Introduction to Cisco Identity Services Engine
Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, wireless controllers, Virtual Private Network (VPN) gateways, Private 5G networks, and data center switches. Cisco ISE acts as the policy manager in the Cisco Group Based Policy solution and supports TrustSec software-defined segmentation.
Cisco ISE is available on Cisco Secure Network Server appliances with different performance characterizations, virtual machines (VMs), and on the public cloud.
Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services where needed in a network, but operate the Cisco ISE deployment as a complete and coordinated system.
For detailed Cisco ISE ordering and licensing information, see the Cisco Identity Services Engine Ordering Guide.
For information on monitoring and troubleshooting the system, see the "Monitoring and Troubleshooting Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.
New and Changed Features in Cisco ISE, Release 3.4
This section lists the new and changed features in Cisco ISE 3.4.
Automatic Log Bundle Generation On Upgrade
From Cisco ISE Release 3.4, a mini log bundle, which contains only debug logs specific to the upgrade, is generated automatically during the upgrade process. This log bundle is copied to the repository from where the upgrade was started and can be used to troubleshoot the upgrade in case of failure. Automatic log bundle generation is available for all three upgrade options in Cisco ISE - full upgrade, split upgrade, and upgrade using CLI.
For more information, see the chapter "Perform the Upgrade" in the Cisco Identity Services Engine Upgrade Guide, Release 3.4.
Backup Log Improvements from the Cisco ISE CLI
The backup-logs CLI command has now been updated to include all backup log options that are available on the Cisco ISE GUI such as core-files, date-from, date-to, db-logs, debug-logs, local-logs, mnt-report-logs, policy-cache-logs, policy-conf-logs, and system-logs. If no output options are included, all backup logs are generated.
For more information on this CLI command, see "backup-logs" in the chapter "Cisco ISE CLI Commands in EXEC Mode" in the Cisco ISE CLI Reference Guide, Release 3.4 .
Cisco ISE Resiliency Use Cases
From Cisco ISE Release 3.4, the Excessive RADIUS Network Device Communication and Excessive Endpoint Communication alarms have been added to maintain the resiliency of Cisco ISE. For more information, see "Cisco ISE Alarms" in the chapter "Troubleshoot" in the Cisco ISE Administrator Guide, Release 3.4.
Certificate Authority Diagnostic Tool
To diagnose certificate management related issues, use the CA Diagnostic Tool option (option 37) in the application configure ise command. This tool suggests the possible reasons and remediations for the identified issues, helps to fix the issues, and provides related logs for troubleshooting.
For more information, see "Diagnose Certificate Management Related Issues" in the "Cisco ISE CLI Commands in EXEC Mode" chapter in the Cisco Identity Services Engine CLI Reference Guide, Release 3.4.
Create a URL Pusher pxGrid Direct Connector Type
You can create a pxGrid Direct connector using the Cisco ISE GUI and OpenAPI (REST API). From Cisco ISE Release 3.4, you can choose between a URL Fetcher pxGrid Direct connector type or a URL Pusher pxGrid Direct connector type. You can use the URL Pusher pxGrid Direct connector to push JSON data into the Cisco ISE database using pxGrid Direct Push APIs. You can use the URL Pusher pxGrid Direct connector type to push data without a server or a CMDB. This data remains in the Cisco ISE database and can be used in the authorization policy.
For more information, see "Create a URL Pusher Connector Type" in the "Asset Visibility" chapter in the Cisco ISE Administrator Guide, Release 3.4 and the Cisco ISE API Reference Guide.
pxGrid Direct Support for Arrays in Dictionary Groups for Authorization Policy
From Cisco ISE Release 3.4, you can also use pxGrid Direct Connector data with arrays as dictionary attributes to configure an authorization policy. The operators “Contains” or “Matches” (in case of REGEX) must be used while configuring the policy. The operators ”Equals” and “In” will not work when there are arrays. Multiple attributes can be nested using "AND" or "OR" conditions. For more information, see "Authorization Policies" in the chapter "Segmentation" in the Cisco ISE Administrator Guide, Release 3.4.
On-Demand pxGrid Direct Data Synchronization using Sync Now
You can use the Sync Now feature to perform on-demand synchronization of data for pxGrid Direct URL Fetcher connectors. You can perform both full and incremental syncs on-demand. On-demand data synchronization can be performed through the Cisco ISE GUI or using OpenAPI.
For more information, see "On-demand pxGrid Direct Data Synchronization using Sync Now" in the "Asset Visibility" chapter in the Cisco ISE Administrator Guide, Release 3.4.
Configure Virtual Tunnel Interfaces (VTI) with Native IPsec
From Cisco ISE Release 3.4, you can configure VTIs using the native IPsec configuration. You can use native IPsec to establish security associations between Cisco ISE PSNs and NADs across an IPsec tunnel using IKEv1 and IKEv2 protocols. The native IPsec configuration ensures that Cisco ISE is FIPS 140-3 compliant. For more information, see "Configure Native IPsec on Cisco ISE" in the "Secure Access" chapter in the Cisco ISE Administrator Guide, Release 3.4.
Debug Log Settings
You can configure the maximum file size and the maximum number of files allowed for each debug log component. You can view the current disk space usage and the estimated space usage based on the values set for Max File Size and File Count in the Debug Level Configuration page. You can also specify the date and time after which these values must be reset to default.
For more information, see "Configure Debug Log Settings" in the chapter "Troubleshoot" in the Cisco ISE Administration Guide, Release 3.4.
Enhanced Password Security
Cisco ISE now improves password security through the following enhancements:
-
You can choose to hide the Show button for the following field values, to prevent them from being viewed in plaintext during editing:
Under Network Devices,
-
RADIUS Shared Secret
-
Radius Second Shared Secret
Under Native IPsec,
-
Pre-shared Key
To do this, choose and uncheck the Show Password in Plaintext checkbox.
For more information, see "Configure Security Settings" in the chapter "Segmentation" in the Cisco ISE Administrator Guide, Release 3.4.
-
-
To prevent the RADIUS Shared Secret and Second Shared Secret from being viewed in plaintext during network device import and export, a new column with the header PasswordEncrypted:Boolean(true|false) has been added to the Network Devices Import Template Format. No field value is required for this column.
If you are importing network devices from Cisco ISE Release 3.3 Patch 1 or earlier releases, you must add a new column with this header to the right of the Authentication:Shared Secret:String(128) column, before import. If you do not add this column, an error message is displayed, and you will not be able to import the file. Network devices with encrypted passwords will be rejected if a valid key to decrypt the password is not provided during import.
For more information, see the table in "Network Devices Import Template Format" in the chapter "Secure Access" in the Cisco ISE Administrator Guide, Release 3.4.
Enforcing Domain Controller Selection With Priority
You can now choose to override Cisco ISE's selection of domain controllers in case of a preferred domain controller failover. To do this, choose . Enter the REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\PreferredDcAndGc\Priority\Enabled registry key in the Name field and 1 in the Value field. This ensures that in the case of a domain controller failover, Cisco ISE overrides the existing priority values and selects the next domain controller in the preferred list in the order of input from left to right. The value of this registry key is set to 0 by default.
When the REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\PreferredDcAndGc\Priority\Enabled registry key is enabled, you can also choose to set the failback interval (in seconds). The failback interval value can be between 60 and 86400. The default failback interval is 180 seconds.
 Note |
This feature works only for direct domains that the domain controllers were configured on, and not for trust relationship domains. |
For more information, see “Active Directory Advanced Tuning” in the Chapter “Asset Visibility” in the Cisco Identity Services Engine Administrator Guide, Release 3.4.
GUI Enhancements in Cisco ISE Release 3.4
In Cisco ISE Release 3.4, the Cisco ISE GUI has the following enhancements to make the user experience more intuitive.
-
Single Click Access to Endpoint Information
Objects in the Context Visibility page, such as the attribute details of endpoints in the Cisco ISE GUI, now have detailed information available to users with a single click.
All endpoint attributes now appear on a single tab for ease-of-use and better visibility.
You can click:
-
the MAC address of an endpoint to view all endpoint attributes on a single page.
-
the See full detail option on the top right corner of this page to view all endpoint details in a new browser tab, which you can also share.
