesn’t allow for simultaneous multiple interface captures on a node. |
|
|
Problems seen with Cisco ISE CLI access as it fails to connect to the server. |
|
|
Live log events 5422 and 5434 don’t show any data in the Authentication and Authorization columns. |
|
|
Unable to enforce the IdentityAccesssRestricted attribute in the authorization policy. |
|
|
Cisco ISE shouldn’t allow a user to save the Allowed Protocols when no protocols have been checked. |
|
|
Lack of cross-origin HTTP security headers in Cisco ISE. |
|
|
Sponsor portal shows the wrong days of week information in the "Setting date" tab when using the Japanese GUI. |
|
|
Cisco ISE GUI pages aren’t loading properly with custom administration menu work center permissions. |
|
|
Cisco ISE can’t load corrupted NAD profiles causing authorization drops due to failure reasons 11007 and 15022. |
|
|
In Cisco ISE Release 3.2, the subject line of the self-registration email truncates everything after the"=" sign on the Sponsor-Guest portal. |
|
|
Cisco ISE HSTS header vulnerability on port 8084. |
|
|
Cisco ISE can’t download Passive ID agent. |
|
|
Cisco ISE REST authorization service isn’t running due to an error in the IP tables. |
|
|
MDM configuration fails when the GUID in the client certificate is used to validate the compliance of the device. |
|
|
With the ADE-OS restore option, the Cisco ISE GUI and CLI aren’t accessible in Cisco ISE Release 3.2 Patch 1 and later releases. |
|
|
The debug elements repeat three or more times in the debug profile configuration in Cisco ISE Release 3.3. |
|
|
Accept client certificate without KU purpose validation as per CiscoSSL rules. |
|
|
The TrustSec deployment request fails as the CoA request gets stuck while fetching NAD information. |
|
|
Cisco ISE SXP Bindings API call returns 2x response when the call fails. |
|
|
The ea.log file must be included in the support bundle. |
|
|
In Cisco ISE Release 3.2 Patch 3 and Cisco ISE Release 3.3, the portals don’t initialize if "IPV6 is enable" is the only IPV6 command on the interface. |
|
|
MDM compliance check fails when there are multiple MAC addresses with VMware Workspace One as the mobile device management server. |
|
|
Nodes in Cisco ISE Release 3.2 running on Hyper-V are being assigned a DHCP address in addition to the static IP configured during the initial setup. |
|
|
SNMPD process causes memory leak on Cisco ISE. |
|
|
Agentless posture script is not running if the computer isn't connected to an AC power source. |
|
|
Recreating the undo-tablespace causes URT to fail in Cisco ISE Release 3.1 Patch 7. |
|
|
Policy export fails to export the policies in Cisco ISE Release 3.0 Patch 6. |
|
|
Unable to add multiple tasks within quotes "" in the launch program remediation. |
|
|
Cisco ISE Release 3.1 on AWS gives a false negative on the DNS check under health checks. |
|
|
Cisco ISE database only allows for 100 characters in the email field for a Sponsor account. |
|
|
In Cisco ISE Release 3.1, the services fail to start after restoring a backup from Cisco ISE Release 2.7. |
|
|
AD Credentials fail to integrate with Cisco ISE with 2.2.1.x and later releases. |
|
|
Cisco ISE includes a version of libcurl that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2023-27536,CVE-2023-27535,CVE-2023-27538. |
|
|
Cisco ISE isn’t sending SNMPv3 disk traps to configured SNMP servers. |
|
|
The endpoint probe doesn’t clean up SXP mappings. |
|
|
Maximum concurrent CLI sessions don’t work in Cisco ISE Release 3.4. |
|
|
Gig 0 always participates in the TCP handshake of the sponsor FQDN. |
|
|
RADIUS Authentication reports exported from the Operational Data Purging page are empty. |
|
|
Redirect URLs using FQDN that end with the IP address have the IP address replaced by the Cisco ISE hostname. |
|
|
Unable to delete existing devices in the My Device portal after restoring from Cisco ISE Release 2.7. |
|
|
Cisco ISE AD User SamAccountName parameter is null for user sessions in Cisco ISE Release 3.2 Patch 3. |
|
|
Cisco ISE DNS Resolvability Health Check fails due to a duplicated entry (IP, name, and FQDN). |
|
|
Methods used for retrieving policy details use the internal method and aren’t cached in Cisco ISE Release 3.1 Patch 6. |
|
|
Profiling isn’t suppressing CoA even if the option to suppress CoA for specific logical groups is enabled. |
|
|
The session information isn’t stored in the time session cache during third-party posture flows. |
|
|
Endpoint details in the Cisco ISE Context Visibility page don’t match with the RADIUS live logs or sessions during the MDM flow. |
|
|