-
the link icon next to the MAC address of an endpoint to open a full-page view of all endpoint details.
The following pages have been updated to include these enhancements:
-
.
-
.
-
.
-
.
-
.
-
-
Retention of user preferences for column displays: When you change the column display of a table (adjust column width, hide or show columns, reorder columns, and so on) in the Cisco ISE GUI, your preferences are retained.
Hotpatch Details Added to Show Version Command
The show version CLI command now includes hotpatch details, if any, for a specific Cisco ISE release. For more information, see "show version" in the Chapter "Cisco ISE CLI Commands in EXEC Show Mode" in the Cisco ISE CLI Reference Guide, Release 3.4.
To view hotpatch details on the Cisco ISE GUI, click the 
icon and choose About ISE and Server.
Localized ISE Installation
While reinstalling Cisco ISE, you can use the Localized ISE Install option (option 25) in the application configure ise command to reduce the installation time. Though this option can be used for both Cisco Secure Network Server and virtual appliances, it significantly reduces the reinstallation time for Cisco Secure Network Servers.
For more information, see "Localized ISE Installation" in the Chapter "Cisco ISE CLI Commands in EXEC Mode" in the Cisco Identity Services Engine CLI Reference Guide, Release 3.4.
New Session Directory topic available using pxGrid
You can subscribe to the Session Directory All topic using pxGrid. The sessionTopicAll is similar to the existing sessionTopic (which continues to be supported), with one key difference. The sessionTopicAll also publishes events for sessions without IP addresses. For more information, see the pxGrid API Guide.
Opening TAC Support Cases in Cisco ISE
From Cisco ISE Release 3.4, you can open TAC support cases for Cisco ISE directly from the Cisco ISE GUI.
For more information, see "Open TAC Support Cases" in the chapter "Troubleshoot" in Cisco ISE Administrator Guide, Release 3.4.
Option to Add Identity Sync After Creating Duo Connection
If you do not want to configure user data synchronization between Active Directory and Duo while creating a Duo connection, click Skip in the Identity Sync page. You will be taken to the Summary page directly.
After you create a Duo connection, you can add identity sync configurations at any time.
For more information, see "Integrate Cisco Duo With Cisco ISE for Multifactor AuthenticationIntegrate Cisco Duo With Cisco ISE for Multifactor Authentication" in the Chapter "Segmentation" in the Cisco Identity Services Engine Administrator Guide, Release 3.4.
PAC-less RADIUS Communication For TrustSec Integrations
From Cisco ISE Release 3.4, Cisco ISE supports PAC-less RADIUS communication for TrustSec integrations. This PAC-less enforcement replaces PAC-based RADIUS authentications wherever supported and is enforced through a shared secret ensuring secure communication between Cisco ISE and the TrustSec device. This feature does not require configuration changes in Cisco ISE. The network devices in the deployment may require a change in configuration. PAC-less RADIUS communication is only supported on network devices with IOS-XE version 17.15.1 or higher.
Per-user Dynamic Access Control List Behavior Change
While evaluating authorization profiles with per-user dynamic access control lists (DACLs), if a DACL does not exist in Cisco ISE configuration, authorization will fail, and Cisco ISE will send an Access-Reject response to that user. You can view this information in the Live Log Details page and the AAA Diagnostics report. From Cisco ISE Release 3.4 onwards, an authorization failure alarm is also displayed in the Alarms dashlet in the Cisco ISE dashboard.
For more information, see "Downloadable ACLs" in the "Segmentation" chapter in the Cisco ISE Administrator Guide, Release 3.4.
pxGrid Filtering
From Cisco ISE Release 3.4, pxGrid supports filtering of information based on the specific requirements of the clients. The pxGrid filtering feature enables clients to only receive relevant information from the publisher on a per-subscription basis. The filtering of information is achieved using the filtering API on the pxGrid server. For more information, see "pxGrid Filtering" in the Chapter "Cisco pxGrid" in Cisco ISE Administrator Guide, Release 3.4.
RADIUS Suppression and Reports Enhancement
From Cisco ISE Release 3.4, the RADIUS suppression and reports feature has been enhanced to faciliatite easier RADIUS () configurations. For more information, see "RADIUS Settings" in the chapter "Segmentation" in the Cisco ISE Administrator Guide, Release 3.4.
Support for Multiple Cisco Application Centric Infrastructure Connectors
Cisco ISE enables you to create and enforce consistent access policies across multiple domains. Cisco ISE can share the SGTs and SGT bindings with Cisco Application Centric Infrastructure (Cisco ACI). Cisco ISE can also learn the endpoint groups (EPGs), endpoint security groups (ESGs), and endpoint information from Cisco ACI. You can add multiple Cisco ACI connections to Cisco ISE.
You can configure rules to manage the learned context in Cisco ISE and to optimize the context flows between Cisco ISE and Cisco ACI connectors.
Cisco ISE supports Cisco ACI Multi-Tenant, and Multi-Virtual Routing and Forwarding deployments. You can define multi-fabrics through multiple connections. This integration supports multi-pod and individual Cisco ACI fabrics.
For more information, see "Connect Cisco Application Centric Infrastructure with Cisco ISE" in the Chapter "Segmentation" in the Cisco ISE Administration Guide, Release 3.4.
Note |
Support for multiple Cisco Application Infrastructure (Cisco ACI) connectors is a controlled introduction (Beta) feature. We recommend that you thoroughly test this feature in a test environment before using it in a production environment. For best use of this Beta feature, install this hot patch. |
TLS 1.3 Support for Cisco ISE Workflows
Cisco ISE Release 3.4 allows TLS 1.3 to communicate with peers for the following workflows:
-
Cisco ISE is configured as an EAP-TLS server
-
Cisco ISE is configured as a TEAP server
Attention
TLS 1.3 support for Cisco ISE configured as a TEAP server has been tested under internal test conditions because at the time of Cisco ISE Release 3.4, TEAP with TLS 1.3 is not supported by any available client OS.
-
Cisco ISE is configured as a secure TCP syslog client
Note |
For Cisco ISE Release 3.4, the Manually Configure Ciphers List option is not supported for TLS 1.3. |
For more information, see "Configure Security Settings" in the Chapter "Segmentation" in the Cisco Identity Services Engine Administrator Guide, Release 3.4.
Deprecated Features
End of Support for Legacy IPsec (ESR)
From Cisco ISE Release 3.4, Legacy IPsec (ESR) is not supported on Cisco ISE. All IPsec configurations on Cisco ISE will be Native IPsec configurations. We recommend that you migrate to native IPsec from legacy IPsec (ESR) before upgrading to Cisco ISE Release to avoid any loss of tunnel and tunnel configurations. For more information, see "Migrate from Legacy IPsec to Native IPsec on Cisco ISE" in the chapter "Secure Access" in the Cisco ISE Administrator Guide.
Support for Transport Gateway Removed
Cisco ISE no longer supports Transport Gateway. The following Cisco ISE features used Transport Gateway as a connection method:
-
Cisco ISE Smart Licensing
If you use Transport Gateway as the connection method in your smart licensing configuration, you must edit the setting before you upgrade to Cisco ISE Release 3.4. You must choose a different connection method as Cisco ISE Release 3.4 does not support Transport Gateway. If you upgrade to Cisco ISE Release 3.4 without updating the connection method, your smart licensing configuration is automatically updated to use the Direct HTTPS connection method during the upgrade process. You can change the connection method at any time after the upgrade.
-
Cisco ISE Telemetry
Transport Gateway is no longer available as a connection method when using Cisco ISE Telemetry. The telemetry workflow is not impacted by this change.
GUI Deprecations
The following pages have been removed from the Cisco ISE GUI in Cisco ISE Release 3.4:
-
Location Services ().
-
NAC Managers ().
System Requirements
For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.
For more details on hardware platforms and installation of this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.
Supported Hardware
Cisco ISE 3.4 can be installed on the following Secure Network Server (SNS) hardware platforms:
|
Hardware Platform |
Configuration |
|---|---|
|
Cisco SNS-3615-K9 (small) |
For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide. |
|
Cisco SNS-3655-K9 (medium) |
|
|
Cisco SNS-3695-K9 (large) |
|
|
Cisco SNS-3715-K9 (small) |
|
|
Cisco SNS-3755-K9 (medium) |
|
|
Cisco SNS-3795-K9 (large) |
Cisco SNS 3595 is not supported for Cisco ISE 3.3 and later releases. For more information, see End-of-Life and End-of-Sale Notices.
Supported Virtual Environments
Cisco ISE supports the following virtual environment platforms:
-
For Cisco ISE Release 3.0 and later releases, we recommend that you update to VMware ESXi 7.0.3 or later releases. Cisco ISE Release 3.3 is the last release to support VMware ESXi 6.7.
In the case of vTPM devices, you must upgrade to VMware ESXi 7.0.3 or later releases.
-
OVA templates: VMware version 14 or later on ESXi 7.0, and ESXi 8.0.
-
ISO file supports ESXi 7.0, and ESXi 8.0.
You can deploy Cisco ISE on VMware cloud solutions on the following public cloud platforms:
-
VMware cloud in Amazon Web Services (AWS): Host Cisco ISE on a software-defined data center provided by VMware Cloud on AWS.
-
Azure VMware Solution: Azure VMware Solution runs VMware workloads natively on Microsoft Azure. You can host Cisco ISE as a VMware virtual machine.
-
Google Cloud VMware Engine: Google Cloud VMware Engine runs software defined data center by VMware on the Google Cloud. You can host Cisco ISE as a VMware virtual machine on the software-defined data center provided by the VMware Engine.
Note
From Cisco ISE 3.1, you can use the VMware migration feature to migrate virtual machine (VM) instances (running any persona) between hosts. Cisco ISE supports both hot and cold migration. Hot migration is also called live migration or vMotion. Cisco ISE need not be shut down or powered off during the hot migration. You can migrate the Cisco ISE VM without any interruption in its availability.
-
-
Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later
-
KVM on QEMU 2.12.0-99
Note
Cisco ISE cannot be installed on OpenStack.
-
Nutanix AHV 20220304.392
You can deploy Cisco ISE natively on the following public cloud platforms:
-
Amazon Web Services (AWS)
-
Microsoft Azure Cloud
-
Oracle Cloud Infrastructure (OCI)
For information about the virtual machine requirements, see the Cisco Identity Services Engine Installation Guide for your version of Cisco ISE.
Validated Browsers
Cisco ISE 3.4 is supported on the following browsers:
-
Mozilla Firefox versions 123, 124, 125, 127, and later
-
Google Chrome versions 122, 123, 124, and later
-
Microsoft Edge versions 123, 124, 125, and later
-
Safari 18.0
Note |
Currently, you cannot access the Cisco ISE GUI on mobile devices. |
Validated External Identity Sources
Note |
The supported Active Directory versions are the same for both Cisco ISE and Cisco ISE-PIC. |
|
External Identity Source |
Version |
|---|---|
|
Active Directory |
|
|
Microsoft Windows Active Directory 2012 |
Windows Server 2012 |
|
Microsoft Windows Active Directory 2012 R2 1 |
Windows Server 2012 R2 |
|
Microsoft Windows Active Directory 2016 |
Windows Server 2016 |
|
Microsoft Windows Active Directory 2019 |
Windows Server 2019 |
|
Microsoft Windows Active Directory 2022 |
Windows Server 2022 with Patch Windows10.0-KB5025230-x64-V1.006.msu |
|
Microsoft Windows Active Directory 2025 |
Windows Server 2025 |
|
LDAP Servers |
|
|
SunONE LDAP Directory Server |
Version 5.2 |
|
OpenLDAP Directory Server |
Version 2.4.23 |
|
Any LDAP v3-compliant server |
Any version that is LDAP v3 compliant |
|
AD as LDAP |
Windows Server 2022 with Patch Windows10.0-KB5025230-x64-V1.006.msu |
|
Token Servers |
|
|
RSA ACE/Server |
6.x series |
|
RSA Authentication Manager |
7.x and 8.x series |
|
Any RADIUS RFC 2865-compliant token server |
Any version that is RFC 2865 compliant |
|
Security Assertion Markup Language (SAML) Single Sign-On (SSO) |
|
|
Microsoft Azure MFA |
Latest |
|
Oracle Access Manager (OAM) |
Version 11.1.2.2.0 |
|
Oracle Identity Federation (OIF) |
Version 11.1.1.2.0 |
|
PingFederate Server |
Version 6.10.0.4 |
|
PingOne Cloud |
Latest |
|
Secure Auth |
8.1.1 |
|
Any SAMLv2-compliant Identity Provider |
Any Identity Provider version that is SAMLv2 compliant |
|
Open Database Connectivity (ODBC) Identity Source |
|
|
Microsoft SQL Server |
Microsoft SQL Server 2012 Microsoft SQL Server 2022 |
|
Oracle |
Enterprise Edition Release 12.1.0.2.0 |
|
PostgreSQL |
9.0 |
|
Sybase |
16.0 |
|
MySQL |
6.3 |
|
Social Login (for Guest User Accounts) |
|
|
|
Latest |
Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2. However, the new features in Microsoft Windows Active Directory 2012 R2, such as Protected User Groups, are not supported.
Supported Antivirus and Antimalware Products
For information about the antivirus and antimalware products supported by the Cisco ISE posture agent, see Cisco AnyConnect ISE Posture Support Charts.
Validated OpenSSL Version
Cisco ISE 3.4 is validated with OpenSSL 1.1.1t and Cisco SSL 7.3.265.
OpenSSL Update Requires CA:True in CA Certificates
For a certificate to be defined as a CA certificate, the certificate must contain the following property:
basicConstraints=CA:TRUE
This property is mandatory to comply with recent OpenSSL updates.
Install a New Patch
For instructions on how to apply the patch to your system, see the "Cisco ISE Software Patches" section in the Cisco Identity Services Engine Upgrade Journey.
For instructions on how to install a patch using the CLI, see the "Patch Install" section in the Cisco Identity Services Engine CLI Reference Guide.
Note |
If you installed a hot patch on your previous Cisco ISE release, you must roll back the hot patch before installing a patch. Otherwise, the services might not be started due to an integrity check security issue. |
Upgrade Information
Note |
Native cloud environments must use the Cisco ISE backup and restore method for upgrades. Upgrades cannot be performed on Cisco ISE nodes deployed in native cloud environments. You must deploy a new node with a newer version of Cisco ISE and restore the configuration of your older Cisco ISE deployment onto it. |
Upgrading to Release 3.4
You can directly upgrade to Release 3.4 from the following Cisco ISE releases:
-
3.1
-
3.2
-
3.3
If you are on a version earlier than Cisco ISE, Release 3.1, you must first upgrade to one of the releases listed above, and then upgrade to Release 3.4.
We recommend that you upgrade to the latest patch in the existing version before starting the upgrade.
Upgrade Packages
For information about upgrade packages and supported platforms, see Cisco ISE Software Download.
Upgrade Procedure Prerequisites
-
Run the Upgrade Readiness Tool (URT) before the upgrade to check whether the configured data can be upgraded to the required Cisco ISE version. Most upgrade failures occur because of data upgrade issues. The URT validates the data before the actual upgrade and reports the issues, if any. The URT can be downloaded from the Cisco ISE Download Software Center.
-
We recommend that you install all the relevant patches before beginning the upgrade.
For more information, see the Cisco Identity Services Engine Upgrade Guide.
Cisco ISE Integration with Cisco Catalyst Center
Cisco ISE can integrate with Cisco Catalyst Center. For information about configuring Cisco ISE to work with Catalyst Center, see the Cisco Catalyst Center documentation.
For information about Cisco ISE compatibility with Catalyst Center, see the Cisco SD-Access Compatibility Matrix.
Caveats
The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, use the Cisco Bug Search Tool (BST).
Note |
The Open Caveats sections list the open caveats that apply to the current release and might apply to releases earlier than Cisco ISE 3.4. A caveat that is open for an earlier release and is still unresolved applies to all future releases until it is resolved. |
Resolved Caveats in Cisco ISE Release 3.4
The resolved caveats in Cisco ISE Release 3.4, have parity with these Cisco ISE patch releases: 3.3 Patch 3, 3.2 Patch 6, and 3.1 Patch 9.