Agentless posture fails for EAP-TLS flows with multiple domains configured for endpoints to log in. |
|
|
Unable to select hotspot portal if an existent or duplicated authorization profile is selected. |
|
|
The Cisco ISE Release 3.1 Patch 5 install stalls indefinitely. |
|
|
The Log Analytics page isn’t launching in Cisco ISE. |
|
|
Cisco ISE Release 3.3 can’t register new nodes to the deployment after an upgrade as the node exporter password isn’t found. |
|
|
Impact on the authentications that use Active Directory as the identity source. |
|
|
Updating the DACL doesn’t modify the last update timestamp in the Cisco ISE ERS API. |
|
|
Profiler is caching the MDM attributes with wrong values. |
|
|
Sponsor permissions are disabled on the sponsor portal when they are accessed from the primary PAN. |
|
|
In Cisco ISE Release 3.1 Patch 7, the removed device types can still be selected in the policy set. |
|
|
Changes in rank cause the authorization rule to be committed to the database table which triggers the save call from the G UI |
|
|
A critical error seen in Client Provisioning Portal customization. |
|
|
Cisco ISE authorization profiles don’t persist data with "Security Group" and "Reauthentication" common tasks. |
|
|
The Sysaux tablespace is full due to the growth size of the AUD$ table. |
|
|
Multiple entries of DockerMetric seen in reports in Cisco ISE Release 3.3. |
|
|
Cisco ISE - Intune MDM integration may be disrupted due to the end of support for MAC address-based APIs from Intune. |
|
|
In Cisco ISE Release 3.2, the order of the IP name-servers in the running configuration isn’t respected. |
|
|
Some VNs from the Author node aren’t synced to the Reader node. |
|
|
Endpoint description in the Context Visibility page is updated with the Static Identity Group description. |
|
|
In Cisco ISE Release 3.2, the guest user API gives incorrect results when the filter is used. |
|
|
Cisco ISE audit reports log APIPA addresses as the source of the API requests. |
|
|
In Cisco ISE Release 3.2 Patch 3, the CoA Disconnect call is sent instead of the CoA Push call during a Posture Assessment when the RSD is disabled. |
|
|
After the administration certificate change, Cisco ISE doesn’t restart the services if the Bond interface is configured. |
|
|
Cisco ISE Release 3.3 doesn't invoke MFA for the user with UPN (User Principle Name). |
|
|
Cisco ISE and CVE-2023-24998. |
|
|
An error with custom attribute special characters in Cisco ISE. |
|
|
The Cisco ISE default portal is deleted from the database and is needed for SAML configuration. |
|
|
Observing the Insufficient Virtual Machine Resource alarm in Cisco ISE Release 3.1 Patch 8. |
|
|
No report or alarm is triggered for changes in the Device Administration settings. |
|
|
IP or SXP mappings aren’t created for VPN clients. |
|
|
REST authorization services won’t be enabled when hosts have multiple entries. |
|
|
Cisco ISE Self-Persistent Cross-Site Scripting (XSS) is seen in My Reports. |
|
|
Primary PAN REST calls to MnT nodes for live logs and reports aren’t loaded balanced. |
|
|
Cisco ISE to evaluate OpenSSH CVE-2024-6387. |
|
|
Cisco ISE allows duplicate interface IP addresses. |
|
|
Cisco ISE messaging certificate generation doesn’t replicate the full certificate chain on secondary nodes. |
|
|
Running the URT shows cosmetic warnings or errors. |
|
|
The DumpClearOnExceed files can be seen by using the "dir" command in the Cisco ISE CLI. |
|
|
Backups triggered rom the Cisco ISE GUI have errors saying that backups were triggered from the CLI. |
|
|
Smart license registration failure with "communication send error" alarms triggered intermittently. |
|
|
Cisco ISE is changing the MAC address format according to the selected MAC address format even when it isn’t a MAC device. |
|
|
Cisco ISE monitoring GUI is stuck at the "Welcome to Grafana" page. |
|
|
The main thread pool in Cisco ISE is stuck due to the ACE third-party library ContextIn leak. |
|
|
The detailed Live Log page isn’t loading for the TACACS+ authorization flow. |
|
|
SAML Provider can’t be added in Cisco ISE Release 3.2 and later releases. |
|
|
Unable to save changes in the patch management condition. |
|
|
Cisco ISE doesn’t use the license during authorization. |
|
|
The "Enable Password" of the internal users is created even when it’s specified through ERS API. |
|
|
The System Certificate Import doesn’t work for Cisco ISE nodes in a deployment in Cisco ISE Release 3.2. |
Open Caveats
Open Caveats in Cisco ISE Release 3.4 - Cumulative Patch 1
The following table lists the open caveats in Cisco ISE Release 3.4 Patch 1.