The following table lists the resolved caveats in Release 3.4.
|
Caveat ID Number |
Description |
|---|---|
|
The aging time of Cisco ISE Passive ID is always 1 hour regardless of the configuration. |
|
|
Cisco ISE Release 3.3: The automatically generated SNMPv3 engine ID is identical on all the nodes. The ID displayed is AKHGCM5MKGF. |
|
|
Account extension isn’t properly defined in the Sponsor-based Guest Portal. |
|
|
The Cisco ISE PAN is missing updates of nonsignificant attributes for endpoints from the Cisco ISE PSN. |
|
|
Cisco ISE CLI upgrade fails with the error "Internal error during command execution". |
|
|
Syslogs for Cisco ISE MnT purge events are incorrectly formatted. |
|
|
The Sponsor Portal displays the error "400 Bad Request" when you click the Contact Support option on the Cisco ISE GUI. |
|
|
Cisco ISE SNMP polling doesn’t work with privacy protocol AES 192 or AES 256. |
|
|
Adding the second NTP authentication key removes all authentication keys from the Cisco ISE GUI. |
|
|
If the Account Expiration notification has special characters, you can’t save the Guest Type. |
|
|
The MnT log processor service occasionally runs on other Cisco ISE admin nodes. |
|
|
In Cisco ISE Release 3.2, SNMP doesn’t work after a node restart. |
|
|
When posture lease is enabled, Cisco ISE PSN doesn’t update the database with the correct posture expiry time. |
|
|
Guest portal removal failure and integrity constraint in Cisco ISE Release 3.1 Patch 5. |
|
|
Removal of EPS from Cisco ISE code. |
|
|
TLS is restricted to use only a few ciphers in Cisco ISE Release 3.3, but the ports 8905, 9094, and 9095 use all TLS ciphers. |
|
|
Cisco ISE couldn’t find the selected authorization profile if the profile has been created using API. |
|
|
Strict transport security is incorrectly formed in Cisco ISE Release 3.2. |
|
|
NFS repository stops working suddenly on a single node in a distributed deployment in Cisco ISE Release 3.2. |
|
|
Listening noted on port TCP and 67 in Cisco ISE Release 3.2. |
|
|
Administrator login report displays the error "Administrator authentication failed" every five minutes in Cisco ISE Release 3.1. |
|
|
The pxGrid Databases Synchronization Test on Cisco ISE displays the error "Out of Sync". |
|
|
Unable to create a user with auth-password and priv-password equal to 40 characters in Cisco ISE Release 3.2 Patches 2 and 3. |
|
|
When using an LDAP connection to connect to AD, Cisco ISE can’t translate the value of AD attribute "msRASSavedFramedIPAddress" or "msRADIUSFramedIPAddress". |
|
|
The attributes TotalAuthenLatency and ClientLatency don’t work for TACACS+ in Cisco ISE. |
|
|
Unable to add an endpoint's MAC address to Endpoint Identity Group when using grace access in the Guest portal. |
|
|
Additional IPV6-SGT session binding created for IPV6 to link local address from SXP ADD operation. |
|
|
The authorization policy feature isn’t working in Cisco ISE Release 3.2. |
|
|
Guest portal FQDN is mapped with the IP address of the node in the database. |
|
|
Cisco ISE database doesn’t update the email field for Sponsor accounts. |
|
|
Cisco ISE can’t retrieve a peer certificate during EAP-TLS authentication. |
|
|
Enhancement for encryption to only send AES256 for MS-RPC calls. |
|
|
Cisco ISE restarts services directly without a prompt with the error "no ip name-server" displayed. |
|
|
Unable to disable Active Directory Diagnostic Tool scheduled tests in Cisco ISE Release 2.7. |
|
|
The error "No session available" is displayed in Cisco ISE Release 3.3 Patch 2. |
|
|
Unable to match "identityaccessrestricted equals true" in the authorization policy in Cisco ISE Release 2.6 Patch 7. |
|
|
The Device Network Conditions GUI page doesn’t load. |
|
|
The "iselocalstore" logs aren’t getting collected in the support bundle logs obtained from the Cisco ISE CLI. |
|
|
The pxGrid getUserGroups API request returns an empty response. |
|
|
Enabling the SXP role on the Cisco ISE PSN causes high CPU load and utilization. |
|
|
Endpoints having a null key value pair in the attributes section are interrupting the purge flow. |
|
|
Cisco ISE times out when using the Export All option on the Network Devices page to export more than 90,000 network devices. |
|
|
Space " " characters in the command arguments are being replaced by forward slash "/" characters after the command set is exported as a CSV file. |
|
|
The endpoint is losing the static identity group assignment after reauthentication. |
|
|
You need to disable the unbound-anchor while starting Cisco ISE. |
|
|
The external RADIUS server list doesn’t show up after upgrading to Cisco ISE Release 3.2. |
|
|
An excess number of AD groups being mapped to sponsor groups is causing latency in sponsor login |
|
|
During the registration of a node that was previously registered to the deployment, it’s observed that all the certificates of the deployment were deleted and that all the nodes in the deployment were restarted. |
|
|
Unable to delete a support bundle from the Cisco ISE GUI in Cisco ISE Release 3.1 Patch 7. |
|
|
An issue with the Insufficient Virtual Machine Resources Alarm on AWS is seen in Cisco ISE Release 3.2 Patch 6. |
|
|
In Cisco ISE Release 3.2 Patch 4, the search for MAC address in the format is ignored. |
|
|
When Cisco ISE has pxGrid enabled on two nodes, the integration fails with the error "pxGrid not enabled on ISE". |
|
|
The ise-duo.log isn’t collected at the time of support bundle creation. |
|
|
Profiler CoA sent with the wrong session ID. |
|
|
The agent rule defaults to the default rule setting while editing an existing agent. |
|
|
Cisco ISE CLI admin user is unable login after not logging in over a two-month period. |
|
|
The ct_engine root is using 100% of the CPU. |
|
|
Cisco ISE URT bundle upgrade fails with the error "RADIUS dictionary attribute duplicate entry exists". |
|
|
The PRA fails if the endpoint is in a posture lease. |
|
|
Location group information is missing from policy sets. |
|
|
The mobile number format field for JavaScript code doesn’t support more than 100 characters. |
|
|
The AnyConnect posture script isn’t attempted when the script condition name contains a period. |
|
|
Scheduled backup configuration details aren’t visible to Read-only user in Cisco ISE Release 3.1 Patch 7. |
|
|
The row of "Manage SXP Domain filters" only displays a maximum of 25 filters. |
|
|
Unable to load the authorization policy due to duplicate portal entries. |
|
|
When upgrading to Cisco ISE Release 3.4, the Duo seeder is missing in the MnT table post the upgrade. |
|
|
The application remediation disappears after editing. |
|
|
In Cisco ISE Release 3.2, the SMS is not sent during the "Reset Password" flow when using a custom "SMTP API Destination Address". |
|
|
In Cisco ISE Release 3.3, the PAN failover component is missing from the debug log configuration. |
|
|
In Cisco ISE PIC Release 3.1, the live session shouldn’t show the terminated sessions. |
|
|
Posture client provisioning resources display an HTTP error when the dictionary attribute contains "-". |
|
|
Cisco ISE is reaching the context limit in proxy flows when querying LDAP groups for authorization policies. |
|
|
Cisco ISE automatic crash decoder isn’t decoding functions properly. |
|
|
Post ADEOS restore, the app server is stuck at the initializing phase. |
|
|
Add an option to delete temporary files from "/opt/backup" if the CLI backup process fails during transfer. |
|
|
When joining multiple Cisco ISE nodes to the domain controller simultaneously duplicate accounts are created. |
|
|
profiler is triggering Port Bounce when there are multiple sessions exist on a switch port |
|
|
In Cisco ISE Release 3.1, the detailed report doesn't show both user and machine authentication policies for EAP chaining. |
|
|
In Cisco ISE Release 3.2 and later releases, the System 360 monitoring debug log level needs to be reduced. |
|
|
German and Italian emails can’t be saved under Account Expiration Notification in Guest Types. |
|
|
In Cisco ISE Release 3.1Patch 8, the Installed Patches menu doesn’t list all the patches. |
|
|
An identity store added using uppercase FQDN can’t be removed from the CLI. |
|
|
In Cisco ISE Release 3.1, there’s an intermittent failure in displaying Live Log details and the error "No Data available for this record" is displayed. |
|
|
Bulk Creating Egress Matrix Policy Via ERS Fails With an Error |
|
|
An attempt to delete an "Is IPSEC Device" NDG causes all subsequent RADIUS and TACACS+ authentications to fail. |
|
|
If the configured synflood-limit is beyond 10000, the limit isn’t working. |
|
|
Show CLI commands throw an exception after configuring log level up to five. |
|
|
Unable to integrate to prime Infrastructure due to a wrong password error. |
|
|
Cisco ISE displaying "Invalid IP or hostname" error. |
|
|
The PRA fails if the endpoint is within posture lease. |
|
|
Apache Struts Vulnerability affecting Cisco products: December 2023 |
|
|
Not able to schedule or edit schedule for a configuration backup. |
|
|
Cisco ISE Release 3.2 Patch 2 provides no response from SNMP when the "snmp-server host" is configured. |
|
|
Intensive GC observed due to the SXP component causing node longevity issues in Cisco ISE Release 3.4. |
|
|
Cisco ISE drops a RADIUS request with the error message "Request from a nonwireless device was dropped". |
|
|
Provide a comprehensible description for the error displays while editing internal users. |
|
|
Context Visibility for pxGrid ContextIn is missing custom attributes in Cisco ISE Release 3.1 Patch 7. |
|
|
Swap memory usage is high. |
|
|
Data corruptions causing FailureReason=11007 or FailureReason=15022 in Cisco ISE. |
|
|
The deployment SEC_TRNREP_STATUS isn’t getting updated from the "In Progress" state. |
|
|
In the Context Visibility page, the Endpoint Custom Attributes can’t be filtered using special characters. |
|
|
In Cisco ISE Release 3.2, there’s limited GUI access and an inability to regenerate root CA when Essentials licenses are disabled. |
|
|
The Cisco ISE GUI doesn't load when trying to edit the Client Provisioning Portal configuration. |
|
|
CVE-2023-48795 seen in OpenSSH in Cisco ISE. |
|
|
Unable to match Azure AD group if the user belongs to more than 99 groups. |
|
|
Discrepancy in the count of identity groups between the CV and Oracle databases. |
|
|
Enabling only "User Services" also enables admin GUI access. |
|
|
The application server is crashing as a result of Metaspace exhaustion. |
|
|
Cisco ISE doesn’t allow special characters in passwords while importing certificates. |
|
|
Inconsistence on VLAN ID or name with the error "Error: Not a valid ODBC dictionary". |
|
|
In Cisco ISE Release 3.1 Patch 5, the passwords of a few internal users aren’t expiring even after the configured global password expiry date. |
|
|
In Cisco ISE Release 3.3, TACACS data isn’t retained and is purged. |
|
|
The Cisco ISE Alarm and Dashboard Summary doesn’t load. |
|
|
The message description for message code 13036 has a misspelled word. |
|
|
In Cisco ISE Release 3.2, the TACACS+ end-station network condition has high step latency while accessing the NAD using the console. |
|
|
Resend the user account details for all guest users or specific guest users to the sponsor. |
|
|
pxGrid doesn’t show topic registration details. |
|
|
During the TrustSec deployment verification, the policy difference alarm is triggered while policy the is identical on Cisco ISE and the NAD. |
|
|
The text of the Out of Compliance for 30 days alarm needs to be updated. |
|
|
Cisco Identity Services Engine Arbitrary File Upload Vulnerability. |
|
|
In Cisco ISE Release 3.1, the NAD RADIUS shared secret key is incorrect when it starts with ' (apostrophe). |
|
|
Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability. |
|
|
1000 database connections are exhausted due to "Dashboard System Status" query. |
|
|
Cisco ISE Sponsor Portal is showing an invalid input when special characters are used in the Guest Type. |
|
|
High CPU usage caused by RMQforwarder. |
|
|
The User Account search and Manage Accounts functionality has been enhanced. |
|
|
Decryption of session tickets received from the client fails on Cisco ISE. |
|
|
TrustSec update with CoA or CoA-push is broken. |
|
|
AD group retrieval fails while evaluating authorization policies. |
|
|
Cisco ISE Release 3.2 Patch 4 displays a "deleteCertFromStore:- Failed to parse certificate" error. |
|
|
The Profiler NetworkDeviceEventHandler failed to add a device as a result of the input containing "0-255" in the string. |
|
|
The error "Name or service not known'" is displayed when you try to reach the configured IP host under certain procedures. |
|
|
The Docker Metrics Report needs to be changed. |
|
|
Cisco ISE displays a 400 error when fetching the device administration network conditions using OpenAPI. |
|
|
Right COA to be triggered in VPM flow when posture and MDM flows are configured together. |
|
|
An upgrade to Cisco ISE Release 3.2 fails with the error - integrity constraint (CEPM.REF_HOSTCONFIG_HA_PEER1) violated. |
|
|
The TopN device administration reports don’t work when incoming TACACS records exceed 40 million records per day. |
|
|
Cisco ISE Passive ID agent displays error "id to load is required for loading". |
|
|
Cisco ISE can't create an authentication policy with DenyAccess identity source using OpenAPI. |
|
|
Unable to retrieve the endpoint IP address using API calls. |
|
|
The command "show cpu usage" doesn’t display information in Cisco ISE 3.x releases. |
|
|
Cisco ISE Missing Rate Limiting Protection. |
|
|
Authentication fails and the advanced options are ignored in Cisco ISE. |
|
|
There’s a spelling mistake in API gateway settings in Cisco ISE 3.x releases. |
|
|
Aruba-MPSK-Passphrase needs encryption support. |
|
|
User and Endpoint Identity Groups description fields become not editable when using long-form text. |
|
|
In Cisco ISE Release 3.1 Patch 5, the pxGrid client certificate can’t be generated by using CSR. |
|
|
Unable to delete Network Device Group. |
|
|
Cisco ISE agentless posture doesn’t support passwords containing ":" character. |
|
|
A misleading pop-up seen while setting the password lifetime as more than 365 days. |
|
|
Cisco ISE Get All Endpoints request takes a long time to execute since Cisco ISE Release 2.7. |
|
|
In Cisco ISE Release 3.2 and later releases, System 360 Monitoring debug log rotation isn’t working. |
|
|
Unable to trigger COA and is stuck at the dispatcher queue. |
|
| The Context Visibility pages open drawer action displays an error while loading subtitles in Cisco ISE Release 3.3 Patch 1. | |
|
Security groups and contracts with multiple backslash characters in a row in the description can’t sync to Cisco ISE. |
|
|
This Cisco ISE ERS API is taking several seconds to update a single endpoint. |
|
|
The requirement to enter the current password during a password update can be bypassed in Cisco ISE. |
|
|
Connection attempts to domains in the "not allowed domains" list are observed in Cisco ISE Release 3.0. |
|
|
The 'accountEnabled' attribute is causing authentication issues for EAP-TLS with Azure AD. |
|
|
In Cisco ISE, the authorization rule evaluation appears to be broken for authorization attempts that use EAP-chaining and Azure AD groups. |
|
|
An error is displayed while launching the Log Analytics page. |
|
|
Cisco ISE authorization profile displays the wrong security group and VN value. |
|
|
After the Import button is clicked, the .csv file shouldn’t be selected and the Import button shouldn't work. |
|
|
Cisco ISE should perform a NSLookup again when FQDN is the token server. |
|
|
SXP creates inconsistent mapping between IP address and SGT. |
|
|
The first name and last name fields in Network Access User doesn't allow for "'OR" in the names. |
|
|
Cisco ISE limits connection to AMP - AMQP service to TLSv1.0. |
|
|
Unable to disable SHA1 for ports associated with Passive ID agents. |
|
|
Unable to change the admin password if it contains "$" in Cisco ISE Release 3.1 Patch 7. |
|
|
The filter field 'name' isn’t supported for downloadable ACLs through Cisco ISE ERS APIs. |
|
|
Issues seen when the COA retry count is updated to "0". |
|
|
TCP socket exhaustion. |
|
|
Assigned logical profile is repeated in the endpoint attributes and reports on the Context Visibility page. |
|
|
Evaluation of Open VM tools CVE-2023-20900. |
|
|