|
Caveat ID Number |
Description |
|---|---|
|
When configuring an AWS workload connector, only public and private IPv4 addresses are detected, while IPv6 addresses are not recognized. |
|
|
If you use a workload connector in a workload classification rule as the source attribute with "Contains" operator, you can not delete the connector. |
|
|
After rolling back to version Cisco ISE Release 3.4 Patch 1, only session data is being published, while SXP data is not. |
|
|
The configuration drift alarm message is not appearing on the dashboard following the bulk deletion of Endpoint Groups (EPGs) in the destination ACI. |
|
|
pxGrid Direct sync now is taking more time than baseline and is also causing memory issues. |
|
|
SXP nodes need to be deregistered from deployment and ACI connection should be reconnected when ACI connections are suspended. |
|
|
When importing SGTs, the process overwrites existing names instead of failing for those created by ACI. |
|
|
The "Contains" filter is taking too long to save when applied to large-scale data. |
|
|
In CDP or CSDAC, partial search for IPv6 address has issues on SGT Bindings page. |
|
|
SGTs from default classification page gets appended to the bindings from other rules. |
|
|
In CDP or CSDAC, Secondary Security Group filter does not work in SGT Bindings page. |
|
|
In Log Analytics, error comes in Radius Step latency dashboard. |
|
|
Default classification rule is not created on PSN's Database. |
|
|
In Cisco ISE Release 3.3 Patch 2, multi-factor authentication is not working with MSCHAPv2. |
|
|
After rolling back to Cisco ISE Release 3.4 Patch 1 in an upgraded setup, the legacy patch page fails to load. |
|
|
In CDP, IPv6 prefix is not getting removed after performing "Purge Endpoint" operation in outbound filter. |
|
|
CRL information download through proxy fails. |
Open Caveats in Cisco ISE Release 3.4
The following table lists the open caveats in Release 3.4.
|
Caveat ID Number |
Description |
|---|---|
|
After upgrade, the MFC Profiler dashboard displays no data. |
|
|
SGTs are not deleted when an ACI connection is deleted. |
|
|
Duo MFA with VPN login does not work with MS-CHAP-v2. |
|
|
RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS). |
|
|
SXP bulk download missing entries after SXP node reload. |
|
|
Endpoints are not listed in the Context Visibility page, but they are listed in the Live Logs and Live Sessions pages, when a standalone node is assigned both PPAN and PSN personas. |
|
|
Page-level help for Inbound and Outbound SGT Domain Rules page is not working. |
|
|
Authorization fails if DACL is not found in the ISE configuration. |
|
|
The following error is received under Administration > Identity Management > External Identity Sources > SAML Id Providers: |
|
|
Data Upgrade and Restore from Cisco ISE 3.3 to 3.4 fails if the username suffix is not configured in the REST ID store. |
|
|
After exporting network devices from the Cisco ISE GUI, the values under Network Device Groups in the CSV file are different from the values in the Cisco ISE GUI. |
|
|
With the Bring Your Own Device (BYOD) workflow on MacOS 15.1 Beta 2, when you download the Cisco Network Setup Assistant application and try to open it, the following error is generated: |
|
|
Getting '500 internal error' when sending ISE 9060/ers/config/endpoint/{MAC address}/releaserejectedendpoint. |
Known Limitations in Cisco ISE Release 3.4 - Cumulative Patch 1
Usage of IPv6 addresses in ACI connections
You must suspend the ACI connections before installing Cisco ISE Release 3.4 Patch 1 to ensure that the IPv6 addresses are maintained in the same format across the integrations.
Patch rollback flow with newly supported operators
From Cisco ISE Release 3.4 Patch 1, IP Equals, IP Not Equals, In, Not In, Contains, and Not Contains operators are supported for workload classification rules and inbound SGT domain rules. When you use the Patch Rollback option for Cisco ISE Release 3.4 Patch 1, the workload classification rules and inbound SGT domain rules that contain these operators will be deleted during the patch rollback flow, because these operators are not supported in Cisco ISE Release 3.4.
Additional References
See Cisco ISE End-User Resources for additional resources that you can use when working with Cisco ISE.
Communications, Services, and Additional Information
-
To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
-
To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
-
To submit a service request, visit Cisco Support.
-
To discover and browse secure, validated enterprise-class apps, products, solutions, and services, visit Cisco DevNet.
-
To obtain general networking, training, and certification titles, visit Cisco Press.
-
To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Cisco Bug Search Tool
Cisco Bug Search Tool (BST) is a gateway to the Cisco bug-tracking system, which maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. The BST provides you with detailed defect information about your products and software.
Documentation Feedback
To provide feedback about Cisco technical documentation, use the feedback form available in the right pane of every online document.
Feedback