Unable to create a new internal user and the error "couldn’t execute statement; SQL [n/a]; constraint [CEPM.BKUPSLASTAUTHTIMEENTRY]" is displayed on the Cisco ISE GUI. |
|
|
Evaluation of TACACS deployment with zero days won’t work following smart licensing registration. |
|
|
Extra pop-up screen appears while viewing the RADIUS and TACACS key after enabling "Require Admin password" to view sensitive data. |
|
|
IP access list control in Cisco ISE Release 3.2 isn’t visible. |
|
|
The Cisco ISE admin isn’t alerted about incorrect engineID format in snmp-server host during SNMPv3 configuration. |
|
|
Cisco ISE Release 3.2 couldn’t find selected authorization profiles. |
|
|
Errors encountered while editing AnyConnect configurations and Posture agent profiles. |
|
|
0.0.0.0 default static routes configured on all interfaces are deleted post Cisco ISE reload. |
|
|
Duplicating network devices recreate the devices without RADIUS settings in Cisco ISE Release 3.3 Patch 2. |
|
|
In pxGrid Direct, if the user data information is stored in nested objects within the data array, Cisco ISE is unable to them and it won’t be visible in the pxGrid Direct Connector information in the Context Visibility page. |
|
|
Custom attribute failure seen in Cisco ISE Release 3.1 Patch 7. |
|
|
Cisco ISE on AWS doesn't work if Metadata (IMDS) version value "V2 only" selected. |
|
|
Static IPV6 routes are removed after a reload in Cisco ISE Release 3.2. |
|
|
Cisco ISE Release 3.3 can’t switch the admininstration certificate role. |
|
|
The user custom attributes are stuck in the rendering stage. |
|
|
Manually deleting the static routes cause Cisco ISE to send packets with wrong MAC addresses in Cisco ISE Release 3.0 Patch 7. |
|
|
In Cisco ISE Release 3.2 and later releases, conditions from Condition Studio has a default disabled icon in the information pop-up. |
|
|
Cisco ISE SAML ID provider configuration attributes are deleted even when they are referenced elsewhere. |
|
|
Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability. |
|
|
PEAP and EAP-TLS don't work on FIPS mode in Cisco ISE Release 3.2 Patch 3. |
|
|
Can’t edit or create admin user due to the error "xwt.widget.repeater.DataRepeater". |
|
|
IPv6 default route disappears from the routing table after modifying the IPv6 address. |
|
|
Cisco ISE isn’t sharing posture-compliant session properly over pxGrid. |
|
|
Cisco ISE context visibility doesn't validate static MAC entries if a separator like colon is omitted. |
|
|
Cisco ISE services are stuck in the initializing state with secure syslogs. |
|
|
Custom attributes used in the Never Purge rule are still purging the endpoints. |
|
|
Interrupting execution of "show tech-support" causes services to stop on Cisco ISE. |
|
|
Primary Guest Report shows duplicate entries of title when exported to an external repository. |
|
|
Cisco ISE AD Diagnostic Tool stops working upon upgrade and you can’t retrieve the list of available tests. |
|
| Cisco ISE incorrectly routes RADIUS Traffic when multiple static default routes are present. | |
|
Dedicated MnT nodes in Cisco ISE don’t replicate SMTP configuration. |
|
|
The script provided for creating endpoint group in the Cisco ISE REST API document is incorrect. |
|
|
Matching authorization profiles with SGT, VN name, and VLAN causes PRRT to crash. |
|
|
Expired guest accounts don't receive SMS when they try to reactivate their accounts. |
|
|
Stale lock files are blocking the API gateway and the Context Visibility page. |
|
|
Toggle to enable or disable RSA PSS cipher based on policies under Allowed Protocols. |
|
|
When a guest user connects for to Cisco ISE for the first time, Cisco ISE doesn’t update the ACS.Username field with the guest username. |
|
|
CRL download failure seen in Cisco ISE Release 3.2 Patch 3. |
|
|
The "Save" option under Advanced filters isn’t working for filtering Client Provisioning resources. |
|
|
Replication error "Error synchronizing object: EDF2EndPoint: Operation: Update" is displayed during replication in Cisco ISE. |
|
|
In Cisco ISE Release 3.1, the endpoints purging rule is automatically created after duplicating the My Devices portal in Cisco ISE BYOD configuration causing endpoints to be deleted from the Cisco ISE database after 30 days. |
|
|
The abandoned Jedis connections aren’t being sent back to the thread pool in Cisco ISE. |
|
|
Cisco ISE GUI packet captures that were taken from CLI can’t be deleted. |
|
|
Cisco ISE date of last purge has the wrong time stamp. |
|
|
Internal system error for posture is seen when premier license is disabled in Cisco ISE. |
|
|
Allow Launch program remediation to have a set order. |
|
|
Unsupported message codes 91092 and 91103, and respective alarms seen in syslogs. |
|
|
Cisco ISE Release 3.2 custom filters for TACACS reports don't work as expected. |
|
|
Deregistering a Cisco ISE node should verify whether the process has been initiated by the primary PAN. |
|
|
When configuring "TROUBLESHOOTING.EncryptionOffPeriod" advanced tuning with any nonzero value of minutes for decrypting the communication with Active Directory for troubleshooting, then RPC net logon fails for all Active Directory authentications on that Cisco ISE node. |
|
|
The numbering of DACL entries is off in Mozilla Firefox 45 and above. |
|
|
Hotpatches aren’t getting installed when both patches and hotpatches are in ZTP configuration. |
|
|
RADIUS server sequence configuration is corrupted. |
|
|
In Cisco ISE Release 3.2, the RMQ is sending outgoing RST packets with APIPA IP 169.254.2.2. |
|
|
Initial setup fails if the default gateway and configured IP address are on different subnets. |
|
|
Windows Agentless Posture isn’t working if the username starts with $ (dollar sign). |
|
|
In Cisco ISE Release 3.1, the Agentless Posture flows fail when the domain user is configured for endpoint login. |
|
|
Cisco ISE API doesn't recognize identity groups while creating user accounts. |
|
|
In Cisco ISE Release 2.6, it’s impossible to create static IP-SGT mapping for EPGs imported from ACI. |
|
|
In Cisco ISE 3.x releases, Interactive Help throws an error in the console and logs. |
|
|
The portal name and results filters aren’t working in the Primary Guest report. |
|
|
CRL retrieval is failing. |
|
|
Unable to use the advanced filter in Cisco ISE Release 3.2 for "Empty" and "Not Empty" filters. |
|
|
Cisco ISE Release 3.3 on Cloud (Azure, AWS, OCI) isn’t reading disk size properly and always defaults to 300 GB. |
|
|
Failure due to case-sensitive check when new mobile device managers are created with the same name but with a different case. |
|
|
Get-All Guest User API isn’t retrieving all the guest accounts. |
|
|
All network device groups are deleted after a child item is removed from any group. |
|
|
After restoring a configuration backup, you must reconfigure the repository with new credentials. |
|
|
Validation is missing on the Cisco ISE server. |
|
|
No alarm is generated for a failed scheduled backup. |
|
|
Invalid IP or hostname error is displayed when using "_" as the first character in the NSLookup request. |
|
|
Evaluation Period Expired alarm is observed when the SLR license is out of compliance due to overconsumption. |
|
|
The AD connector in not joined status update. |
|
|
Korean support issue on Context Visibility page. |
|
|
Only superadmin users can edit or delete endpoints when Cisco ISE has more than 1000 identity groups. |
|
|
Guest accounts can’t be seen by sponsors in a specific sponsor group. |
|
|
When the PassiveID syslog is received by the MnT before the Active Authentication syslog, session integration isn’t happening in Cisco ISE. |
|
|
NA PRRT needs to be decoupled from logging using the main thread pool. |
|
|
The ise-messaging.log not visible for download on the Cisco ISE GUI. |
|
|
The warning "Configuration Missing" is seen when navigating to the Log Analytics page. |
|
|
When nonmandatory attributes aren’t included in the body of Update PUT requests, their values are reset to empty or the default value. |
|
|
Vulnerabilities in OpenSSL 1.0.2o. |
|
|
Wild-card certificate imported on primary PAN isn’t replicated to other nodes in deployment. |
|
|
Cisco ISE Release 2.7 Patch 6 is unable to filter NAD IP by IP address. |
|
|
Profiling isn’t processing the Calling Station ID values that are in the format "XXXXXXXXXXXX". |
|
|
PSN node crashed during assignment of CPMSessionID. |
|
|
The Cisco ISE GUI is showing the HTML Hexadecimal code for the characters in the command set. |
|
|
Cisco Identity Services Engine Server-Side Request Forgery Vulnerability. |
|
|
Export of all network devices gives an empty file in Cisco ISE. |
|
|
RBAC policy with custom permissions is working when the administration menu is hidden. |
|
|
Both agentprobeoom.sh & restprobeoom.sh need to clean up their own OOM Heap files to optimize Cisco ISE database usage. |
|
|
Cisco-av-pair throws an error when using % for PSK. |
|
|
Endpoint .csv file import displays the error "No file chosen" after selecting the file. |
|
|
Garbage collector logs, thread dump, and HEAP dump are missing from the support bundle. |
|
|
Operational backups from the Cisco ISE GUI fail with the following status: "Backup Failed; copy to repository failed". |
|
|
Cisco ISE maximum session counter time limit isn’t working. |
|
|
The API ers/config/sessionservicenode is returning the incorrect total. |
|
|
Unable to log in to the secondary admin node's Cisco ISE GUI using AD credentials. |
|
|
pxGrid Direct service is stuck in the initializing state because the lock file isn’t removed. |
|
|
Using an apostrophe in the First Name and Last name fields displays an invalid name error. |
|
|
Upgrade to Cisco ISE Release 3.2 with LSD disabled before the upgrade workflow is causing a profiler exception. |
|
|
In Cisco ISE Release 3.2 Patch 3, the adapter log information remains constant. |
|
|
While using the SMS HTTP method as the SMS gateway the attribute name in the SMS HTTP URL causes problems. |
|
|
The DumpClearOnExceed files are using excessive disk space on the Cisco ISE PSN nodes. |
|
|
Addition of the "Disable EDR Internet Check" tag is a feature enhancement. |
|
|
Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability. |
|
|
Addition of a mechanism to fetch user data for pxGrid connectors. |
|
|
The GCMP256 authorization with the SHA384withRSA4096 certificate, a requirement in Android 12 for authorization, is failing the authorization process. |
|
|
Verify the existence of per-user DACL on Cisco ISE configurations in Cisco ISE Release 3.2. |
|
| Cisco ISE-PIC license expiration alarms. | |
|
Exporting a report for a time period of over one month provides a report with no data. |
|
|
HS_err files are being generated on the MnT nodes. |
|
|
Cisco ISE is constantly requesting internal super admin users in response to external RADIUS token servers. |
|
|
A COA port-bounce must take place when an ANC policy with PORT_BOUNCE is removed. |
|
|
Operational data purging only shows the name of the primary monitoring node. |
|
|
After performing a reset configuration with the FQDN value, a mismatch occurs between the GUI and the CLI. |
|
|
Cisco ISE AD connector fails during a join operation. |
|
|
There are changes to the hostname during printing on the CLI. |
|
|
The debug profile isn’t removed when the "reset to default" option is used in the debug log configuration. |
|
|
Old Cisco ISE nodes are shown in the TCP dump and debug profile configuration after a restore operation. |
|
|
Cisco ISE Release 3.2 is sending outgoing RST packets with APIPA IP 169.254.4.x. |
|
|
Cisco ISE PSN crashes when maximum number of users are a part of the user session authentication flow using TACACS. |
|
|
Authorization based on internal user ID group is failing without the RADIUS-token authorization for VPN. |
|
|
Corruption in the Cisco ISE portal due to inconsistencies in the database. |
|
|
Cisco ISE is sending misleading messages when it’s unable to send an email to a guest after sponsor approval. |
|
|
Cisco ISE is stuck in a profiling loop, slowing down replication, and causing errors. |
|
|
TLS 1.0 or TLS 1.1 is accepted in the admin portal of Cisco ISE Release 3.0. |
|
|
Unable to edit or delete authorization profiles which have parentheses in their names. |
|
|
Compress restprobe-OOMHeap dumps. |
|
|
ANC remediation isn’t functioning properly with AnyConnect VPN. |
|
|
Cisco ISE allows a policy to be saved even when the corresponding ID store is deleted from another browser tab. |
|
|
Cores related to jstack can be observed on the primary PAN nodes in a regression setup. |
|
|
AD connector process doesn’t shut down. |
|
|
You can’t set the value of the preferred domain controllers registry during advanced tuning. |
|
|
Threads get blocked on primary PAN if the port 1521 isn’t available. |
|
|
The endpoint details in the pxGrid Endpoints page are incorrect. |
|
|
Read-only permissions provided for Cisco ISE admin access during SAML authentication. |
|
|
COA is triggered using a Guest Flow when Cisco Catalyst Center or Endpoint Analytics dictionary attributes are updated on Cisco ISE. |
|
|
The deleted MDM server is still listed in the allowed values under MDMServerName attribute. |
|
|
The erl_crash.dump must be handled in a better way. |
|
|
MAR cache replication fails between peer nodes for both NIC and Non-NIC bonding interfaces. |
|
|
Unable to update the profiling settings as the PriorityType is mandated. |
|
|
Posture feed update error is incorrect when there’s a problem with the proxy. |
|
|
Cisco ISE ERS Guest documentation should be updated to exclude the Portal ID from GET calls. |
|
|
Endpoint import fails for RBAC when Azure SAML is used for administration access. |
|
|
The TCP Dump diagnostic tool doesn’t allow for simultaneous multiple interface captures on a node. |
|
|
Problems seen with Cisco ISE CLI access as it fails to connect to the server. |
|
|
Live log events 5422 and 5434 don’t show any data in the Authentication and Authorization columns. |
|
|
Unable to enforce the IdentityAccesssRestricted attribute in the authorization policy. |
|
|
Cisco ISE shouldn’t allow a user to save the Allowed Protocols when no protocols have been checked. |
|
|
Lack of cross-origin HTTP security headers in Cisco ISE. |
|
|
Sponsor portal shows the wrong days of week information in the "Setting date" tab when using the Japanese GUI. |
|
|
Cisco ISE GUI pages aren’t loading properly with custom administration menu work center permissions. |
|
|
Cisco ISE can’t load corrupted NAD profiles causing authorization drops due to failure reasons 11007 and 15022. |
|
|
In Cisco ISE Release 3.2, the subject line of the self-registration email truncates everything after the"=" sign on the Sponsor-Guest portal. |
|
|
Cisco ISE HSTS header vulnerability on port 8084. |
|
|
Cisco ISE can’t download Passive ID agent. |
|
|
Cisco ISE REST authorization service isn’t running due to an error in the IP tables. |
|
|
MDM configuration fails when the GUID in the client certificate is used to validate the compliance of the device. |
|
|
With the ADE-OS restore option, the Cisco ISE GUI and CLI aren’t accessible in Cisco ISE Release 3.2 Patch 1 and later releases. |
|
|
The debug elements repeat three or more times in the debug profile configuration in Cisco ISE Release 3.3. |
|
|
Accept client certificate without KU purpose validation as per CiscoSSL rules. |
|
|
The TrustSec deployment request fails as the CoA request gets stuck while fetching NAD information. |
|
|
Cisco ISE SXP Bindings API call returns 2x response when the call fails. |
|
|
The ea.log file must be included in the support bundle. |
|
|
In Cisco ISE Release 3.2 Patch 3 and Cisco ISE Release 3.3, the portals don’t initialize if "IPV6 is enable" is the only IPV6 command on the interface. |
|
|
MDM compliance check fails when there are multiple MAC addresses with VMWare Workspace One as the mobile device management server. |
|
|
Nodes in Cisco ISE Release 3.2 running on Hyper-V are being assigned a DHCP address in addition to the static IP configured during the initial setup. |
|
|
SNMPD process causes memory leak on Cisco ISE. |
|
|
Agentless posture script is not running if the computer isn't connected to an AC power source. |
|
|
Recreating the undo-tablespace causes URT to fail in Cisco ISE Release 3.1 Patch 7. |
|
|
Policy export fails to export the policies in Cisco ISE Release 3.0 Patch 6. |
|
|
Unable to add multiple tasks within quotes "" in the launch program remediation. |
|
|
Cisco ISE Release 3.1 on AWS gives a false negative on the DNS check under health checks. |
|
|
Cisco ISE database only allows for 100 characters in the email field for a Sponsor account. |
|
|
In Cisco ISE Release 3.1, the services fail to start after restoring a backup from Cisco ISE Release 2.7. |
|
|
AD Credentials fail to integrate with Cisco ISE with 2.2.1.x and later releases. |
|
|
Cisco ISE includes a version of libcurl that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2023-27536,CVE-2023-27535,CVE-2023-27538. |
|
|
Cisco ISE isn’t sending SNMPv3 disk traps to configured SNMP servers. |
|
|
The endpoint probe doesn’t clean up SXP mappings. |
|
|
Maximum concurrent CLI sessions don’t work in Cisco ISE Release 3.4. |
|
|
Gig 0 always participates in the TCP handshake of the sponsor FQDN. |
|
|
RADIUS Authentication reports exported from the Operational Data Purging page are empty. |
|
|
Redirect URLs using FQDN that end with the IP address have the IP address replaced by the Cisco ISE hostname. |
|
|
Unable to delete existing devices in the My Device portal after restoring from Cisco ISE Release 2.7. |
|
|
Cisco ISE AD User SamAccountName parameter is null for user sessions in Cisco ISE Release 3.2 Patch 3. |
|
|
Cisco ISE DNS Resolvability Health Check fails due to a duplicated entry (IP, name, and FQDN). |
|
|
Methods used for retrieving policy details use the internal method and aren’t cached in Cisco ISE Release 3.1 Patch 6. |
|
|
Profiling isn’t suppressing CoA even if the option to supress CoA for specific logical groups is enabled. |
|
|
The session information isn’t stored in the time session cache during third-party posture flows. |
|
|
Endpoint details in the Cisco ISE Context Visibility page don’t match with the RADIUS live logs or sessions during the MDM flow. |
|
|
Agentless posture fails for EAP-TLS flows with multiple domains configured for endpoints to log in. |
|
|
Unable to select hotspot portal if an existent or duplicated authorization profile is selected. |
|
|
The Cisco ISE Release 3.1 Patch 5 install stalls indefinitely. |
|
|
The Log Analytics page isn’t launching in Cisco ISE. |
|
|
Cisco ISE Release 3.3 can’t register new nodes to the deployment after an upgrade as the node exporter password isn’t found. |
|
|
Impact on the authentications that use Active Directory as the identity source. |
|
|
Updating the DACL doesn’t modify the last update timestamp in the Cisco ISE ERS API. |
|
|
Profiler is caching the MDM attributes with wrong values. |
|
|
Sponsor permissions are disabled on the sponsor portal when they are accessed from the primary PAN. |
|
|
In Cisco ISE Release 3.1 Patch 7, the removed device types can still be selected in the policy set. |
|
|
Changes in rank cause the authorization rule to be committed to the database table which triggers the save call from the G UI |
|
|
A critical error seen in Client Provisioning Portal customization. |
|
|
Cisco ISE authorization profiles don’t persist data with "Security Group" and "Reauthentication" common tasks. |
|
|
The Sysaux tablespace is full due to the growth size of the AUD$ table. |
|
|
Multiple entries of DockerMetric seen in reports in Cisco ISE Release 3.3. |
|
|
Cisco ISE - Intune MDM integration may be disrupted due to the end of support for MAC address-based APIs from Intune. |
|
|
In Cisco ISE Release 3.2, the order of the IP name-servers in the running configuration isn’t respected. |
|
|
Some VNs from the Author node aren’t synced to the Reader node. |
|
|
Endpoint description in the Context Visibility page is updated with the Static Identity Group description. |
|
|
In Cisco ISE Release 3.2, the guest user API gives incorrect results when the filter is used. |
|
|
Cisco ISE audit reports log APIPA addresses as the source of the API requests. |
|
|
In Cisco ISE Release 3.2 Patch 3, the CoA Disconnect call is sent instead of the CoA Push call during a Posture Assessment when the RSD is disabled. |
|
|
After the administration certificate change, Cisco ISE doesn’t restart the services if the Bond interface is configured. |
|
|
Cisco ISE Release 3.3 doesn't invoke MFA for the user with UPN (User Principle Name). |
|
|
Cisco ISE and CVE-2023-24998. |
|
|
An error with custom attribute special characters in Cisco ISE. |
|
|
The Cisco ISE default portal is deleted from the database and is needed for SAML configuration. |
|
|
Observing the Insufficient Virtual Machine Resource alarm in Cisco ISE Release 3.1 Patch 8. |
|
|
No report or alarm is triggered for changes in the Device Administration settings. |
|
|
IP or SXP mappings aren’t created for VPN clients. |
|
|
REST authorization services won’t be enabled when hosts have multiple entries. |
|
|
Cisco ISE Self-Persistent Cross-Site Scripting (XSS) is seen in My Reports. |
|
|
Primary PAN REST calls to MnT nodes for live logs and reports aren’t loaded balanced. |
|
|
Cisco ISE to evaluate OpenSSH CVE-2024-6387. |
|
|
Cisco ISE allows duplicate interface IP addresses. |
|
|
Cisco ISE messaging certificate generation doesn’t replicate the full certificate chain on secondary nodes. |
|
|
Running the URT shows cosmetic warnings or errors. |
|
|
The DumpClearOnExceed files can be seen by using the "dir" command in the Cisco ISE CLI. |
|
|
Backups triggered rom the Cisco ISE GUI have errors saying that backups were triggered from the CLI. |
|
|
Smart license registration failure with "communication send error" alarms triggered intermittently. |
|
|
Cisco ISE is changing the MAC address format according to the selected MAC address format even when it isn’t a MAC device. |
|
|
Cisco ISE monitoring GUI is stuck at the "Welcome to Grafana" page. |
|
|
The main thread pool in Cisco ISE is stuck due to the ACE third-party library ContextIn leak. |
|
|
The detailed Live Log page isn’t loading for the TACACS+ authorization flow. |
|
|
SAML Provider can’t be added in Cisco ISE Release 3.2 and later releases. |
|
|
Unable to save changes in the patch management condition. |
|
|
Cisco ISE doesn’t use the license during authorization. |
|
|
The "Enable Password" of the internal users is created even when it’s specified through ERS API. |
|
|
The System Certificate Import doesn’t work for Cisco ISE nodes in a deployment in Cisco ISE Release 3.2. |
Open Caveats in Cisco ISE Release 3.4
This is the list of open caveats in Cisco ISE Release 3.4.
|
Caveat ID Number |
Description |
|---|---|
|
After upgrade, the MFC Profiler dashboard displays no data. |
|
|
SGTs are not deleted when an ACI connection is deleted. |
|
|
Duo MFA with VPN login does not work with MS-CHAP-v2. |
|
|
RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS). |
|
|
SXP bulk download missing entries after SXP node reload. |
|
|
Endpoints are not listed in the Context Visibility page, but they are listed in the Live Logs and Live Sessions pages, when a standalone node is assigned both PPAN and PSN personas. |
|
|
Page-level help for Inbound and Outbound SGT Domain Rules page is not working. |
|
|
Authorization fails if DACL is not found in ISE configuration. |
|
|
Data Upgrade and Restore from Cisco ISE 3.3 to 3.4 fails if username suffix is not configured in REST ID store. |
Additional References
See Cisco ISE End-User Resources for additional resources that you can use when working with Cisco ISE.
Communications, Services, and Additional Information
-
To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
-
To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
-
To submit a service request, visit Cisco Support.
-
To discover and browse secure, validated enterprise-class apps, products, solutions, and services, visit Cisco DevNet.
-
To obtain general networking, training, and certification titles, visit Cisco Press.
-
To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Cisco Bug Search Tool
Cisco Bug Search Tool (BST) is a gateway to the Cisco bug-tracking system, which maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. The BST provides you with detailed defect information about your products and software.
Documentation Feedback
To provide feedback about Cisco technical documentation, use the feedback form available in the right pane of every online document.
Feedback