Introduction to Cisco Identity Services Engine
Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, wireless controllers, Virtual Private Network (VPN) gateways, Private 5G networks, and data center switches. Cisco ISE acts as the policy manager in the Cisco TrustSec solution and supports TrustSec software-defined segmentation.
Cisco ISE is available on secure network server appliances with different performance characterizations, and also as software that can be run on virtual machines (VMs). Note that you can add more appliances to a deployment for better performance.
Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services where needed in a network, but operate the Cisco ISE deployment as a complete and coordinated system.
For detailed Cisco ISE ordering and licensing information, see the Cisco Identity Services Engine Ordering Guide.
For information on monitoring and troubleshooting the system, see the "Monitoring and Troubleshooting Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.
System Requirements
For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.
For more details on hardware platforms and installation in this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.
Note: Cisco ISE cannot be installed on OpenStack.
Supported Hardware
Cisco ISE, Release 2.4, can be installed on the following platforms:
| Hardware Platform | Configuration |
|---|---|
| Cisco SNS-3515-K9 (small) | For the appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide. |
| Cisco SNS-3595-K9 (large) | |
| Cisco SNS-3615-K9 (small) | |
| Cisco SNS-3655-K9 (medium) | |
| Cisco SNS-3695-K9 (large) | |
Caution: For Cisco Secure Network Server (SNS) 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise-2.4.0.357.SPA.x86_64_SNS-36x5_APPLIANCE_ONLY.iso). Cisco ISE 2.4 Patch 9 or later must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliances or for VMware, KVM, or Hyper-V installations.
After installation, you can configure Cisco ISE with specific component personas such as Administration, Monitoring, or pxGrid on the platforms that are listed in the above table.
Federal Information Processing Standard (FIPS) Mode Support
Cisco ISE uses an embedded Federal Information Processing Standard (FIPS) 140-2-validated cryptographic module, Cisco FIPS Object Module Version 6.0 (Certificate #2984). For details about the FIPS compliance claims, see Global Government Certifications.
Supported Virtual Environments
Cisco ISE supports the following virtual environment platforms:
- VMware ESXi 5.x, 6.x
- Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later
- KVM on RHEL 7.0 and 7.3
For information about the virtual machine requirements, see the Cisco Identity Services Engine Installation Guide for your version of Cisco ISE.
Caution: Cisco ISE does not support VMware snapshots for backing up ISE data, because a VMware snapshot saves the state of a VM at a given point in time. In a multi-node Cisco ISE deployment, the data in all the nodes is continuously synchronized with the current database information. Restoring a snapshot might cause database replication and synchronization issues. We recommend that you use the backup functionality included in Cisco ISE for archival and restoration of data. Using VMware snapshots to back up ISE data stops the Cisco ISE services, and a reboot is required to bring up the ISE node.
Supported Browsers
The supported browsers for the Admin portal include:
- Mozilla Firefox 88 and earlier versions from version 82
- Mozilla Firefox ESR 60.9 and earlier versions
- Google Chrome 90 and earlier versions from version 86
- Microsoft Internet Explorer 11.x
Validated External Identity Sources
Note: The supported Active Directory versions are the same for both Cisco ISE and Cisco ISE-PIC.

| External Identity Source | Version |
|---|---|
| Active Directory [1] | |
| Microsoft Windows Active Directory 2012 | Windows Server 2012 |
| Microsoft Windows Active Directory 2012 R2 [2] | Windows Server 2012 R2 |
| Microsoft Windows Active Directory 2016 | Windows Server 2016 |
| LDAP Servers | |
| SunONE LDAP Directory Server | Version 5.2 |
| OpenLDAP Directory Server | Version 2.4.23 |
| Any LDAP v3-compliant server | Any version that is LDAP v3 compliant |
| Token Servers | |
| RSA ACE/Server | 6.x series |
| RSA Authentication Manager | 7.x and 8.x series |
| Any RADIUS RFC 2865-compliant token server | Any version that is RFC 2865 compliant |
| Security Assertion Markup Language (SAML) Single Sign-On (SSO) | |
| Microsoft Azure MFA | Latest |
| Oracle Access Manager (OAM) | Version 11.1.2.2.0 |
| Oracle Identity Federation (OIF) | Version 11.1.1.2.0 |
| PingFederate Server | Version 6.10.0.4 |
| PingOne Cloud | Latest |
| Secure Auth | 8.1.1 |
| Any SAMLv2-compliant Identity Provider | Any Identity Provider version that is SAMLv2 compliant |
| Open Database Connectivity (ODBC) Identity Source | |
| Microsoft SQL Server | Microsoft SQL Server 2012, Microsoft SQL Server 2022 |
| Oracle | Enterprise Edition Release 12.1.0.2.0 |
| PostgreSQL | 9.0 |
| Sybase | 16.0 |
| MySQL | 6.3 |
| Social Login (for Guest User Accounts) | Latest |

[1] Cisco ISE OCSP functionality is available only on Microsoft Windows Active Directory 2008 and later.
[2] Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2. However, the new features in Microsoft Windows Active Directory 2012 R2, such as Protected User Groups, are not supported.
Supported Antivirus and Antimalware Products
For information about the antivirus and antimalware products supported by the Cisco ISE posture agent, see Cisco AnyConnect ISE Posture Support Charts.
What is New in Cisco ISE, Release 2.4
Support for Cisco Secure Network Server 3600 Series Appliance
For Cisco Secure Network Server (SNS) 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise-2.4.0.357.SPA.x86_64_SNS-36x5_APPLIANCE_ONLY.iso). Cisco ISE 2.4 Patch 9 or later must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliances or for VMware, KVM, or Hyper-V installations.
Business Outcome: Improved performance, scalability, and platform manageability over SNS 35xx series appliances.
The Default TLS Version when initiating External Connections through Proxy is TLS 1.2
When Cisco ISE acts as a client, the default protocol used for connections initiated from it to external entities is TLS 1.2. In this case, only TLS 1.2 is supported. If you want to provide support for lower versions as well (which might be insecure), you must explicitly enable these versions in Cisco ISE on the following page: Administration > System > Settings > Security Settings.
Business Outcome: Improved security in SSL connections.
Cisco ISE Can Pull IoT Device Context and Session Data from Cisco IND
Cisco ISE can profile and display the status of devices attached to a Cisco Industrial Network Director (IND). Cisco Platform Exchange Grid (pxGrid) is used to communicate endpoint (Internet of Things [IoT]) data between Cisco ISE and Cisco IND: pxGrid receives the context from Cisco IND and queries Cisco IND to update the endpoint type.
Business Outcome: Automates classification of IoT devices on your network.
Control Permissions for pxGrid Clients
You can create pxGrid authorization rules to control the permissions of the pxGrid clients (under Administration > pxGrid Services > Permissions).
These rules control which services, and which operations on each service, are available to pxGrid clients. Cisco ISE applies the rules to groups, not to individual clients. You can manage groups by clicking the Manage Groups heading in the Permissions window. The Permissions window displays predefined authorization rules that use predefined groups (such as EPS and ANC). You can update only the Groups field in the predefined rules.
Business Outcome: Better pxGrid backward compatibility:
Customizable SSH Ciphers and Encryption Algorithms
You can use the service sshd encryption-algorithm and service sshd encryption-mode global configuration commands in Cisco ISE 2.4 to harden the ISE SSH server and specify the cipher suite to be used. You can use AES-CTR and/or AES-CBC ciphers.
Cisco ISE 2.3 and earlier releases allowed only AES-CBC ciphers (due to the Common Criteria Protection Profiles for Access Control Devices and Systems). Cisco ISE 2.4 allows you to use both AES-CTR and AES-CBC ciphers.
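To see what the cipher setting above changes on the wire, here is an added example (not Cisco code, and it does not talk to an ISE node) that parses the SSH_MSG_KEXINIT message an SSH server sends at the start of every session (RFC 4253, section 7.1) and reports which of the offered ciphers are CBC-mode and which are CTR-mode. The two KEXINIT payloads are constructed inside the block to stand in for a 2.3-style server that offers only AES-CBC and a hardened 2.4 server that offers only AES-CTR; in practice you would feed it the payload captured from the node with a packet capture or an SSH client library.

```python
import struct

SSH_MSG_KEXINIT = 20  # message number, RFC 4253 section 7.1

# The ten name-lists of a KEXINIT payload, in wire order (RFC 4253 section 7.1)
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def encode_kexinit(lists, cookie=bytes(16)):
    """Build a KEXINIT payload from a dict of name-lists (used only to construct the samples below)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, ())).encode("ascii")
        body += struct.pack(">I", len(names)) + names  # name-list = uint32 length + comma-separated names
    return body + b"\x00" + struct.pack(">I", 0)      # first_kex_packet_follows = FALSE, reserved = 0


def parse_kexinit(payload):
    """Decode the name-lists of a KEXINIT payload (packet framing and MAC are assumed already stripped)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 1 + 16, {}  # skip the message number and the 16-byte cookie
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated name-list")
        lists[field] = [n for n in payload[off:off + length].decode("ascii").split(",") if n]
        off += length
    return lists


def audit_ciphers(lists):
    """Group the offered encryption algorithms (both directions) by cipher mode."""
    offered = set(lists["encryption_algorithms_client_to_server"]) | set(lists["encryption_algorithms_server_to_client"])
    cbc = sorted(c for c in offered if c.endswith("-cbc"))
    ctr = sorted(c for c in offered if c.endswith("-ctr"))
    return {"cbc": cbc, "ctr": ctr, "other": sorted(offered - set(cbc) - set(ctr))}


def audit_payload(payload):
    return audit_ciphers(parse_kexinit(payload))


def _sample(ciphers):
    # Constructed name-lists; only the two cipher lists matter for the audit
    return {
        "kex_algorithms": ["diffie-hellman-group14-sha256"],
        "server_host_key_algorithms": ["rsa-sha2-256"],
        "encryption_algorithms_client_to_server": ciphers,
        "encryption_algorithms_server_to_client": ciphers,
        "mac_algorithms_client_to_server": ["hmac-sha2-256"],
        "mac_algorithms_server_to_client": ["hmac-sha2-256"],
        "compression_algorithms_client_to_server": ["none"],
        "compression_algorithms_server_to_client": ["none"],
    }


LEGACY_KEXINIT = encode_kexinit(_sample(["aes128-cbc", "aes256-cbc"]))    # CBC only, as in ISE 2.3 and earlier
HARDENED_KEXINIT = encode_kexinit(_sample(["aes256-ctr", "aes128-ctr"]))  # CTR only

if __name__ == "__main__":
    for label, payload in (("legacy", LEGACY_KEXINIT), ("hardened", HARDENED_KEXINIT)):
        result = audit_payload(payload)
        print(label, "CBC offered:", result["cbc"] or "none", "| CTR offered:", result["ctr"] or "none")
```

The audit deliberately merges both directions' cipher lists, because a server that offers a CBC cipher in either direction can still end up negotiating it with a client that prefers CBC; after changing the encryption mode on a node, an empty "cbc" list on a fresh capture is the confirmation to look for.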
Endpoint API Enhancements for MDM Attributes
Mobile Device Management (MDM) attributes are made available through the endpoints API to enable additional synchronization capability between Cisco ISE and a third-party MDM server.
Business Outcome: Helps customers better integrate third-party systems with ISE and provides a better user experience for end users using mobile devices that are managed by an MDM server.
IPv6 Support for RADIUS
IPv6 addresses are now supported for RADIUS configurations. The IP Address field in the Administration > Network Resources > Network Devices page and the Host IP field in the Administration > Network Resources > External RADIUS Server page now support both IPv4 and IPv6 addresses for RADIUS configurations.
Business Outcome: Additional support for IPv6 addressing:
Large Virtual Machine for Monitoring Persona
Cisco ISE introduces a large VM for Monitoring nodes.
This form factor is available only as a VM in Release 2.4 and above, and requires a large VM license.
Business Outcome: Deploying the Monitoring persona on a large VM offers the following advantages:
Posture Enhancements
- Grace Period for Noncompliant Devices—Cisco ISE provides an option to configure a grace period for devices that become noncompliant. Cisco ISE caches the results of posture assessment for a configurable amount of time. If a device is found to be noncompliant, Cisco ISE looks for the previously known good state in its cache and grants the device a grace period, during which the device is allowed access to the network. You can configure the grace period in minutes, hours, or days (up to a maximum of 30 days). The Posture Assessment by Endpoint report is updated and displays a Grace Compliant status for an endpoint that is currently not compliant but is within the grace period.
- Posture Rescan—AnyConnect users can now manually restart posture at any time.
- AnyConnect Stealth Mode Notifications—Several new failure notifications are added for AnyConnect stealth mode deployments to help users identify issues with their VPN connection.
- Disabling UAC Prompt on Windows—You can choose to disable the User Access Control (UAC) prompts on Windows endpoints from the AnyConnect posture profile.
  Note: By default, this value is set to No while configuring the AnyConnect profile. When you change it to Yes, the UAC prompts are disabled and Windows users no longer receive these prompts. If you want to enable the UAC prompt again, change this setting back to No in the AnyConnect profile. This setting takes effect only when the Windows endpoint is restarted.
- New URL for Downloading Client Provisioning and Posture Updates—The client provisioning and posture feed URLs have changed. The new URL for Posture Updates is https://www.cisco.com/web/secure/spa/posture-update.xml and for Client Provisioning it is https://www.cisco.com/web/secure/spa/provisioning-update.xml.
- File Condition Enhancements—A new operator, within, is introduced under File Condition to check for changes in a file within a certain period of time.
- Certificate Attributes in Client Provisioning and Posture Policies—Certificate attributes are now available in the client provisioning and posture policy pages.
- The following option has been newly added under the Location field in the Policy > Policy Elements > Conditions > Posture > Disk Encryption Condition window:
  - All Internal Drives—Checks the internal drives. Includes all hard disks that are mounted and encrypted, and all internal partitions. Excludes read-only drives, the system recovery disk/partition, the boot partition, network partitions, and physical disk drives that are external to the endpoint (including, but not limited to, disk drives connected via USB and Thunderbolt). Validated encryption software products include:
    - Bit-locker-6.x/10.x
    - Checkpoint 80.x on Windows 7
  Note: The "All Internal Drives" option is supported from AnyConnect Version 4.6.01098 onwards.
Business Outcome: Improved security alerts and enforcement:
Profiler Enhancements
- Added 190 new profile policies from vendors, including AudioCode, BlackBerry, Brother, Hewlett Packard, Lexmark, NetApp, Samsung, and Xerox.
- Added additional conditions to 185 profile policies to support additional probes. For example, DHCP conditions are added to Xerox devices so that customers who do not want to profile Xerox devices based on SNMP can profile them using DHCP.
- Reorganized profiles into families for better identification of new devices. For example, HP-LaserJet-4350 was previously profiled directly under HP-Device. It is now profiled under HP-LaserJet, which in turn is profiled under HP-Device. When Hewlett Packard introduces a new LaserJet printer model, Cisco ISE classifies the new model as HP-LaserJet, rather than HP-Device, until a profile policy for that exact LaserJet printer model is added.
Business Outcome: Effective classification of devices:
Support for Sending Separate SNMP CoA Packets
You can check the Send SNMP COA Separate Request check box in the Administration > Network Resources > Network Device Profiles > Change of Authorization (CoA) window to send the SNMP CoA packets to the NAD as two packets.
Business Outcome: Increased compatibility with devices:
Support for Two Shared Secrets Per IP for RADIUS NAD Clients
You can specify two shared secrets (keys) to be used by the network device and Cisco ISE. You can configure the shared secrets in the RADIUS authentication settings section for a NAD in the Administration > Network Resources > Network Devices page in Cisco ISE.
Business Outcome: Replace shared secrets on network devices:
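As an added illustration (not Cisco's implementation, which is not published) of how a RADIUS server can honour two shared secrets for the same NAD while the secret is being replaced: the server checks the Message-Authenticator attribute (RFC 2869, an HMAC-MD5 keyed with the shared secret) against each configured secret, and answers with a Response Authenticator (RFC 2865, section 3) computed with whichever secret matched, so the NAD verifies the reply with the secret it actually used. The NAD name, both secrets and the Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS codes, RFC 2865 section 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80        # RFC 2869 section 5.14


def _attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, 2 + len(value)]) + value


def _attributes(packet):
    """Decode the attribute list that follows the 20-byte RADIUS header."""
    off, out = 20, []
    while off < len(packet):
        attr_type, length = packet[off], packet[off + 1]
        out.append((attr_type, packet[off + 2:off + length]))
        off += length
    return out


def build_access_request(ident, request_auth, username, secret):
    """NAD side: an Access-Request whose Message-Authenticator is keyed with `secret`.
    The HMAC covers the whole packet with the Message-Authenticator value set to 16 zero bytes."""
    placeholder = _attr(ATTR_USER_NAME, username.encode()) + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(placeholder)) + request_auth
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + _attr(ATTR_USER_NAME, username.encode()) + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def match_shared_secret(packet, candidate_secrets):
    """Server side: return the configured secret that authenticates the packet, or None.
    Trying each candidate is what lets a NAD move from the old secret to the new one without an outage."""
    received, rebuilt = None, packet[:20]
    for attr_type, value in _attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            received, value = value, bytes(16)   # verify against the zeroed form, as the sender computed it
        rebuilt += _attr(attr_type, value)
    if received is None:
        return None
    for secret in candidate_secrets:
        if hmac.compare_digest(hmac.new(secret, rebuilt, hashlib.md5).digest(), received):
            return secret
    return None


def build_access_accept(request, secret):
    """Server side: minimal Access-Accept; Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack(">BBH", ACCESS_ACCEPT, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def nad_accepts_response(request, response, secret):
    """NAD side: verify the Response Authenticator with the secret the NAD used for its request."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


OLD_SECRET, NEW_SECRET = b"old-nad-secret", b"new-nad-secret"   # constructed sample values
SERVER_SECRETS = [OLD_SECRET, NEW_SECRET]                        # the two shared secrets configured for one NAD


def rotation_walkthrough():
    """Constructed exchange: the NAD still on the old secret, then the same NAD after switching to the new one."""
    request_auth = bytes(range(16))   # constructed; a real NAD uses unpredictable random bytes here
    results = {}
    for label, nad_secret in (("before_rotation", OLD_SECRET), ("after_rotation", NEW_SECRET)):
        req = build_access_request(7, request_auth, "switch-01", nad_secret)
        matched = match_shared_secret(req, SERVER_SECRETS)
        resp = build_access_accept(req, matched)
        results[label] = nad_accepts_response(req, resp, nad_secret)
    stale = build_access_request(9, request_auth, "switch-01", b"stale-secret")
    results["unknown_secret_rejected"] = match_shared_secret(stale, SERVER_SECRETS) is None
    return results


if __name__ == "__main__":
    print(rotation_walkthrough())
```

Once every NAD has been moved to the new secret, the old one should be removed from the server's candidate list; keeping two secrets configured is a rotation window, not a permanent state.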
TrustSec Enhancements
You can select the ISE node from which the configuration changes must be sent to the network device while adding the network device (under Advanced TrustSec Settings section). You can select the PAN or PSN node. If the PSN node that you selected is down, the configuration changes are sent to this device using the PAN.
While deploying the IP SGT static mappings, you can select the devices or the device groups to which the selected mappings must be deployed. You can select all the devices if necessary. You can use the filter option to search for the devices that you want. If you do not select any device, the selected mappings are deployed on all TrustSec devices.
You can use the Check Status option to check whether different SGTs are assigned to the same IP address for a specific device. You can use this option to find the devices that have conflicting mappings, the IP addresses that are mapped to multiple SGTs, and the SGTs that are assigned to the same IP address. This option can be used even if device groups, FQDNs, hostnames, or IPv6 addresses are used in the deployment. You must remove the conflicting mappings or modify the scope of deployment before deploying these mappings.
The Verify TrustSec Deployment option on the General TrustSec Settings page helps you verify whether the latest TrustSec policies are deployed on all the network devices. Alarms are displayed in the Alarms dashlet (under Work Centers > TrustSec > Dashboard) if there are any discrepancies between the policies that are configured on Cisco ISE and on the network device. The following alarms are displayed in the TrustSec dashboard:
- An alarm with an Info icon is displayed whenever the verification process is started or completed.
- An alarm with an Info icon is displayed if the verification process is cancelled due to a new deployment request.
- If the verification process resulted in an error (for instance, it failed to open an SSH connection with the network device, or the network device is unavailable), or if there is any discrepancy between the policies that are configured on Cisco ISE and the network device, an alarm with a Warning icon is displayed for each of these network devices.
The Verify Deployment option is also available on the following pages:
- Work Centers > TrustSec > Components > Security Groups
- Work Centers > TrustSec > Components > Security Group ACLs
- Work Centers > TrustSec > TrustSec Policy > Egress Policy > Matrix
- Work Centers > TrustSec > TrustSec Policy > Egress Policy > Source Tree
- Work Centers > TrustSec > TrustSec Policy > Egress Policy > Destination Tree
Check the Automatic Verification After Every Deploy check box if you want Cisco ISE to verify the updates on all the network devices after every deployment. When the deployment process is complete, the verification process is started after the time that you specify in the Time after Deploy Process field. The current verification process is cancelled if a new deployment request is received during the waiting period or when the verification is in progress. Click Verify Now to start the verification process immediately.
IPv6 addresses can be used in IP SGT static mappings. These mappings can be propagated using SSH or SXP to specific network devices or network device groups.
If FQDNs and hostnames are used, Cisco ISE looks up the corresponding IP addresses on the PAN and PSN nodes while deploying the mappings and checking the deployment status. You can select one of the following options (under IP SGT Static Mapping of Hostnames) in the General TrustSec Settings window to specify the number of mappings created for the IP addresses returned by the DNS query:
- Create mappings for all IP addresses returned by the DNS query
- Create mappings only for the first IPv4 address and the first IPv6 address that is returned by the DNS query
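The conflict check and the hostname-expansion options described above, as an added example that is not Cisco code: it expands each static mapping (IP literal, hostname or FQDN) into the IP addresses that would receive a mapping under either DNS option, applies the device scope (an empty selection means all TrustSec devices), and reports every device on which one IP address would end up with more than one SGT. The DNS answers, device names and SGT names are constructed; a real check would resolve names through the PAN/PSN resolvers, and device groups are assumed to have been flattened into device lists by the caller.

```python
import ipaddress

# Constructed DNS answers standing in for the lookups the PAN/PSN perform (assumption, not live DNS)
DNS_ANSWERS = {
    "web01.example.internal": ["10.1.1.10", "10.1.1.11", "2001:db8::10"],
    "db01.example.internal": ["10.1.2.20"],
}


def expand_target(target, mode="all"):
    """Turn a mapping target (IP literal, hostname, or FQDN) into the addresses that get a mapping.
    mode="all": every address the DNS query returns; mode="first": the first IPv4 and the first IPv6 only."""
    try:
        return [str(ipaddress.ip_address(target))]  # literal; normalises e.g. 2001:DB8::0010 -> 2001:db8::10
    except ValueError:
        pass
    answers = [str(ipaddress.ip_address(a)) for a in DNS_ANSWERS.get(target, [])]
    if mode == "all":
        return answers
    chosen = []
    for version in (4, 6):
        for addr in answers:
            if ipaddress.ip_address(addr).version == version:
                chosen.append(addr)
                break
    return chosen


def find_conflicts(mappings, all_devices, mode="all"):
    """mappings: dicts with target, sgt and devices (an empty devices list means deploy to all TrustSec devices).
    Returns {device: {ip: [sgt, ...]}} for every IP that would receive more than one SGT on that device."""
    per_device = {}
    for m in mappings:
        scope = m["devices"] or all_devices
        for ip in expand_target(m["target"], mode):
            for dev in scope:
                per_device.setdefault(dev, {}).setdefault(ip, set()).add(m["sgt"])
    conflicts = {}
    for dev, ip_map in per_device.items():
        clashes = {ip: sorted(sgts) for ip, sgts in ip_map.items() if len(sgts) > 1}
        if clashes:
            conflicts[dev] = clashes
    return conflicts


# Constructed deployment: three TrustSec devices and four static mappings
TRUSTSEC_DEVICES = ["sw-core-1", "sw-core-2", "sw-edge-1"]
SAMPLE_MAPPINGS = [
    {"target": "10.1.1.10", "sgt": "Servers", "devices": []},                       # no selection: all devices
    {"target": "web01.example.internal", "sgt": "Web", "devices": ["sw-core-1"]},   # FQDN, three DNS answers
    {"target": "10.1.1.11", "sgt": "Legacy", "devices": ["sw-core-1"]},
    {"target": "db01.example.internal", "sgt": "Database", "devices": ["sw-edge-1"]},
    {"target": "2001:DB8::10", "sgt": "Servers", "devices": ["sw-core-2"]},
]

if __name__ == "__main__":
    for mode in ("all", "first"):
        print(mode, find_conflicts(SAMPLE_MAPPINGS, TRUSTSEC_DEVICES, mode))
```

Running both modes over the same mappings shows why the hostname option matters: with "all", the second address that web01 resolves to (10.1.1.11) collides with the Legacy mapping on sw-core-1, while with "first" that address never receives a mapping and only the 10.1.1.10 conflict remains. Either way, the conflicting mappings have to be removed or their device scope narrowed before deployment.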
Decommissioned Dashlets
Some Dashlets Removed to Resolve Performance Issues
The following dashlets have been decommissioned to prevent performance issues when displaying large data sets:
A large number of endpoints caused performance problems with some dashlets.
Kerberos Authentication for the Sponsor Portal
You can configure Cisco ISE to use Kerberos to authenticate a sponsor user who is logged onto Windows for access to the sponsor portal. This process uses the Active Directory credentials of the logged in sponsor user in the Kerberos ticket. Kerberos SSO is performed inside the secure tunnel after the browser establishes the SSL connection with Cisco ISE.
Business Outcome: Additional security for sponsor authentication.
NFS Repository Credentials
When you add a repository and select NFS as the protocol, you can no longer enter credentials to connect to the repository.
Business Outcome: Using credentials to connect to an NFS repository caused problems.
Known Limitations and Workarounds
LDAP Server Reconfiguration after Upgrade
Limitation
The primary hostname or IP address is not updated, which causes authentication failures. This is because the deployment IDs tend to reset while the Cisco ISE deployment is being upgraded.
Condition
When you enable the Specify server for each ISE node option in the Connection window (or choose an existing server) and then upgrade your Cisco ISE deployment with PSNs, the deployment IDs tend to reset.
Workaround
Reconfigure the LDAP Server settings for each node. For more information, see the LDAP Identity Source Settings section in the Administrative Access to Cisco ISE Using an External Identity Store chapter of the "Cisco Identity Services Engine Administrator Guide, Release 2.4".
Upgrade GUI Notification
Limitation
The upgrade GUI shows the upgrade progress at 0% for the secondary PAN until the upgrade reaches 100%. The upgrade process continues in the background and there is no impact on the upgrade.
Condition
While upgrading from Cisco ISE 2.4 Patch 8 to a higher release.
Workaround
Check the upgrade progress from the CLI with the following command: show logging system ade/ADE.log
For more information, see CSCvp78781.
PxGrid Certificate Requirements
Limitation
The certificate requirements for the pxGrid service have become stricter from patch 13.
If you are using the Cisco ISE default self-signed certificate as the pxGrid certificate, Cisco ISE might reject that certificate after applying patch 13. This is because older versions of that certificate have the Netscape Cert Type extension set to SSL Server only, which now fails because a client certificate is required.
You may see an empty list in the pxGrid Web Clients window.
Any client with a non-compliant certificate fails to integrate with Cisco ISE.
Condition
If you are using the Cisco ISE default self-signed certificate as the pxGrid certificate or the Netscape Cert Type extension in the certificate has only SSL Server specified in it, the certificate might be rejected by Cisco ISE after applying patch 13.
Workaround
Use a certificate issued by the internal CA or generate a new certificate with the proper usage extensions:
- The Key Usage extension in the certificate must contain the fields Digital Signature and Key Encipherment.
- The Extended Key Usage extension in the certificate must contain the fields Client Authentication and Server Authentication.
- The Netscape Certificate Type extension isn't required in the certificate. But if the extension is necessary, add both SSL Client and SSL Server in the extension.
- If you're using a self-signed certificate, the Basic Constraints CA field must be TRUE and the Key Usage extension must contain the Key Cert Sign field.
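An added example (not Cisco code) that checks a certificate against the four pxGrid requirements listed above, using the Python cryptography library, which is assumed to be installed. It also builds two self-signed sample certificates for a hypothetical node name, ise-pxgrid.example.internal: one that meets the requirements and one that mirrors the server-only, non-CA shape the text describes as being rejected after patch 13. check_pem runs the same check on a PEM-encoded certificate exported from an ISE node or from a pxGrid client.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Netscape Cert Type is not modelled by the library, so it surfaces as an UnrecognizedExtension
NETSCAPE_CERT_TYPE = x509.ObjectIdentifier("2.16.840.1.113730.1.1")
NS_SSL_CLIENT, NS_SSL_SERVER = 0x80, 0x40   # bit flags inside the extension's BIT STRING


def check_pxgrid_cert(cert):
    """Return the list of requirement violations; an empty list means the certificate passes."""
    problems = []
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.digital_signature:
            problems.append("KeyUsage lacks digitalSignature")
        if not ku.key_encipherment:
            problems.append("KeyUsage lacks keyEncipherment")
    except x509.ExtensionNotFound:
        ku = None
        problems.append("KeyUsage extension missing")
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
            problems.append("ExtendedKeyUsage lacks clientAuth")
        if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
            problems.append("ExtendedKeyUsage lacks serverAuth")
    except x509.ExtensionNotFound:
        problems.append("ExtendedKeyUsage extension missing")
    try:
        raw = cert.extensions.get_extension_for_oid(NETSCAPE_CERT_TYPE).value.value
        # DER BIT STRING: tag 0x03, length, unused-bit count, then the flag byte
        flags = raw[3] if len(raw) >= 4 else 0
        if (flags & (NS_SSL_CLIENT | NS_SSL_SERVER)) != (NS_SSL_CLIENT | NS_SSL_SERVER):
            problems.append("Netscape Cert Type present without both SSL Client and SSL Server")
    except x509.ExtensionNotFound:
        pass  # the extension is optional
    if cert.issuer == cert.subject:   # self-signed: it must also be able to act as its own CA
        try:
            if not cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
                problems.append("self-signed but BasicConstraints CA is not TRUE")
        except x509.ExtensionNotFound:
            problems.append("self-signed but BasicConstraints extension missing")
        if ku is not None and not ku.key_cert_sign:
            problems.append("self-signed but KeyUsage lacks keyCertSign")
    return problems


def check_pem(pem_bytes):
    return check_pxgrid_cert(x509.load_pem_x509_certificate(pem_bytes))


def to_pem(cert):
    return cert.public_bytes(serialization.Encoding.PEM)


def _key_usage(**flags):
    base = dict(digital_signature=False, content_commitment=False, key_encipherment=False,
                data_encipherment=False, key_agreement=False, key_cert_sign=False,
                crl_sign=False, encipher_only=False, decipher_only=False)
    base.update(flags)
    return x509.KeyUsage(**base)


def _self_signed(ku, eku, ca):
    """Constructed sample: a self-signed certificate for a hypothetical node name."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ise-pxgrid.example.internal")])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
               .add_extension(ku, critical=True)
               .add_extension(x509.ExtendedKeyUsage(eku), critical=False))
    return builder.sign(key, hashes.SHA256())


def build_sample_certs():
    """(compliant, legacy): the legacy one has the server-only, non-CA shape that is rejected from patch 13."""
    compliant = _self_signed(_key_usage(digital_signature=True, key_encipherment=True, key_cert_sign=True),
                             [ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.SERVER_AUTH], ca=True)
    legacy = _self_signed(_key_usage(digital_signature=True, key_encipherment=True),
                          [ExtendedKeyUsageOID.SERVER_AUTH], ca=False)
    return compliant, legacy


if __name__ == "__main__":
    for label, cert in zip(("compliant", "legacy"), build_sample_certs()):
        print(label, check_pxgrid_cert(cert) or "OK")
```

Run check_pem over every pxGrid client certificate as well as the node's own, because the text notes that a client with a non-compliant certificate also fails to integrate; the self-signed checks only fire when issuer and subject match, so CA-issued certificates are judged on Key Usage and Extended Key Usage alone.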
Machine Authorization Fails
After applying patch 12, authorizations fail for machine authentication using EAP-TLS, PEAP(EAP-TLS), and EAP-FAST(EAP-TLS). Cisco ISE is unable to retrieve machine account attributes and group memberships from Active Directory.
IP-SGT Bindings Are Not Propagated Under Certain Conditions
Under the following conditions, IP-SGT mappings are not propagated to ACI. On the ISE administrator's console, navigate to Work Centers > TrustSec > Components:
- Create a security group, but don't check Propagate to ACI.
- Create an IP-SGT binding with the previously created security group. It may be a static, session, or SXP binding.
- On the security group, click Propagate to ACI.
- Click Save.
- The security group syncs to ACI, but the IP-SGT binding that is mapped to the security group does not.
Workaround
Either:
- Restart the ACI propagation in ISE and recreate the IP-SGT mappings:
  - On Work Centers > TrustSec > Settings > ACI Settings, uncheck "TrustSec-ACI Policy Element Exchange", and save.
  - Check TrustSec-ACI Policy Element Exchange, and save.
  - The connection between Cisco ISE and ACI is reestablished.
- Delete the old IP-SGT bindings, and recreate them while Propagate to ACI is checked.
Note: The connection between ACI and ISE reauthenticates every 24 hours, which also fixes this problem.
SXP Protocol Security Standards
For more information, see https://tools.ietf.org/html/draft-smith-kandula-sxp-06.
Patch Build Download Using Chrome Browser
Radius Logs for Authentication
Details of an authentication event can be viewed in the Details field of the Radius Authentications window. The details of an authentication event are available only for 7 days, after which no data on the authentication event will be visible. All the authentication log data will be removed when a purge is triggered.
Profiler RADIUS Probe
High Memory Utilization
For more information, see CSCvn07836.
Diffie-Hellman Minimum Key Length
For more information, see CSCvi76985.
ECDSA Certificates
Note: Apple iOS is not supported if you use ECDSA as a system certificate. ECDSA certificates are supported only for Android 6.x and Android 7.x.
Cisco Temporal Agent
We recommend that you run the Cisco Temporal Agent within two minutes of downloading the agent from the Client Provisioning Portal. Otherwise, the Posture Failed Due to Server Issues error message is displayed.
Mobile Service Engine (MSE) Devices
When adding an MSE device to Cisco ISE, you must copy the certificates from the MSE device over to ISE to facilitate authorization. ISE does not receive these certificates directly from the MSE device.
Re-create Supplicant Provisioning Wizard References
Endpoint Protection Services API
As of Cisco ISE 1.4, ANC replaces Endpoint Protection Services. ANC provides additional classifications and performance improvements. There are new APIs for ANC in the Cisco ISE SDK. While the ERS APIs might still work, we strongly recommend that you move to ANC.
Server IP update under Trustsec AAA Server list
When the IP address of the Cisco ISE instance is changed via the CLI, Cisco ISE restarts its services. Once the services are up, you must update the IP address of the TrustSec AAA server in the TrustSec AAA Server list.
Upgrade Information
Applying Patches to Release 2.4
To obtain the patch file for Cisco ISE, Release 2.4, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
For instructions on how to apply the patch to your system, see the "Installing a Software Patch" section in the Cisco Identity Services Engine Administrator Guide, Release 2.4.
For instructions to install a patch using CLI, see the "Install Patch" section in the Cisco Identity Services Engine CLI Reference Guide, Release 2.4.
Note: When installing 2.4 Patch 4 and later, CLI services are temporarily unavailable during the kernel upgrade. If the CLI is accessed during this time, it shows the following error: "Stub Library could not be opened". Once patch installation is complete, CLI services are available again.
Patches are cumulative such that any patch version also includes all fixes delivered in the preceding patch versions. Cisco ISE version 2.4.0.357 was the initial version of the Cisco ISE 2.4 release. After installation of the patch, you can see the version information from Settings > About Identity Services Engine page in the Cisco ISE GUI and from the CLI in the following format “2.4.0.357 patch N”; where N is the patch number.
Note: Within the bug database, issues resolved in a patch have a version number with a different nomenclature, in the format "2.4(0.9NN)", where NN is the patch number displayed as two digits. For example, version "2.4.0.298 patch 1" corresponds to version "2.4(0.901)" in the bug database.
Note: We recommend that you clear your browser cache after you install a patch on Cisco ISE, Release 2.4.
Upgrading to Release 2.4
You can directly upgrade to Release 2.4 from the following Cisco ISE releases:
- 2.0
- 2.0.1
- 2.1
- 2.2
- 2.3
Information about the upgrade packages and the platforms they support is available at Cisco ISE Software Download.
If you are on a version earlier than Cisco ISE, Release 2.0, you must first upgrade to one of the releases listed above and then upgrade to Release 2.4.
Note: We recommend that you upgrade to the latest patch of your existing version before upgrading to the next version of Cisco ISE.
You can upgrade to Release 2.4 from the GUI or the CLI. See the Cisco Identity Services Engine Upgrade Guide, Release 2.4.
Verify Operating System of Virtual Machines
ISE Release 2.4 runs on Red Hat Enterprise Linux (RHEL) 7.0. If you are upgrading Cisco ISE nodes on a VMware VM, after you upgrade, ensure that you change the guest operating system to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the guest operating system to RHEL 7, and power on the VM after the change.
External RADIUS Token Server Timeout
The maximum External RADIUS Token Server Timeout has changed from 120 seconds to 60 seconds. Upgrading to this release changes the existing setting if it is more than 60 seconds.
License Changes
Device Administration Licenses
There are two types of device administration licenses: cluster and node. A cluster license allows you to use device administration on all policy service nodes in a Cisco ISE cluster. A node license allows you to use device administration on a single policy service node. In a high-availability standalone deployment, a node license permits you to use device administration on a single node in the high availability pair.
The device administration license key is registered against the primary and secondary policy administration nodes. All policy service nodes in the cluster consume device administration licenses, as required, until the license count is reached.
Cluster licenses were introduced with the release of device administration in Cisco ISE 2.0, and are enforced in Cisco ISE 2.0 and later releases. Node licenses were released later, and are only partially enforced in releases 2.0 to 2.3. Starting with Cisco ISE 2.4, node licenses are completely enforced on a per-node basis.
Cluster licenses have been discontinued, and now only node licenses are available for sale.
However, if you are upgrading to this release with a valid cluster license, you can continue to use your existing license upon upgrade.
The evaluation license allows device administration on one policy service node.
Licenses for Virtual Machine nodes
Cisco ISE is also sold as a virtual machine (VM). For this Release, we recommend that you install appropriate VM licenses for the VM nodes in your deployment. Install the VM licenses based on the number of VM nodes and each VM node's resources, such as CPU and memory. Otherwise, you will receive warnings and notifications to procure and install the VM license keys. However, the installation process will not be interrupted. From Cisco ISE, Release 2.4, you can manage your VM licenses from the GUI.
VM licenses are offered under three categories—Small, Medium, and Large. For instance, if you are using a 3595-equivalent VM node with eight cores and 64-GB RAM, you might need a Medium category VM license if you want to replicate the same capabilities on the VM. You can install multiple VM licenses based on the number of VMs and their resources as per your deployment requirements.
VM licenses are infrastructure licenses. Therefore, you can install VM licenses irrespective of the endpoint licenses available in your deployment. You can install a VM license even if you have not installed any Evaluation, Base, Plus, or Apex license in your deployment. However, in order to use the features that are enabled by the Base, Plus, or Apex licenses, you must install the appropriate licenses.
After installing or upgrading, if there is any mismatch between the number of deployed VM nodes and installed VM licenses, alarms are displayed in the Alarms dashlet every 14 days. Alarms are also displayed if there are any changes in a VM node's resources, or whenever a VM node is registered or deregistered.
VM licenses are perpetual licenses. VM licensing changes are displayed every time you log in to the Cisco ISE GUI, until you check the Do not show this message again check box in the notification pop-up window.
If you have not purchased a Cisco ISE VM license before, see the Cisco Identity Services Engine Ordering Guide to choose the appropriate VM license. If you have Cisco ISE VM licenses with no associated Product Authorization Keys (PAK), contact the Cisco licensing team with the Sales Order numbers of your Cisco ISE VM purchases. Your request will be processed to provide one medium VM license key for each ISE VM purchase made.
For assistance with licensing issues of lower severity levels, open a case online through the Support Case Manager, at http://cs.co/scmswl.
For Cisco TAC assistance with critical issues, refer to the contact information provided at http://cs.co/TAC-worldwide.
For details about VM compatibility with your Cisco ISE version, see the "Hardware and Virtual Appliance Requirements" chapter in the Cisco Identity Services Engine Installation Guide for the applicable release.
For more information about the licenses, see the "Cisco ISE Licenses" chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.4.
Upgrade Procedure Prerequisites
- Run the Upgrade Readiness Tool (URT) before the upgrade to check whether the configured data can be upgraded to the required Cisco ISE version. Most upgrade failures occur because of data upgrade issues. The URT validates the data before the actual upgrade and reports the issues, if any. The URT can be downloaded from the Cisco ISE Download Software Center.
- We recommend that you install all the relevant patches before beginning the upgrade.
For more information, see the Cisco Identity Services Engine Upgrade Guide.
Telemetry
After installation, when you log in to the Admin portal for the first time, the Cisco ISE Telemetry banner is displayed. Using this feature, Cisco ISE securely collects nonsensitive information about your deployment, network access devices, profiler, and other services that you are using. This data is used to provide better services and more features in forthcoming releases. By default, telemetry is enabled. To disable it or modify the account information, choose Administration > Settings > Network Settings Diagnostics > Telemetry. The account is unique to each deployment; individual admin users do not need to provide it separately.
Telemetry provides valuable information about the status and capabilities of Cisco ISE. Cisco uses telemetry to improve appliance lifecycle management for IT teams that have deployed Cisco ISE. Collecting this data helps the product teams serve customers better. This data and related insights enable Cisco to proactively identify potential issues, improve services and support, facilitate discussions to gather additional value from new and existing features, and assist IT teams with inventory reports of license entitlements and upcoming renewals.
It may take up to 24 hours after the Telemetry feature is disabled for Cisco ISE to stop sharing telemetry data. Starting with patch 12, telemetry is disabled immediately.
Cisco ISE Live Update Portals
Cisco ISE Live Update portals help you automatically download the Supplicant Provisioning wizard, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals are configured in Cisco ISE during the initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the corresponding device using Cisco ISE.
If the default Update portal URL is not reachable and your network requires a proxy server, configure the proxy settings. Choose Administration > System > Settings > Proxy before you access the Live Update portals. If proxy settings allow access to the profiler, posture, and client-provisioning feeds, access to a Mobile Device Management (MDM) server is blocked because Cisco ISE cannot bypass the proxy services for MDM communication. To resolve this, you can configure the proxy services to allow communication to the MDM servers. For more information on proxy settings, see the "Specify Proxy Settings in Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide, Release 2.4.
Client Provisioning and Posture Live Update Portals
You can download Client Provisioning resources from:
The following software elements are available at this URL:
- Supplicant Provisioning wizards for Windows and Mac OS X native supplicants
- Windows versions of the latest Cisco ISE persistent and temporal agents
- Mac OS X versions of the latest Cisco ISE persistent agents
- ActiveX and Java Applet installer helpers
- AV/AS compliance module files
For more information on automatically downloading the software packages that are available at the Client Provisioning Update portal to Cisco ISE, see the "Download Client Provisioning Resources Automatically" section in the "Configure Client Provisioning" chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.4.
You can download Posture updates from:
The following software elements are available at this URL:
- Cisco-predefined checks and rules
- Windows and Mac OS X AV/AS support charts
- Cisco ISE operating system support
For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the "Download Posture Updates Automatically" section in the Cisco Identity Services Engine Administrator Guide, Release 2.4.
If you do not want to enable the automatic download capabilities, you can choose to download updates offline.
Cisco ISE Offline Updates
The offline update option allows you to download client provisioning and posture updates when direct internet access to Cisco.com from a device using Cisco ISE is not available or is not permitted by a security policy.
To download offline client provisioning resources:
Procedure
Step 1 | Go to https://software.cisco.com/download/home/283801620/type/283802505/release/2.4.0.
Step 2 | Provide your login credentials.
Step 3 | Navigate to the Cisco Identity Services Engine download window, and select the release. The following Offline Installation Packages are available for download:
Step 4 | Click either Download or Add to Cart.
For more information on adding the downloaded installation packages to Cisco ISE, see the "Add Client Provisioning Resources from a Local Machine" section in the Cisco Identity Services Engine Administrator Guide.
You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Mac operating systems offline from an archive in your local system, using posture updates.
For offline updates, ensure that the versions of the archive files match the versions in the configuration file. Use offline posture updates after you configure Cisco ISE and want to enable dynamic updates for the posture policy service.
To download offline posture updates:
Procedure
Step 1 | Go to https://www.cisco.com/web/secure/spa/posture-offline.html.
Step 2 | Save the posture-offline.zip file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Mac operating systems.
Step 3 | Launch the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture.
Step 4 | Click the arrow to view the settings for posture.
Step 5 | Click Updates. The Posture Updates window is displayed.
Step 6 | Click the Offline option.
Step 7 | Click Browse to locate the archive file (posture-offline.zip) in the local folder on your system.
Step 8 | Click Update Now.
Configuration Prerequisites
- The relevant Cisco ISE license fees should be paid.
- The latest patches should be installed.
- Cisco ISE software capabilities should be active.
Monitoring and Troubleshooting
For information on monitoring and troubleshooting the system, see the "Monitoring and Troubleshooting Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.
Ordering Information
For detailed Cisco ISE ordering and licensing information, see the Cisco Identity Services Engine Ordering Guide.
Cisco ISE Integration with Cisco Catalyst Center
Cisco ISE can integrate with Cisco Catalyst Center. For information about configuring Cisco ISE to work with Catalyst Center, see the Cisco Catalyst Center documentation.
For information about Cisco ISE compatibility with Catalyst Center, see the Cisco SD-Access Compatibility Matrix.
Migration Information
For information on migrating from ACS to ISE, see the Cisco Identity Services Engine Migration Tool Guide.
Caveats
This section describes open severity 1 and 2 caveats and select severity 3 caveats. The “Open Caveats” sections list open caveats that apply to the current release and may apply to previous releases. A caveat that is open for a prior release and is still unresolved applies to all future releases until it is resolved. The bug IDs are sorted alphanumerically. The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, you must use the Bug Search Tool.
Cisco Bug Search Tool (BST), the online successor to Bug Toolkit, is designed to improve effectiveness in network risk management and device troubleshooting. You can search for bugs based on product, release, and keyword. For more details on the tool, see the help page located at http://www.cisco.com/web/applicat/cbsshelp/help.html.
New Features in Cisco ISE Release 2.4.0.357 - Cumulative Patch 14
Health Check
An on-demand health check option is introduced to diagnose all the nodes in your deployment. Running a health check on all the nodes before any operation helps identify critical issues, if any, that may cause downtime or blockers. Health Check reports the working status of all the dependent components. When a component fails, it immediately provides troubleshooting recommendations to resolve the issue so that the operation can proceed.
Ensure that you run Health Check before initiating the upgrade process.
Business Outcome: Identify critical issues to avoid downtime or blockers.
DNS Cache
DNS requests for hosts can be cached, reducing the load on the DNS server.
This feature can be enabled in the configuration mode using the following command:
service cache enable hosts ttl ttl
To disable this feature, use the no form of this command.
no service cache enable hosts ttl ttl
The admin chooses the Time to Live (TTL) value, in seconds, for a host in the cache while enabling the cache. There is no default ttl; the valid range is 1 to 2147483647.
Note: The configured TTL value is honored for negative responses. The TTL value set by the DNS server is honored for positive responses; if the DNS server defines no TTL, the TTL configured with the command is honored. The cache can be invalidated by disabling the feature.
Business Outcome: Load on DNS Server is reduced.
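The TTL rules above, modelled as an added example that is not Cisco's implementation: the resolver interface, the time source and the sample DNS answers are constructed for illustration, and the query counter shows how many lookups actually reach the DNS server under each rule.

```python
"""Model of the host DNS cache TTL rules from the release note.

Added example, not Cisco's implementation. Only the stated rules are
modelled: positive answers keep the TTL returned by the DNS server, or the
configured TTL when the server returns none; negative answers keep the
configured TTL; disabling the feature invalidates the cache.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed resolver interface: returns (addresses, server_ttl). An empty
# address list is a negative answer; server_ttl is None when the answer
# carries no TTL.
Resolver = Callable[[str], Tuple[List[str], Optional[int]]]

# Constructed sample answers standing in for a real DNS server.
SAMPLE_ANSWERS: Dict[str, Tuple[List[str], Optional[int]]] = {
    "syslog.example.test": (["192.0.2.10"], 300),   # server supplies a TTL
    "nad.example.test": (["192.0.2.20"], None),     # no TTL from the server
    "missing.example.test": ([], None),             # negative answer
}


def sample_resolver(host: str) -> Tuple[List[str], Optional[int]]:
    """Stand-in for the upstream DNS server (constructed data)."""
    return SAMPLE_ANSWERS[host]


@dataclass
class CacheEntry:
    addresses: List[str]
    expires_at: float


@dataclass
class HostCache:
    """'service cache enable hosts ttl <ttl>' corresponds to HostCache(ttl);
    'no service cache enable hosts ttl <ttl>' corresponds to disable()."""
    ttl: int                       # configured TTL in seconds
    enabled: bool = True
    entries: Dict[str, CacheEntry] = field(default_factory=dict)
    upstream_queries: int = 0      # lookups that actually reached the server

    def __post_init__(self) -> None:
        # Valid range stated in the release note.
        if not 1 <= self.ttl <= 2147483647:
            raise ValueError("ttl must be between 1 and 2147483647")

    def disable(self) -> None:
        """Disabling the feature invalidates every cached entry."""
        self.enabled = False
        self.entries.clear()

    def resolve(self, host: str, resolver: Resolver, now: float) -> List[str]:
        """Answer from the cache while the entry is fresh, else query upstream."""
        if self.enabled:
            entry = self.entries.get(host)
            if entry is not None and now < entry.expires_at:
                return list(entry.addresses)
        self.upstream_queries += 1
        addresses, server_ttl = resolver(host)
        if self.enabled:
            if addresses:
                # Positive answer: the server TTL is honored; the configured
                # TTL applies only when the server defined none.
                lifetime = server_ttl if server_ttl is not None else self.ttl
            else:
                # Negative answer: the configured TTL is honored.
                lifetime = self.ttl
            self.entries[host] = CacheEntry(list(addresses), now + lifetime)
        return list(addresses)
```

Note that a negative answer caused by a transient upstream failure stays cached for the full configured TTL, which is worth keeping in mind when choosing a large value.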
Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 14
The following table lists the resolved caveats in Release 2.4 cumulative patch 14.
Patch 14 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.0.53 or later.
Caveat ID Number | Description
---|---
 | ERS Update/Create for "Authorization Profile" failing the XML Schema Validation.
 | nas-update=true accounting attribute will cause session to not be deleted.
 | PxGrid certificate generation failing post rollback of patch containing nssdb format related changes.
 | Guest remember me radius accounting and access accept not sending guest username.
 | ISC BIND krb5-subdomain and ms-subdomain Update Policies Vulnerability.
 | Unable to use "connect-info" dictionary by default in Authorization Condition.
 | ISE Repository Password is accepted in GUI but not CLI.
 | Active endpoints missing from MNT session directory during 2.7 Longevity.
 | GNU Wget Buffer Overflow Vulnerability.
 | Application server stuck in Initializing due to corrupted indexes.
 | ISE 2.4 SNMPv3 user added with wrong hash after reload causing SNMPv3 authentication failure.
 | Incorrect DNS config can lead to TACACS or Radius authentication failure.
 | ISE False alarm - Health status unavailable.
 | Show running-config fails to complete.
 | glibc is affected by multiple vulnerabilities: CVE-2018-11236, CVE-2018-11237, CVE-2018-6485 and CVE-2017-16997.
 | Evaluate 32-bit glibc effected by RHSA-2018:0805 vulnerabilities.
 | cURL and libcurl tftp_receive_packet() Function Heap Buffer Overflow Vulnerabilities CVSS v3.1 Base: 9.8
 | ISE 2.7 BETA: Username field in Self-Registration Portal Configuration is not saved.
 | cURL and libcurl tftp_receive_packet() Function Heap Buffer Overflow vulnerabilities.
 | libssh2 packet.c Integer Overflow Vulnerability CVSS v3.1 Base: 8.1
 | EgressMatrixCell Allows Duplicate Creation Through ERS Call
 | ISE 2.4 p5 crashes continuously around midnight, generating core files.
 | Error message to be corrected in Trusted certificate page
 | Update CiscoSSL to fix CSCvg56800 - Evaluation of ISE vulnerability nginx Oct 2017.
 | Multiple Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities.
 | X.Org libX11 Client Segmentation Fault Denial of Service Vulnerability.
 | X.Org libX11 Off-by-One Memory Write Arbitrary Code Execution Vulnerability.
 | pxGrid 2.0 WebSocket ping pong too slow even on idled standalone
 | Certificate Authority Service initializing EST Service not running after upgrade to ISE 2.6/2.7
 | Multiple Vulnerabilities found in python.
 | ISE: runtime-aaa debugs do not print packet details in ascii; breaking Endpoint debugs.
 | SSLDUMP() logs printed on Showtech via Audit logs causing showtech file to grow extensively.
 | Application Server takes more time to initialize
 | Description using two lines, or <Enter> was used, under Client provisioning resources throws errorA
 | ISE Server-side authorisation checks are insufficient
 | Heavy delay observed in sxp mappings when 50k acc packets with single SGT and VN are sent.
 | CPU spikes are being observed at policy HitCountCollector.
 | Dure to rotation of diagnostics, log is not working on ISE
 | Suspected memory leak in io.netty.buffer.PoolChunk.
 | TC-NAC adapter stopped scanning with nexpose (insiteVM).
 | ISE with DUO as External Radius Proxy drops access-reject.
 | CIAM: batik 1.7
 | CIAM: cups 1.6.3
 | ISE logging timestamp shows future date.
 | CIAM: libssh.
 | 2.4P11 VPN + Posture : Apex Licenses are not being consumed.
 | License out of compliance alarm with a valid license.
 | CIAM: perl 5.14.1
 | [CFD] GBAC sync breaks on deleting VN from SG if AuthZ profile is mapped to the same VN for diff SG.
 | Compress messages.x files in the system.
 | ISE 2.x, 3.x : Drop_Cache required for systems with High Memory Issues
 | ISE Authorize-Only requests are not assessed against Internal User Groups.
 | Radius secret 4 chars min requirement is not checked when REST API used to create NAD
 | ERS REST API returns duplicate values multiple times when they are filtered by locations.
 | Update "master guest report" to "primary guest report" everywhere in the ISE UI + code.
 | Update "master/slave" terms to "primary/subordinate" in "show interface" command.
 | SessionDB columns are missing from ISE (>=2.4)
 | Alarm Suppression required for ERS queries along with suppression on iselocalstore.log
 | Cisco Identity Services Engine Cross-Site Scripting Vulnerability
 | ISE allows duplicates device ID in ERS flow in all version.
 | CLDAP thread is hung and running infinite.
 | ISE Radius Live Sessions Page Showing No Data Found.
 | ISE not doing lookup for all mac addresses in mac list causing redirectless Posture to fail.
 | ISE Authentication Status API Call Duration does not work as expected.
 | ISE should either allow IP only for syslog targets or provide DNS caching.
 | ISE 2.4 Application server going to Initializing on enabling endpoint debugs.
 | Overlap of network devices using subnet and IP range.
 | App server crashes while transitioning into stopping state.
 | ISE - Unable to connect with an ODBC Identity Source - Connection Failed.
 | Log Collection Error alarms appear.
 | ISE:SEV2: Unable to restore backup of ISE 2.4 patch 12.
 | TACACS Aggregate table is not purged properly.
 | SYSAUX tablespace full despite fix for CSCvr96003.
 | Session Cache for dropped session not getting cleared; causing High CPU on the PSN's
 | ISE : Authzation profile not saved with proper attributes when Security Group selected under common tasks.
 | Max Sessions Limit is not working for Users and Groups.
 | ISE is selecting unsupported cipher in TLS Server hello packet.
 | ISE Authentication Status API Call does not return all records for the specified time range.
 | Modify TCP settings to enhance TACACS+ and TCP on ISE
 | Policy export is not being saved without encryption after it is saved with encryption.
 | BYOD Flow is broken in iOS 14 beta.
 | DNA ACA SG Sync fails with JDBCException:could not prepare statement.
 | Cannot start CSV exporting for selected user in internal ID Store.
 | Radius passed-auth live logs not sent due to invalid IPv6 Address.
 | MAC 11.x and its minor version support for ISE is not available.
 | NFS Repository is not working from GUI.
 | Evaluation of positron for Apache Struts Aug20 vulnerabilities.
 | Device admin service is getting disabled when updating TACACS configuration.
 | TrustSec enabled NADs not showing in trustSec Matrices when NDG column exceeds 255 characters.
 | ISE_EST_Local_Host RADIUS Shared Secret empty causes ISE application server intializing state.
 | Export of Current active session reports only shows sessions that has been updated since midnight.
 | Context Visibility CVS exported from CLI not showing IP Addresses.
 | Saving command with parenthesis in TACACS command set gives an error (ISE 2.7 p2).
 | Group lookup failed as empty value to be appended to the context.
 | ISE RADIUS Live Log details missing AD-Group-Names under other attributes section.
 | Authentication summary report gets stuck if the total records are more than 5M.
 | proxy bypass settings does not allow upper characters.
 | ISE - Security Group values in Authorization Profile disappear shortly after fetching.
 | Resource initialization failed (10) when failed to update User password in ISE via ERS API.
 | No password audit will be generated after changing ISE internal user password via Switch/Router CLI.
 | Unable to retrieve LDAP Groups/Subject Attributes when % chracter is used twice or more in bind password.
 | Memory Leak : High Allocation in by CAD_ValidateUser during PassiveID stress.
 | ISE Collection Filters will not be display in GUI.
 | ISE 2.6 P6/Unable to create SGT: NetworkAuthZProfile with entered name already exists.
 | Cannot configure scheduled config and operational backup with start date same as current day.
 | [CFD] ACA Sync broken - "Error occurs during migration: Waiting for Sync Runtime timed out"
 | ISE admin/portal Login with Chrome 85/86 could show error "Oops. Something went wrong."
 | Memory leak after adding AD Groups for passiv-id flow.
 | USID is found different when user login with Email/Userid when Ldap store is configured.
 | Posture does not work with dynamic redirection on 3rd party NADs.
 | Not Throwing error for ip overlap case.
 | Upgrade license check should check ISE DB for smart license registration.
 | Authorization Profiles showing "No data available" after NAD profile deleted.
 | Cisco Identity Services engine untrusted file upload vulnerability.
 | Passive ID is not working stable with multi-connect syslog clients.
 | NADs shared secrets are visible in the logs while using APIs.
 | ISE Service Account Locked and WMI not established due to special characters in password.
 | Multiple Vulnerabilities in jackson-databind.
 | XML external entity (XXE) vulnerability in the SqlXmlUtil code in Application.
 | XStream earlier to version 1.4.15 affected with multiple vulnerabilities.
 | In js/parts/SvgRenderer.js in Highcharts JS before 6.1.0, the use of backtracking regular expressions permitted an attacker.
 | Multiple Vulnerabilities in c3p0.
 | ISE 2.4 nf_conntrack_udp_timeout value is not updating from sysctl.conf
 | ISE Policy Evaluation : RADIUS requests dropped after deleting policy sets.
 | CIAM found mariadb vulnerable.
 | ISE incorrect number for the TOTAL field.
 | ISE: NTP service does not work after changing the hostname of ISE
 | Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.
 | ISE conditions Library corruption during Pen test.
 | CWE-20: Improper Input Validation for Create Node Group.
 | Cisco Identity Services Engine sensitive information disclosure vulnerabilities.
 | ISE 2.6/2.7 Sorting based on username does not work in User Identity Groups.
 | Cisco Identity Services Engine sensitive information disclosure vulnerabilities.
 | Cisco Identity Services Engine sensitive information disclosure vulnerabilities.
 | Cisco Identity Services Engine sensitive information disclosure vulnerabilities.
 | ISE 2.4 p13 break AD Authorization lookup for MAB authenticated endpoints.
 | MAB authentication via active directory passes with AD object disabled.
 | Cisco Identity Services Engine sensitive information disclosure vulnerabilities.
 | ISE 2.4 patch 8 Unable to edit,duplicate or delete guest portals.
 | iPod not shown as an option in ISE BYOD portal.
 | Health Checks:DNS Resolvability: False failures with ISE FQDN as CNAME (alias).
 | Health Checks:Disk space: insufficient failure info.
 | Add IdenTrust Commercial Root CA 1 Certificate to ISE truststore.
 | ISE Health Check Platform Support should update UI directly with results.
 | SGA value Under-Provisioned for SNS3515 running all personas on same node.
 | Add IdenTrust Commercial Root CA 1 Certificate for Smart Call Home and Smart Licensing.
 | Services not running after upgrade to 2.7
Known Limitations in Cisco ISE 2.4.0.357 Patch 14
Change in SNMP User Password Format and SNMP Hash Minimum Length
After you apply Cisco ISE 2.4 Patch 14, the SNMP user configuration might be removed because of the change in the SNMP user password format. SNMP user passwords are now displayed in hash format. You must reconfigure the SNMP user settings.
An SNMP hash of fewer than 80 characters does not work, and you see the following error:
snmp-server user FT10 v3 hash fe7c35f09ff1238e369968a0be273f22 fe7c35f09ff1238e369968a0be273f22
% Error: Decryption Failed. Could not add SNMP User
Special Characters Usage Limitations in Name and Description Fields
- The following special characters cannot be used in the Description field for TACACS+ profiles and Device Administration Network conditions: [%\<>*^:"|',=/()$.@;&-!#{}.?]. Supported characters are: alphanumeric, underscore (_), and space.
- The following special characters cannot be used in the Name and Description fields for Authorization Profiles: %\<>*^:\"|',=. Supported characters for the Name and Description fields are: alphanumeric, hyphen (-), dot (.), underscore (_), and space.
- The following special characters cannot be used in the Name and Description fields for Time and Date conditions: [%\#$&()~+*@{}!/?;:',=^`]"<>". Supported characters for the Name and Description fields are: alphanumeric, hyphen (-), dot (.), underscore (_), and space.
Open Caveats in Cisco ISE Release 2.4 - Cumulative Patch 14
Caveat ID Number | Description
---|---
 | PAN login page times out after entering the credentials
 | Posture and BYOD flows impacted after patch installation
 | Disabled PSN persona but TACACS port 49 still open
Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 13
The following table lists the resolved caveats in Release 2.4 cumulative patch 13.
Patch 13 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.0.53 or later.
Caveat ID Number | Description
---|---
 | No AD domain attributes retrieved for RA-VPN/CWA if AD used for both authC and authZ
 | CSCvi62805 ISE ODBC does not convert the mac address as per configured stored procedure
 | Matched Authentication rules in Monitor Only mode not showing in live log details page
 | MNT node not purging data diligently before hitting 90% purge data disk utilization
 | Improper format for email alerts containing the space character in the Suggested Actions section
 | Logwatch files are not capped for size
 | AnyConnect displays Cisco NAC agent error when using Cisco temporal agent
 | libssh2 SSH_MSG_CHANNEL_REQUEST Packet Handling Out-of-Bounds Read V ...
 | Change in External admin permissions are not getting reflected in other nodes in deployment.
 | ISE Secondary PAN node sending RST to other ISE node with src ip address 169.254.2.2
 | ISE TACACS livelogs does not have the option to filter using specific NAS ip address.
 | GnuPG Filename Status Message Spoofing Vulnerability
 | Disabled PSN persona but TACACS port 49 still open.
 | Replication failed alarm generated and ORA-00001 exceptions seen on ise-psc.log
 | GNU patch OS Shell Command Injection Vulnerability
 | FasterXML jackson-databind logback-core Class Polymorphic Deserializ ...
 | Multiple Vulnerabilities in jquery - guest portals
 | EAP Chaining: Dynamic Attribute value is unavailable
 | GNU patch do_ed_script OS Shell Command Execution Vulnerability
 | Apache Commons Beanutils PropertyUtilsBean Class Property Suppression Vulnerability
 | ISE Application configure ise > 16 (Generate Endpoints Report) returns a long list of errors
 | FasterXML jackson-databind Polymorphic Typing Vulnerability CVSS v3.1 Base: 9.8
 | Apache Commons Compress File Name Encoding Algorithm DoS Vulnerability CVSS v3.0 Base: 7.5
 | 2.4P10 Endpoint added via REST has visible policy assignment only in "edit" mode
 | libmspack chmd_read_headers Function Denial of Service Vulnerability
 | Failing Network Devices CSV import, process silently aborting without reason
 | Add the capability to filter out failed COA due to MAR cache checks among group nodes in ISE
 | Service account passwords returned from server in SMS and LDAP page
 | Cisco Identity Services Engine Cross-Site Scripting Vulnerability
 | ISE 2.4: Administrator Login Report, Auth failed when using cert based admin auth
 | collector log filled with repeated pxGrid and DNAC messages
 | Authz Profiles not pulling properly using REST API (Pagination is missing)
 | ISE 2.2+ affected with memory leak. Everyday 1-2% increase in native memory by PORT_Alloc_Util()
 | Unable to do portal customization for "certificate provisioning portal"
 | API is not retrieving the data when interim-updates are not stored DB
 | Multiple Vulnerabilities in binutils
 | Multiple Vulnerabilities in patch
 | Multiple Vulnerabilities in python
 | Multiple Vulnerabilities in sudo
 | Vulnerability in unzip package - RHEL 7
 | CEPM schema stats not collected/scheduled for PAN only node
 | .dmp files not deleted from /opt/oracle/base/admin/cpm10/dpdump even after the reset-config on ISE
 | ISE expired TACACS sessions are not cleared in a timely manner from session cache
 | Change "View" Options Wording in TrustSec Policy Matrix--ISE
 | POST getBackupRestoreStatus occures on every ISE page after navigating to Backup/Restore menu
 | "AD-Operating-System" attribute is not being fetched when this OS attribute changes on the AD Server
 | pxGrid 2.0 WebSocket distributed upstream connect issue
 | TCPDump - Node and Interface field Unavailable
 | Preventive bug :Radius Errors/Misconfigured supplicants tables do not exist after upgrade to ISE2.6
 | GUI Slowness while enabling AVC
 | ISE 2.4 p 10 email notification stops
 | ISE latency in responding to RADIUS and high CPU
 | EP lookup takes more time causing high latency for guest flow
 | ISE 2.6 MDM flow fails if redirect value is present in the URL
 | ISE: If min pwd length is increased then exisiting shorter pwd fails to login via GUI with no error
 | MNT node election process is not properly designed.
 | Multiple Node.js vulnerabilities
 | Backups failing due to disk space issue not purged ENDPOINTS_REJECT_RELEASE table
 | Unavailability to edit saved compound conditions using conditions library.
 | Syslog Target configured with FQDN can cause Network Outage
 | Multiple Vulnerabilities in rabbitmq
 | SMS over HTTPS is not sending username/password to gateway
 | Authentication Status API call on ISE 2.6p5 returns blank output
 | Intermittent password rule error for REST API Update Operation
 | ISE ERS API - GET calls on network devices is slow while processing SNMP configuration
 | ISE-2.x \|\| MNT REST API for ReAuth fails when using in distributed deployment
 | ISE 2.6 Redundant "Application patch install has completed successfully" Alarm
 | Application server may crash when MAR cache replication is enabled
 | pxGrid unable to delete user in INIT state
 | Alarm Dashlet shows 'No Data Found'.
 | Mismatched Information between CLI export and Context Visibility
 | Cannot select 45 or more products when creating Anti-Malware Condition for definition
 | No debug log for non working MNT widgets
 | ISE DACL Syntax check not detecting IPv4 format errors
 | ISE RADIUS Accounting Report details shows "No data found" under Accounting Details
 | ise-psc.log filled up with "check TTConnection is valid" causing relevant logs to roll over
 | suspected memory leak in io.netty.buffer.PoolChunk
 | ISE is not allowing to disable Radius in NAD via API
 | Mandatory values when using Update-By-Name method with Internal Users
 | ISE : Oracle process reached limit : causing multiple issues
 | ISE is returning an incorrect version for the rest API call from DNAC
 | portal page customisation changes are not reflecting in certificate provisioning portal
 | ERS SGT create is not permitted after moving from Multiple matrix to Single matrix
 | NDG added through ERS became associated with all network devices in DB
 | When running ISR ERS API for internaluser update the existing identityGroups value is set to null
 | ISE 2.4 p6 - REST API MnT query to get device by MAC address taking more than 2 seconds
 | code for securityGroupAclTopic missing from 2.4 and 2.6, but topic still advertised
 | Shared email for AD users fail to retrieve groups,ISE shows multiple account found in forest
 | Session API for MAC Address returning Char 0x0 out of allowed range
 | ISE - Rollback stuck indefinitely attempting to rollback from Patch 12
 | Machine authentication via EAP-TLS is failing during authorization flow with user not found error
 | Devices configured SNMP v2c version on DNAC is not seen on Network devices in ISE
 | InternalUser Attributes in ATZ policy will fail TACACS+ ASCII Authentication
 | Restore of Config backup on ISE 2.6 P7 is causing issues with node registration
 | Significant memory increase in PMNT node of longevity test
 | Suspected Memory Leak in Elastic search
New Features in Cisco ISE Release 2.4.0.357 - Cumulative Patch 12
Telemetry
Through the Telemetry feature, Cisco ISE securely collects nonsensitive information about your deployment, network access devices, profiler, and other services that you are using. This data is used to provide better services and more features in forthcoming releases. By default, telemetry is enabled. To disable it or modify the account information, choose Administration > Settings > Network Success Diagnostics > Telemetry. The account is unique to each deployment; individual admin users do not need to provide it separately.
Telemetry is used to improve appliance lifecycle management for IT teams that have deployed Cisco ISE. Collecting this data helps the product teams serve customers better. This data and related insights enable Cisco to proactively identify potential issues, improve services and support, facilitate discussions to gather additional value from new and existing features, and assist IT teams with inventory reports of license entitlements and upcoming renewals.
Note: Cisco ISE 2.4 Patch 12 and later do not send Telemetry data to Security Service Exchange (SSE) and Smart Call Home (SCH).
Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 12
The following table lists the resolved caveats in Release 2.4 cumulative patch 12.
Patch 12 might not work with older versions of the Supplicant Provisioning Wizard (SPW). macOS users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.0.53 or later.
| Caveat ID Number | Description |
|---|---|
| | ISE RBAC Network Device Type/Location View not working |
| | Missing NAD info in Alarm "Unknown SGT was provisioned" |
| | MnT API does not support special characters |
| | Enhance error message when performing command authz with no command set |
| | ISE - DHCP Scope responding with 1 day lease instead of 15 seconds |
| | ISE sends CoA to active-compliant sessions when a node-group member is unreachable |
| | Supported server ciphers for TLSv1.2 need 2048-bit option |
| | Multiple Vulnerabilities in procps-ng |
| | Error Deploying IP SGT static Mapping on ISE |
| | ISE 2.3 RSA SecurID authentication fails |
| | 36xx SNMP sysObjectID shows 3315 |
| | Evaluation of positron for CVE-2018-5391 (FragmentSmack) |
| | Remove ciphers with Diffie-Hellman moduli size less than or equal to 1024 bits for SSL connections |
| | ISE Crashes during policy evaluation for AD attributes |
| | Error occurred in publishing threat events - AMP adapters |
| | Multiple Vulnerabilities in krb5 |
| | ISE 2.4 URT fails with cert error |
| | Cisco Smart Licensing cloud agent in waiting state causes GUI login delay in ISE 2.2 |
| | ISE 2.4 High CPU utilization on Secondary Admin Node |
| | IETF Dictionary Attribute Ascend-Client-Primary-DNS broken after upgrade |
| | RADIUS session detail reports are broken if Calling-Station-ID contains CLIENTVPN |
| | ISE PSN node crashing while fetching context attributes during posture plus RADIUS flow |
| | Evaluation of positron for TCP_SACK |
| | Unable to update the "Send configuration changes to device" attribute using a CSV file |
| | ISE Guest portal fails to parse HTTP request with two question marks |
| | My Devices Portal does not show a device after BYOD on-boarding with SAML authentication |
| | Evaluation of ISE for CVE-2018-20685 |
| | ISE ERS SDK NetworkDeviceGroup DELETE does not specify ID location |
| | Partitions are not clearing properly for tmp |
| | systemd vulnerabilities RHEL 7 RHSA-2019:0049 |
| | kernel (RHSA-2018:3083) vulnerabilities |
| | kernel CVE-2018-14634 (RHSA-2018:2748) |
| | PassiveID live sessions are shown without enabling PassiveID functionality |
| | Blank Course of Action for Threat events received from CTA cloud to TC-NAC adapter |
| | EAP-FAST authentication fails with "no shared cipher" when private key encryption failed |
| | pxGrid Arab Bank defensive code change |
| | Local disk size needs to be increased to accommodate large core files |
| | Typo in Max Sessions Page on Counter time limit tab |
| | Unable to delete SCEP profile because it is referencing system certificates |
| | ISE IP routing precedence issue |
| | "No policy server detected" on ISE posture module during high load |
| | Config restore from one platform on another platform sets incorrect UDI in sec_hostconfig table |
| | tzdata needs to be updated in ISE guest OS |
| | ISE 2.2 patch 14 AD status shows up as "updating.." indicating the process is hung |
| | ISE: LDAP bind test does not use the correct server when defined per node |
| | ISE App crash due to user API |
| | Core file generated on PSN |
| | Valid Base and Plus licenses show out of compliance |
| | ISE fails to re-establish External syslog connection after break in connectivity |
| | NDG device references not cleaned out of ISE DB, preventing NDG deletion |
| | ERS Admin account disabled incorrectly due to password expiry |
| | API calls show different results than the GUI |
| | ISE doesn't display the correct user in RADIUS reports if the user was entered differently twice |
| | ISE 2.3 p6 LDAP test GUI flow with multiple results does not generate error observed in runtime |
| | Authorization Profile created using ERS API does not match with 'ASA VPN' field in GUI |
| | Journal logs are not compressed / rotated when system reaches SystemMaxUse (200 MB) in ISE 2.4 P10 |
| | Internal user's custom attribute fields are empty when created through ERS API |
| | ISE : TACACS : PSN crashes for TACACS+ |
| | Set max time frame to 60 mins when EndPoint default interval disabled |
| | App server and EST services crash/restart at 1:00 every morning |
| | ISE: Reset config on 2.4 patch 9 throws some errors despite finishing successfully |
| | Live log details not working and showing blank for Dynamic authorization |
| | ISE Guest creation API validation for Guest Users valid Days doesn't take time into account |
| | PassiveID: Configuring WMI with an AD account password that contains a $ will result in an error |
| | Policy engine continues to evaluate all Policy Sets even after rule is matched |
| | LDAP ID store corruption alarm - Enhancement |
| | Improve behavior against brute force password attacks |
| | Invalid root CA certificate accepted |
| | ISE 2.x Network Device stuck loading |
| | TrustSec matrix pushing stale data |
| | NAD group CSV imports should allow all supported characters in description field |
| | High load on MnT nodes with Xms value |
| | SEC_ERROR_BAD_DATABASE seen in system/app debug logs while removing a trusted CA cert |
| | Self Registered Guest portal unable to save guest type settings |
| | Unable to edit static group assignment |
| | The CRL is expired with specific condition |
| | ISE not updating SGTs correctly |
| | ISE 2.6 CA Certificate with the same CN removed from Trusted Store while integrating with DNA-C |
| | Condition disappeared from the library but is still in DB |
| | ISE allows a space to be inserted before a command under Command Sets |
| | NFS mounting causes crash |
| | Backups are not triggering with special characters for encryption key |
| | MACAddress API is not working (API/mnt/Session/MACAddress) |
| | SessionDirectory values having lower on ISE3595 |
| | Multiple EPs profiled every second causing ISE nodes to go out of sync |
| | Creating a new user in the sponsor portal shows "invalid input" |
| | Days to Expiry value marked as 0 for random authentications |
| | NAD CSV imports should allow all supported characters in the TrustSecDeviceID |
| | ISE Admin User Unable To Change The Group For Internal Users |
| | TACACS profile not retrieved properly using REST API |
| | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability |
| | After importing network device / groups, unable to add new Location |
| | ISE 2.2+ affected by memory leak: 1-2% daily increase in native memory due to Inflater() |
| | Days duration is not getting updated in portal page customization for self registration portal |
| | Errors when SG created with an underscore (_) is sent from DNAC |
| | ISE 2.6 - Cannot enable FIPS if Default Device Admin has been modified |
| | ISE 2.4p9 Intermediate CA cert not installed when configuring SCEP RA |
| | ISE crashes due to empty string instead of username in RadiusProxyFlow::stripUserName() |
| | URT fails on a ConditionsData clause from INetworkAuthZCheck |
| | SXP Bindings are not published to pxGrid 2.0 clients |
| | authenticationSettings: networkProtocol is required after ISE 2.4 patch 11 |
| | Having string 'TACACS' in AD join point causes AD join point to not show in AuthZ condition |
| | ISE 2.4 Guest ERS Call Get-By-Name fails when guest username contains @ sign (guest@example.com) |
| | ISE 2.6 Install: Input Validation - Check IP Domain Name |
| | ISE SNMP server crashes when using Hash Password |
| | Importing metadata XML file with special characters results in unsupported tags error |
| | ISE 2.4 P11 On OP Backup Restore, EPOCH_TIME column is removed |
| | 404 error upon refresh of success page of guest sponsored portal |
| | Cert Revoke and CPP not functioning without Apex license |
| | No threshold option for High disk Utilization in Alarm Settings |
| | Posture with tunnel group policy evaluation is consuming Java memory |
| | ISE should not allow ANY in egress policy when imported |
| | [ENH] Add the ability to "GET\|PUT\|DELETE by Name" using the API for network devices |
| | IP SGT static mapping import not working correctly with hostnames |
| | ISE doesn't display all device admin authz rules when there are more authz policies and exceptions |
| | Authentication goes to process fail when "Guest User" ID Store is used |
| | PERMGEN configured instead of metaspace for JDK8 |
| | When accessing the portal with iPad using Apple CNA and AUP as a link, a 400 Bad Request error is returned |
| | ISE shouldn't allow ANY SGT or value 65535 to be exposed over SGT import or export |
| | Cannot add/modify allowed values for more than 6 attributes in System Use dictionaries |
| | Identity group updates for an internal user in ISE |
| | Hostname goes missing from CARS configuration |
| | [ENH] Add the ability to "GET\|PUT\|DELETE by Name" using the API for /ers/config/internaluser |
| | Getting a blank page when clicking the new or edit icon in SMS gateway |
| | ISE still generates false positive alarm "Alarms: Patch Failure" |
| | MnT DB reset fails on 2.4 p11 |
| | SYSAUX tablespace is getting filled up with AWR and OPSSTAT data |
| | pxGrid 2.0 authorization profile attribute missing from the session directory |
Open Caveats in Cisco ISE Release 2.4 - Cumulative Patch 12
| Caveat | Description |
|---|---|
| | Machine authentications via EAP-TLS fail during the authorization flow with a "user not found" error. See the Known Limitations and Workarounds section. |
New Features in Cisco ISE Release 2.4.0.357 - Cumulative Patch 11
Cisco AI Endpoint Analytics Support
Cisco AI Endpoint Analytics is a solution on Cisco DNA Center that improves endpoint-profiling fidelity. It provides fine-grained endpoint identification and assigns labels to endpoints. Information gathered through deep packet inspection, and through probes from sources such as Cisco ISE, Cisco SD-AVC, and network devices, is analyzed for endpoint profiling.
Cisco AI Endpoint Analytics also uses artificial intelligence and machine learning to group endpoints with similar attributes. IT administrators can review such groups and assign labels to them. These endpoint labels are then available in Cisco ISE if your Cisco ISE deployment is connected to an on-premises Cisco DNA Center.
Cisco ISE administrators can use the endpoint labels from Cisco AI Endpoint Analytics to create custom authorization policies, granting the right set of access privileges to endpoints or endpoint groups.
Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 11
The following table lists the resolved caveats in Release 2.4 cumulative patch 11.
Patch 11 might not work with older versions of the Supplicant Provisioning Wizard (SPW). macOS users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.0.53 or later.
| Caveat ID Number | Description |
|---|---|
| | Carlsbad Dashboard allows special characters: <>?"' |
| | Custom filters not working for Session status column in Live Sessions |
| | CoA REST API is not working for ASA VPN Sessions |
| | SXP Devices page does not show the full name after 14 characters |
| | Live sessions show incorrect Authorization profile and Authorization Policy for VPN+Posture scenario |
| | Patch installation might generate alarm "Application patch installation failed" |
| | ISE 2.3 no patches, unable to log in to sponsor portal with internal user |
| | ISE sends CoA after receiving a RADIUS Accounting-Stop |
| | ISE Network conditions with device,port being skipped during authz |
| | Self-signed account creation error: "An attempt to text your account information to you has failed" |
| | Change Audit config is not shown for users when editing and changing the status |
| | ISE cannot schedule a report the same day |
| | Not able to delete certificate after hostname change |
| | Message Class for EAP-TLS messages from System-Management to EAP |
| | Windows 7 device is profiled wrongly post Posture flow, due to AnyConnect sending wrong user agent |
| | Config restore is stuck in the UI forever while restoring backup taken on the same node |
| | Alarm "TrustSec SSH connection failed" needs to provide more details on NAD |
| | Change password for some internal users not working after upgrade to 2.6 |
| | To enable CLI clock timezone command |
| | 'MAR cache distribution is not enabled' even when it has been enabled |
| | Memory leak on ISE node with the openldap rpm running version 2.4.44 |
| | Patch upload files >1 GB are not deleted when upgrading if upload through Web GUI is interrupted |
| | ISE 2.2 Sign On button greyed out with Guest portal second factor RADIUS Token server authentication |
| | ISE 2.4 Live Sessions cannot filter on Policy |
| | Secure Syslog Audit for CLI Authentication Failure Suspend/Lock Account |
| | Generate a single certificate (with CSR) option in pxGrid services with PKCS8 format throws error |
| | In Deployment, when an external CA signs any system certificate, ISE allows deleting the CA from the trusted page |
| | Unable to disable MDM server if configured server is not reachable |
| | Expired guest accounts purge is stuck after daylight saving time change |
| | ISE ERS Create via the API does not use the specified ID |
| | Network device import to ISE takes too long when devices have IPv6 addresses |
| | Wrong password being notified after password reset (only on SMS) |
| | MnT Purge with option to export repository not working |
| | Vulnerability Evaluation for ISE |
| | When binding an external CA-signed cert to an intermediate CA CSR, the certificate chain is broken under CA page |
| | ISE TACACS Authentication and accounting reports older than 30 days missing |
| | ISE does not show logging when CTS PAC is expired |
| | Move to Mapping Group drop-down menu limits SGT Mapping groups to 25 |
| | PassiveID Agent: No Syslog message is sent to MnT when the agent monitoring DC goes down |
| | pxGrid controller contacting terracotta.org |
| | ISE 2.4p9 Grace period is not working with PRA with VPN use case |
| | ISE sponsor portal - sorting by creation date doesn't work |
| | Network devices added via RESTful API fail authentication with a 'Network Device not located' error |
| | IPv6 RADIUS attributes cannot be mapped to any External attribute |
| | Trashing IP SGT Static mappings across pages never completes |
| | IP SGT static mapping export fails for entries with no mapping data |
| | Internal user using token password will be disabled due to password expiry |
| | Maximum thread value limit is too low and triggers 'Admin thread pool reached threshold value' alarm |
| | Remove Unnecessary JQUERY-UI Files from ISE |
| | Login page AUP as link does not work with iOS CNA browser |
| | "Move devices to another group" button should be disabled when access has been restricted to NDG |
| | SNMP traps on access switch connected to APs cause incorrect profiling |
| | All SNMP packets are logged to /var/log/messages file |
| | ISE 2.4 localhost-<date>.log files growing up to and beyond 8 GB in size |
| | ISE 2.6 Patch 2: EAP-TLS auth not matching endpoint groups |
| | No password audit is generated after user changes ISE internal user enable password via ASA CLI |
| | App Server crash observed while on the PassiveID dashboard for some time with > 200K active sessions |
| | Posture assessment by condition report is showing empty records |
| | DCS Probe data notification missing endpoint attributes in the message |
| | ISE Posture Agent Profile does not allow blank remediation timer |
| | When creating Purging Rule, RADIUS directory hangs if there is no Plus license |
| | RADIUS Authentication and RADIUS Accounting Report performance is slow |
| | In external RADIUS scenario, ISE should replace State attribute before forwarding Access-Challenge to NAD |
| | Certificate is not loading from Oracle to NSSDB properly |
| | ISE 2.4: Advanced Custom Filter option and export of reports not working as expected |
| | ISE: "MDM: Failed to connect to MDM server" log entry needs to have endpoint information |
| | Framed-Interface-Id RADIUS attribute not sent in Access-Accept if IPv6 address is in ::xx format |
| | REST API: Create Network Device with special character ("\") in password field is interpreted as UTF |
| | ISE ERS SDK NetworkDeviceGroup PUT does not show ID placement in the API call |
| | pxGrid XMPP GCL Reconnect failure |
| | Network Device POST API allows characters and spaces in Model name of device, GUI does not |
| | After changing password via UCP, "User change password audit" report doesn't have "Identity" |
| | Validation needed: Cisco DNA Center-ISE REST call with special characters (&) and (\) in RADIUS shared secret fails |
| | Legacy: ISE fails to load Network Devices page while filtering on IP/Mask |
| | ISE: Read-only admin users are able to view TrustSec device configuration credentials |
| | Unable to get all Tenable adapter repositories |
| | RADIUS Authentication report missing log if custom filter used |
| | ISE not using the device-public-mac attribute in endpoint database |
| | Export fails in ISE GUI when private key encryption fails, with no error message in the GUI |
| | ISE 3695 appliance is having issue with Oracle parameters configured for super MnT |
| | Day0: iPadOS 13.1 BYOD flow fails |
| | Password lifetime expiration reminder appears for Internal Users with external passwords |
| | Multi Shared Secret field is being populated for exported TACACS devices |
| | Unexpected CoAs may be observed with SCCM MDM |
| | Unable to access My Devices portal |
| | GUI login with AD user failing when similar internal user is disabled |
| | ISE 2.4: Not the entire FQDN is matched, only a fragment of characters |
| | ISE services are not coming up after installing patch 2.3 p7 |
| | DHCP messages are marking endpoints active, increasing the active endpoint count |
| | ISE 2.4 p9 Session directory write failed: String index out of range: -1 |
| | ISE sponsor's e-mail gets CC'd even when view/print guests' passwords is disabled |
| | Called-Station-ID missing in RADIUS Authentication detail report |
| | SCCMException in SCCM flow: ISE updates the MDMServerReachable value as false in the MDMServersCache |
| | WSA receives SIDs instead of AD groups from ISE |
| | Definition date for some AM products like McAfee and Symantec is listed as false |
| | Replication alarm when TrustSec matrix CSV imported with EMPTY SGACL that is already EMPTY in GUI |
| | No profiling CoA for IP-based profile policy |
| | Missing properties in platform.properties for SNS-3615, SNS-3655 and SNS-3695 |
New Features in Cisco ISE Release 2.4.0.357 - Cumulative Patch 10
Enable Probe Data Publisher
This option is newly added in the Profiler Settings window. It is disabled by default. Enable this option if you want Cisco ISE to publish endpoint probe data to pxGrid subscribers that need this data to classify endpoints onboarding on Cisco ISE. A pxGrid subscriber can pull the endpoint records from Cisco ISE using bulk download during the initial deployment phase; thereafter, Cisco ISE sends endpoint records to the pxGrid subscriber whenever they are updated on the PAN.
Note |
When you enable this option, ensure that the pxGrid persona is enabled in your deployment. |
Multi DNAC Support
A single Cisco DNA Center cluster scales to between 25K and 100K endpoints, whereas a Cisco ISE deployment scales to 2 million endpoints. Previously, only one Cisco DNA Center cluster could be integrated with one Cisco ISE deployment. Large Cisco ISE deployments benefit from integrating multiple Cisco DNA Center clusters with a single Cisco ISE deployment, and Cisco now supports this configuration, known as Multi-DNAC.
Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 10
Patch 10 might not work with older versions of the Supplicant Provisioning Wizard (SPW). macOS users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.
The following table lists the resolved caveats in Release 2.4 cumulative patch 10.
| Caveat ID Number | Description |
|---|---|
| | The software should not allow deleting the pxGrid certificate on an ISE node |
| | Posture update not working when there's a proxy with credentials in ISE |
| | Pseudo double Auth request on AD |
| | ISE T+ and Policy: Allowed protocols for RADIUS are unchecked if changes are made via TACACS PE section |
| | ISE 2.3+ does not have authentication condition Network Access:AuthenticationMethod |
| | Parsing NMAP smb-os-discovery data should remove NUL or \x00 |
| | ERS Guest User operations fail with 401 Unauthorized if Sponsor_Portal_Sequence missing |
| | ISE 2.x: Mobile/Desktop previews don't display self-registration form fields correctly |
| | ISE 2.3 p2 is sending redundant CoA message during VPN Posture Flow |
| | ISE 2.3 portals not displaying Spanish accents |
| | Endpoint Oracle Persist Received value wrongly counted in ISE Counters report |
| | ISE: Accounting updates tolerance for suppression needs to be more efficient |
| | Is ISE affected by Spring Framework CVE-2018-1270? |
| | ad_agent.log flooded with entries from blocked list domains |
| | ISE RBAC unable to modify nested permissions after migration from ACS |
| | REST API GET DACL page filter does not show correct information |
| | ISE HTTP error 401 unauthorized on External CA UI |
| | Remote-Access VPN Posture Sessions showing Base license consumed but no Apex |
| | Making name changes to the "All_User_ID_Stores" Identity Source Sequence will break new policy sets |
| | Different FQDN in SAN can cause CV issue |
| | ISE ENH: Allow RADIUS Dictionary VSA "Vendor Attribute Size Field Length" of 2 bytes |
| | Cannot edit Guest group if accessing through Manage accounts |
| | Cisco Identity Services Engine Cross Site Scripting Vulnerability |
| | Triggered SNMP query not working properly for HP OUI |
| | ISE: Exception thrown while adding email address in NTP Service Failure alarm |
| | ISE custom attributes not being applied to endpoint when pushed from cloudpost IND |
| | EAP-TLS authentications with Endpoint profile set to "not unknown" fail in second authorization |
| | Multiple Vulnerabilities in jackson-databind |
| | The calculation of required space for MnT backup needs to be revalidated |
| | Runtime prepends "\" to ";" in dhcp-class-identifier in syslog message sent to profiler |
| | Sponsor guest portal rate limit time not honored |
| | pxGrid startup order causing profiler code to fail init |
| | ProfilerCoA: "Exception in getting Policy details" in infinite loop in Profiler.log |
| | Sponsored Guest account start date not adjusting when account is extended |
| | ISE 2.4 P5: Profiling: NetFlow probe not working on ISE bonded interface |
| | ISE Profiler SNMP Request Failure Alarms should show the reason of failure |
| | No serialization or batching when large-scale (>300) NADs are moved from Matrix A to Matrix B |
| | ISE: SMTP server sending Email notification gets exhausted |
| | ERS API that requires CSRF token always failing on PUT/POST/DELETE |
| | ISE dropping requests due to descriptor allocation exhaustion under external server latency scenario |
| | Internal User not found in prrt-server intermittently even though PrRTCpmBridge returns user found |
| | Posture redirect fails with error 'unable to determine peer' in AnyConnect_ISEPosture.txt |
| | ISE 2.4 With CTA threat, threat endpoints are not detected |
| | AD Diagnostic tool shows low-level API query failed with "Response contains no answer. Check DNS config" |
| | ISE 2.4 p6 400 error on sponsor portal after timeout |
| | SQLite FTS3 Query Processing Integer Overflow Vulnerability |
| | Authorization profile fails to import with no warnings or errors to user |
| | AUP guest portal error 400 when returning from contact support link (iPhone captive portal) |
| | Email not received by guest if view/print guest password is disabled |
| | Authentications start failing once AD throws KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN |
| | Unable to remove an endpoint from the endpoint database due to permission error |
| | 2.4 P8/P9 Certificate chain does not get imported to Patch 8 and Patch 9 |
| | ISE custom endpoint attribute type string doesn't allow certain numbers |
| | ISE TrustSec custom view doesn't sort properly with manual order |
| | License usage for Plus either shows 0 or incorrect value |
| | Export from Context Visibility-Endpoints does not contain Custom Attributes for most endpoints |
| | 400 Bad Request error when refreshing the My Devices portal |
| | ISE CoA is not sent even though new Logical Profile is used under Authz Policy Exceptions |
| | Can't use endpoint group description during runtime for authz profile |
| | HOURLY_STATS_JOB running wrongly |
| | Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
| | ISE 2.4 fails to match authorization rules after deleting authorization condition |
| | ISE 2.6 patch 1 - AD User Test is returning 0 groups |
| | Renewed self-signed certificate doesn't get updated in trusted store |
| | Cannot Update Internal User with External Password ID Store via ERS |
| | ISE fails to save configuration changes for large policy sets |
| | Create fails with ORA-02291 on CEPM.REF_ROLE_MASTER if groupId has leading/trailing spaces |
| | Core files on PSN servers causing High Disk Utilization alarms |
| | ISE shows "Oops. Something went wrong" if session ID contains "-" |
| | Incorrect audit report while updating Counter Time Limit in Max Sessions page |
| | ISE PAN failover inactive days = elapsed days causing incorrect purging of EPs |
| | ISE doesn't store self-registered EndPoints in configured custom group |
| | ISE 2.6 ACI integration: TrustSec ACI report does not show IP-SGT mappings sent to ACI |
| | Export function in Network device groups fails when using RBAC |
| | Network Conditions do not work with shortened IPv6 |
| | 'Deleting All' Network Access Users doesn't appear on audit report |
| | Using ECDSA-signed certificates with the admin or pxGrid usage breaks pxGrid |
| | ISE user import does not fail when username contains invalid characters |
| | Static group information is lost from EP in some scenarios |
| | PSN generates scheduled reports if no connectivity to MnT |
| | Static group assignment lost in guest flow |
| | "Cache not properly initialized" message in every Profiler Policy and cannot update Profiler Feed |
| | When updating password for administrative user it is possible to bypass entering current password |
| | Under heavy load, ISE live logs either unavailable or delayed |
| | ISE 2.4 Possible XSS input in Certificate Attributes message when "/" sign is in the name |
| | Qualys shows connected state after disabling/enabling TC-NAC if added before applying patch |
| | Certificate trust chain is incomplete for pxGrid on pxGrid-only persona |
| | Allowing Different FQDN in SAN DNS field for EAP Certificate |
| | System Test: Temporal agent installation is failing with internal system error |
| | Rename the label from "ResetAll Hitcounts" to "Reset Policyset Hitcounts" under policy sets |
| | Cisco Identity Services Engine Policy Set Name Cross Site Scripting Vulnerability |
| | pxGrid WebSocket multiple connections issue |
| | ISE subscribes to IND topic /topic/com.cisco.endpoint.asset 3 times |
| | pxGrid service lookup still returns old hostname after hostname change |
| | Not able to change the language in guest portal with option "Always use" |
| | VM Licenses are not consumed based on M5 Profiles |
| | Env data is missing when TrustSec-ACI integration is enabled |
| | Unable to create ATZ policy using supported special characters |
| | SXP Mappings bulk download is slow over pxGrid |
| | Change logging level of 90140 INFO PassiveID: Message parsed syslog to DEBUG |
| | ISE: "Posture failed due to server issues" error during System scan on Mac OS X |
| | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities |
Known Issues in Cisco ISE Release 2.4.0.357 - Cumulative Patch 10
CA Service Disabled after Upgrade to Cisco ISE 2.4 Patch 10
After upgrading to Cisco ISE 2.4 Patch 10, the Certificate Authority (CA) service might be disabled on nodes on which the Policy Service persona is not enabled. To enable the CA service, choose Administration > System > Certificates > Certificate Authority > Internal CA Settings.
The Certificate Authority service and the EST service are disabled if the Session Services are disabled on the PSN.
Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 9
For Cisco Secure Network Server (SNS) 3600 series appliances (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise-2.4.0.357.SPA.x86_64_SNS-36x5_APPLIANCE_ONLY.iso). Cisco ISE 2.4 Patch 9 or later must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliances or for VMware, KVM, or Hyper-V installations.
The following table lists the resolved caveats in Cisco ISE 2.4 Patch 9.
Patch 9 might not work with older versions of the Supplicant Provisioning Wizard (SPW). macOS users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.
Note |
After the patch is installed successfully, you may occasionally see an alarm indicating that the patch installation failed with an error while trying to reboot. This is a false alarm and can be ignored. |
| Caveat ID Number | Description |
|---|---|
| | Location filter for ERS Network Device get-all API fails |
| | Normalized Radius:SSID not matched after CoA in the same session ID |
| | ISE 2.1+ RBAC: not able to manage endpoints and assign static identity groups |
| | Some information is missing when session details are sent from ISE to FMC via pxGrid |
| | Endpoints keep profiling even though profiling is disabled |
| | Blank pop-up in Sponsor Portal if customField contains "null" value |
| | SCCM MDM attribute LastPolicyRequest is not converted correctly in ISE |
| | Import two CA certs with same subject name |
| | ISE Secure Access Wizard Easy Wireless null AD groups for BYOD, Secure Access, Sponsored guest flow |
| | ISE does not provide the expected values in the context of EAP chaining |
| | ISE-PIC self-signed certificate delete operation fails due to Secure Syslog Server reference error |
| | CA Service still running on command line after disabling internal certificate authority in Web UI |
| | ISE 2.4 ERS API - PUT and GET Internal User "User Custom Attributes" |
| | Sponsor portal doesn't refresh the accounts after deleting users and requires a manual refresh |
| | Removing SCEP RA Profile causes the associated CA chain to be removed from Trusted Store |
| | ISE downloads unnecessary RA certificate for BYOD |
| | JSON SearchResult gives the href value as NULL |
| | ISE DACL syntax checking validation failing on wildcard notation |
| | pxGrid node name limit too short for FMC |
| | ISE 2.4 Patch 6 installation breaks FQDN of Sponsor and My Devices Portal |
| | Memory usage discrepancy in GUI and show tech |
| | CoA failure in RADIUS+PassiveID flow |
| | While saving IP SGT static mappings changes, "Discard changes you have made" message is displayed |
| | After importing ISE PB to ISE, login page is not loaded |
| | Provisioned Certificates are not deleted after revocation |
| | Adding DEFCON matrix pop-up title needs to be changed |
| | Active Directory Machine authentication fails with error "22040 Wrong password or invalid shared secret" |
| | ISE 2.4 Patch 6 reload breaks backups |
| | Cross-Site Request Forgery (CSRF) [OWASP_CSRFTOKEN bypass] |
| | PassiveID flow should send User's SamAccountName and ExplicitUPN |
| | ADNormalizedUserName field missing in some of the sessions |
| | Plus Licenses consumed without Plus features |
| | RSA or RADIUS Token user with valid account and credentials gets a blank page when trying to log in to ISE Admin portal if the account doesn't exist under Access > Administrators |
| | AD User information not shown in Context Visibility page |
| | Policy sets order mismatch when exporting as XML |
| | ISE TLS 1.0 and 1.1 security settings are not applied for pxGrid, causing WSA to fail integration |
| | ISE 2.4p3 RADIUS live logs not displayed due to invalid NAD IP address |
| | Cisco Identity Services Engine Blind SQL Injection Vulnerability |
| | Modifying RADIUS attributes to send in the request to External RADIUS Server is not working on ISE |
| | Enable pxGrid Profiling Probe setting is not working properly |
| | ISE fails to match authorization policy with endpoint ID group "unknown" |
| | ISE deletes all endpoints if MAC address is deleted twice at the same time |
| | Custom Attribute (advanced filter in CV) not able to filter on risk score (integer value) |
| | Application server crash is observed when an AD Join operation is attempted via GUI under Administration > Identity Management > External Identity Sources > Active Directory |
| | TACACS/AAA live log report not showing configuration change made from ACI |
| | ISE 2.3/2.4 upgrade to the latest patch may break dynamic redirection for third-party NADs |
| | Cannot configure scheduled config and operational backup with start date same as current day |
| | Unable to add AD group if it contains "/." or "/.." in the AD group name |
| | ise-elasticsearch.log files not purged in ISE 2.4 and 2.6 |
| | Changing max user global settings is not logged in change configuration audit |
| | GUI Context Visibility report export slowness |
| | Replication: Cluster information table has old FQDN |
| | BYOD flow is broken in iOS 12.2 |
| | BYOD provisioned profile doesn't automatically configure EAP-TLS in iOS 12.2 |
| | Import of network device template throws error "Failed illegal value for Encryption key" |
| | Multiple Vulnerabilities in struts2-core |
| | Upgraded ISE Node shows LDAP Identity Store password in plain text |
| | Enforce NMAP skip host discovery and NMAP scan timeout |
| | ISE 2.4 P8 posture scan running when an endpoint switches to a wired network not configured with dot1x |
|
"Cisco Modified" Profiles are overwritten by the Profiler Feed Service |
|
Log Collection Error - Session directory write failed when AD Probe Session is inserted |
|
Deploy button is missing in the Matrix page when Multiple Matrices workflow is enabled |
|
ISE LogicalProfile appears under Custom attributes in Context Visibility page when custom attributes are configured |
|
Unable to add network device with combination of any digit followed by () in Software Version field |
|
Enhancement to publish the following attributes via pxGrid: ADUserSamAccountName, ADUserQualifiedName, ADHostSamAccountName, and ADHostQualifiedName |
|
Restore failing for scheduled backup |
Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 8
The following table lists the resolved caveats in Release 2.4 cumulative patch 8.
Patch 8 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.
Note: After the patch is successfully installed, you may sometimes see an alarm indicating that patch installation failed with an error while trying to reboot. This is a false alarm and can be ignored.

| Caveat ID Number | Description |
|---|---|
| CSCvh54905 | Identity Admin cannot see users under Identities tab |
| | Include hostname in posture assessment reports |
| | Posture remediation files are limited to 50MB |
| | ISE 2.3: Posture report for endpoint by condition not working as expected |
| | Network access user with external password cannot be used as ISE admin |
| | User name from WMI information is deleted on receiving a DHCP custom syslog for same endpoint |
| | ISE 2.3: after applying patch 5, creation of EOB guest user does not work |
| | ISE 2.4 slow database response with 500 authorization policies |
| | Emails are not sent for alarm-specific email configuration |
| | Smart Licensing agent thread lock causes GUI login delay in ISE 2.2 |
| | Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
| | ISE not able to assign guest account to the same guest type used for previous user |
| | ISE 2.4 unable to modify proxy settings when proxy bypass list contains carriage return symbol |
| | Cannot filter Context Visibility by 'NAD Port ID' when using "/" character |
| | ISE includes only one prrt-server file in support bundle |
| | MDMServerReachable does not work for SCCM MDM again |
| | ISE expired license can't be deleted if number of Base and Wired licenses are not matching |
| | Nodes have high IO spikes frequently in VM performance reports |
| | ISE TrustSec policy difference alarm description is not accessible |
| | Authentications are displayed incorrectly in "Top N Authentication by Failure Reason" report |
| | ISE 2.4 - IP-SGT bindings disappear from SXP for user session |
| | ISE 2.4 Live Logs not filtering |
| | ISE: Custom user attribute change does not reflect changes in configuration change audit report |
| | App status for ISE is in initialisation state |
| | ISE 2.4: InactiveDays attribute update with disabled profiling |
| | IPv6-based client provisioning portal is not working on default port 8443 |
| | ISE: admin users unable to delete or modify groups if a TACACS user is saved without any group |
| | Removal of unused logical profile may cause a wrong authorization result |
| | Non-existent DACL is not verified by ISE |
| | [ISE 2.4] Unable to use created profiling policy in authorization condition |
| | Backups from SFTP repository may show incorrect year in Modified time |
| | ISE does not allow adding an SGT |
| | ISE: Improve Posture Assessment by Condition report export rate for large record counts (millions) |
| | ISE 2.4 - CLI password will not accept 3 $ |
| | ISE: failed to skip duplicate framed-pool attribute during migration |
| | ISE endpoint purge ACTIVEDIRECTORY dictionary is not loading |
| | TACACS+ Admin Group access denied when navigating to Work Center > Device Admin > Identities |
| | ISE Custom Endpoint Attributes - will not save or delete |
| | ISE 2.3 - Location info and IPSEC info are reversed in order in Network Device Groups for some NADs |
| | Guest portal client provisioning customization text doesn't save |
| | ISE 2.4 doesn't reset failedLoginAttempts after successful login of internal users to network device |
| | Device Sensor not able to correctly parse DHCP attributes via RADIUS probe |
| | Admin group cannot get access to "Users" at "Device Administration" tab after installing patch 5 |
| | Default python change password script returns CRUD operation exception |
| | Internal Administrator Summary report not allowing selection of specific columns |
| | ISE: WMI-passed values may compromise the security of ISE. Please remove malicious scripting terms |
| | CSV file of RADIUS authentications report may have duplicate records |
| | ISE adds an additional character at the end of OperatingSystemVersion |
| | ISE 2.2 Sponsor: Single click approval displays wrong message after clicking on approval link twice |
| | Device Administration Current Active Sessions report not available from 2.4 P6 |
| | System Scan throws internal error for Mac built-in FW remediation |
| | ISE dmp files are not deleted from /opt/oracle/base/admin/cpm10/dpdump for failed backup attempts |
| | ISE 2.x: Guest account activation time discrepancy for imported accounts |
| | Sponsor Portal page takes more than 10 seconds to load |
| | ISE 2.2 has too many journal files |
| | Samsung S7 and S8 profile |
| | ISE CoA doesn't work 2 days after initial auth |
| | Surplus of license files can cause excessive login delay - ISE |
| | ERS API that requires CSRF token returns HTTP 404 instead of 403 |
| | ISE SNMPv3 user still displayed in "show snmp user" after delete snmp-server user |
| | ODBC attribute retrieval not working properly with EAP chaining |
| | Device network conditions missing |
| | URT fails at import due to ORA-31684 |
| | Multi-NIC Windows/macOS: ISE Posture Module maps VPN IP to MAC address of a disconnected interface |
| | Master Guest reports take 30+ minutes to display |
| | ISE 2.2: Network devices page is not loading |
| | Domain Admins are not able to edit Sponsor accounts properly |
| | ISE not showing filtered NADs |
| | High CPU, high auth latency, and OOM condition on PSN nodes |
| | NAD CSV imports should allow all supported characters |
| | TACACS/RADIUS shared secret key disappears after highlight and then command/control + C |
| | Cisco Identity Services Engine Password Recovery Vulnerability |
| | ISE 2.x: Remote forest Active Directory controller failover prolonged time |
| | Unable to integrate Tenable adapter with ISE 2.2, 2.3, 2.4, and 2.5 |
| | "No Data Available" when attempting to add endpoints to Identity Group with RBAC user |
| | Failed to upload AC packages of file size > 50MB on ISE > Agent Resources |
| | ISE: Rebooting associated site-specific GC does not result in failover to other GC |
| | log4j.appender.ACS-FILE.MaxBackupIndex is not working in ISE |
| | SL Server is getting overloaded with ISE auth renewals |
| | Parser error seen with Threat Centric NAC CTA configuration irrespective of ISE version |
| | Certain characters are not being parsed properly |
| | Network Device Filtering returns only first IP range when multiple ranges are configured |
| | Limited access user getting "failed to fetch network device group" when accessing NAD |
| | Posture policy with Tunnel Group Name in condition is not hitting |
| | TACACS authentication details displays blank page |
| | Pullout reports from Authentication Summary report show an empty report |
| | Guest creation fails in ISE 2.3 after patch 5 |
| | Live sessions record is not getting updated with new username and/or new IP address |
| | ISE deleting the newly created IP-SGT mapping |
| | Able to delete ACI IEPG in ISE |
| | Pagination is not working in "All SXP mappings" page in ISE |
| | APIC logs not seen in sxp.log when SXP logging set to 'DEBUG' |
| | Delay in clearing of SXP mappings in ISE |
| | ISE truncates the SGT name after a "-" character and assigns a version ID |
| | ISE 2.3 P5 doesn't allow deleting SGT tag from GUI although it is not referenced |
| | Adding config to support PrA in PSN failover case |
| | Cisco Identity Services Engine (ISE) Arbitrary Client Certificate Creation Vulnerability |

Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 7
The following table lists the caveats that are resolved in Release 2.4 cumulative patch 7. Patch 7 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.1.53 or later.

| Caveat ID Number | Description |
|---|---|
| | This is an enhancement to implement primary node APIs for multi-DNAC support in Cisco ISE. |

Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 6
The following table lists the resolved caveats in Release 2.4 cumulative patch 6.
Patch 6 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.0.53 or later.

| Caveat ID Number | Description |
|---|---|
| | Guest remember-me breaks ISE Guest Activity Logging |
| | ISE 2.x unable to delete endpoint from endpoint group |
| | Unable to add duplicated mappings to multiple SXP VPNs |
| | ISE fails to read response from MDM with special characters |
| | Collection Filters configured with user name are not working for TACACS Author/Acct |
| | [ISE] SMS notifications in non-English containing `<BR>` HTML tag |
| | EasyConnect CoA not sent after session merge in distributed deployment |
| | ISE email notifications to guests send the email twice for approval and guest user |
| | ISE 2.2 no patch: SXP process fails when trying to create network subnet static mapping |
| | ISE 2.2: Password lifetime disabled, but reminder for account expiration is still received |
| | ISE 2.1-P3: high CPU seen in PAN due to 100K limit in redis |
| | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability |
| | ISE 2.x TACACS log extremely slow |
| | Cisco Identity Services Engine Logs Cross-Site Scripting Vulnerability |
| | ISE fails to re-establish TCP syslog connection after break in connectivity |
| | ISE: Need a report/dashboard for total unique endpoints |
| | Flexibility needed to choose the time intervals in disclosing the user name for failed auth |
| | Short CPU spikes can be observed when client didn't respond and ISE is used as RADIUS proxy |
| | Library conditions referred in policies are getting deleted; evaluation is giving deny access |
| | Bulk guest import does not work when logged into sponsor portal using SAML provider |
| | SNMPv3 CoA failures on ISE using HP switches |
| | Endpoint attributes not updated in Context Visibility |
| | validDays does not match span of fromDate to toDate for ERS-created guests |
| | ISE 2.2 endpoint export may contain duplicate entries |
| | Policy hit count value gets nullified on clicking the REFRESH button |
| | EST Service not running when ISE iseca folder is missing |
| | ISE 2.1 Endpoint Purge policy is matched but job halts during execution |
| | ISE Internal CA: SAN ext validation fails if it isn't the first entry in RequestedExtensions in CSR |
| | ERS API get all endpoints not returning description field as stated in documentation |
| | Unsupported character backslash has to be added to the UI error message while creating admin user |
| | AC 4.6 Application enforcement is not working for Torrent |
| | Password length limitation of 32 characters when adding DCs in the PassiveID section |
| | Cannot delete security groups having virtual network mapping |
| | Unknown Radius Flow is set to RadiusFlowType when updating ExternalIdStoreDictionary |
| | User custom attributes order doesn't change after drag-drop and save |
| | ISE 2.3 AD Group SID update fails for groups referenced in the policies |
| | Active endpoints are mismatched from expected value |
| | SNMP CoA is not sending correct SNMP traps |
| | Cisco Identity Services Engine (ISE) Java Deserialization Vulnerability |
| | Cisco Identity Services Engine (ISE) unsafe deserialization in Adobe Action Message Format (AMF) |
| | Cisco Identity Services Engine (ISE) File Upload Code Execution Vulnerability |
| | ISE 2.2 VPN MDM - Compliance not updated from MDM Compliance Checker for active session |
| | DNAC-ISE: pxGrid failover fails with 2.4 patch 1 with DNAC-ISE integration |
| | ISE 2.4 backup input validation does not occur on backup name characters |
| | ISE HSTS Max-Age parameter is too aggressive; no includedDomains flag |
| | ISE stops publishing SXP mapping |
| | Enable VLAN DHCP release breaks guest flow for ISE 2.4 |
| | pxGrid: XMPP cleartext authentication |
| | ISE: Incomplete error message while importing an icon under Network Device Profiles |
| | Enable pxGrid in FIPS mode |
| | Guest password is not reset if Sponsor does not have rights to view the guest password |
| | ISE allows importing multiple instances of same language in portal setup |
| | Changed name for My Reports against Policy Set match removes the delete option from My Reports |
| | RBAC SuperAdmin data access overwritten by read-only data access for Network Device Groups |
| | ISE stops responding to TACACS requests |
| | Remove GMT portion from $ui_start_date_time$ and $ui_end_date_time$ on email notifications |
| | NMAP fails to execute when an EP matches an admin-created profiling policy |
| | ISE sponsor's e-mail should not be in CC when view/print guests' passwords is disabled |
| | ISE 2.4 Sponsor-Group OWN_ACCOUNTS email association |
| | ISE offline profiler feed service unavailable 17/07/18 |
| | Editing guest user throws pop-up error when created with JavaScript in first and last name |
| | Live sessions are not seen in ISE Live Logs page in ISE 2.4 |
| | DST changes are not honored by the shift job, which causes data movement issues on MnT nodes |
| | ISE doesn't validate the data type date in the custom endpoint attribute |
| | SAML authentication is showing wrong identity store in Sponsor Login and Audit report |
| | Admin warned of license non-compliance even after adding new licenses |
| | SNMPv3 profiling works only with DES or AES128 privacy protocol |
| | SecureSyslogCollectors should be disabled by default on remote log targets |
| | ISE ADE-OS - when trying to change timezone there should be a warning stating it is not supported |
| | ISE - Can log in to GUI with disabled admin accounts |
| | RADIUS Token identity caching timeout not configurable |
| | ISE sponsor email customization doesn't add image properly |
| | pxGrid SSL/TLS renegotiation handshakes MiTM plaintext data injection - CVE-2009-3555 |
| | HTTP request header for ISE fails if it contains @ in email |
| | ISE 2.4 - Unable to save multiple custom attributes at once |
| | Customer sees "no data available for this record" for "Details" page in Live Logs |
| | ISE 2.3 not hitting policy with Session BYOD-Apple-MiniBrowser-Flow condition |
| | ISE 2.3 Context Visibility Authentication Policy column is blank |
| | ISE should not send alarm for 'ERS-Media-Type' not present in ERS header |
| | Evaluation of positron for Struts remote code execution vulnerability August 2018 |
| | ISE 2.1+: Identity Source Sequence info button information is wrong for Sponsor Portal |
| | Cannot disable Telnet change password |
| | ISE 2.3 to 2.4 upgrade is failing with error "nodes are not on the same ISE patch version" |
| | Oracle Security Alert Advisory - CVE-2018-3110 |
| | ISE 2.x: Cisco-Device profiler policy missing the Tandberg OUI as a condition |
| | ISE: After upgrading to ISE 2.4, scheduled backups are not working |
| | AMQP Cleartext Authentication Vulnerability |
| | Endpoints not re-profiled after config restore and import of new profiles |
| | PassiveID Probe hprof files in temp folder |
| | ISE AD lookup broken due to the blocked list domain lookup failing |
| | IE11: Trash icon linked to MAC address search box in Context Visibility |
| | Unable to delete root Network Device Group |
| | REST API - Unable to retrieve guest user details using ToDate filters |
| | AD groups with more than one space don't allow authZ policy to be saved |
| | Difference between Oracle and ES in terms of description |
| | Newly created Network Device Model Name and Software Version are not present in GUI |
| | Maintain Connectivity During Reauthentication option not working |
| | Live log detailed reports show msec instead of seconds for session timeout |
| | ISE 2.3: Unable to access NFS repository and scheduled reports not working using NFS repository |
| | 'Error 400' after pressing Sign Out on the Manage Guest Accounts page |
| | OWASP ZAP reports Cross Site Scripting (DOM Based) on pxGrid web application |
| | pxGrid cert change causing onAuthzRequest DENIED |
| | ISE 2.4 not sending "Framed-IP-Address" attribute in profile when using leading zero |
| | 30+ GB files left behind after successful ISE 2.4 upgrade |
| | Changes made in allowed protocols are missing in change configuration audit reports |
| | ISE secondary node doesn't send CoA when guest account gets suspended or deleted |
| | Manual CoA fails from Context Visibility if user never accessed Live Logs or Live Sessions prior |
| | ISE PB portal files are not restored with a restore of an old backup |
| | WasMachineAuthenticated EQUALS False no longer parsed in runtime - ISE 2.4 |
| | BYOD TLS not working for iOS 12 FCS release |
| | SXP debug logs are not dumped in sxp.log unless services are restarted |
| | 'EST-CSR-Request' dictionary condition does not work |
| | Cisco Identity Services Engine Logging Cross-Site Scripting Vulnerability |
| | ISE 2.4 Conditional CoA failure upon Endpoint Identity Group change |
| | Guest AUP: AUP acceptance is triggering replication event |
| | Accounting messages from ASR1K not saved and not shown in ISE reports |
| | Chrome: Cannot create new BYOD portal |
| | "Max Sessions" value cannot be applied on GUI after applying 2.2p10 or 2.3p4 |
| | Cisco Identity Services Engine Reflected Cross-Site Scripting Vulnerability |
| | Cisco ISE Path Traversal Issue |
| | ISE 2.2 - Guest self-registration portal doesn't sort timezone list correctly |
| | AD Probe failing to find the computer object with FQDN |
| | Alarms: Profiler Queue Size Limit Reached |
| | Sponsor creating random accounts for time-restricted guest types fails |
| | ISE 2.4 - Guest users aren't getting emails automatically while importing from CSV |
| | ISE: EAP-FAST prefers cached AD DN over new DN after changing the account OU |
| | MyDevices Portal: Can't change device status on a PSN running with secondary PAN |
| | ISE - "user's email is not valid": unable to create user for top-level domains other than .com, .in, etc. |
| | SAML with ADFS is broken with 3rd-party NAD |
| | ISE 2.4 replication failure causing nodes to go out of sync after LAN automation |
| | ISE 2.2 TACACS doesn't apply the command sets after long REGEX argument |
| | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability |
| | Cisco ISE Local Privilege Escalation Vulnerability |
| | ISE 2.4 scheduled backups not working; can be seen in GUI |
| | endpointcert/certRequest API call causes Internal CA Service to crash in ISE |
| | Request to increase RADIUS Token Server password caching to 900 seconds or later |
| | Inner Execution Context is not fully updated from API Execution Context |
| | ISE CAC or certificate login does not populate external groups under new admin group |
| | Menu access duplicate is failing with plus sign |
| | Account Disable Policy 'Disable accounts after days of inactivity' is incorrectly calculated |
| | ISE 2.3 patch 5: NAD / AAA server address is not specified |
| | Lost and Stolen buttons stay disabled on My Devices portal if Japanese GUI used |
| | pxGrid debug "warn" level causing XCP to stop running |
| | Cisco Identity Services Engine Password Recovery Vulnerability |
| | ISE Kerberos authentications are incrementing AD bad password count by 2 |
| | Authorization policy evaluation failing intermittently when using identity group as condition |
| | Show members delays retrieving the network devices in NDG page |
| | SGACL push in large-scale NAD environment causes high CPU on PAN |
| | Modify existing Network Device Profiles, grayed SAVE button |
| | ISE 2.4: Details of 'error 500' missing in REST API query after patch 1 installation |
| | PassiveID Management logs show database ID instead of DC name |
| | Need to add Internal User Group in Certificate Authentication Profile |
| | Under heavy load, ISE live logs stop working on ISE 2.3 |
| | ISE 2.4: Unable to import network devices if shared secret contains "<" |
| | ISE importing EMPTY cells in TrustSec matrix doesn't overwrite existing content of cells |
| | Profiler definitions for OSX Mojave (10.14) are not available in ISE 2.4 latest patch |
| | ISE: logwatch process failed with ::1 fatal error |
| | ISE 2.4 patch 4 reduces I/O read speed |
| | ISE: Import Network Device does not conform to admin access permissions |
| | pxGrid not handling invalid XML characters for publish and download |
| | VCS pages Auth/Endpoint tab shows blank pop-up message |
| | ISE does not follow the capabilities of the Listener |
| | ISE: TrustSec alarm doesn't have SEVERITY level and it's greyed out |
| | 400 Bad Request when logging out of Sponsor Portal |
| | RBAC permissions do not propagate for admin users who log in to ISE with AD |
| | Report logs cannot be fully displayed with "latest 30 days" |
| | SXP connection between ISE and IOS devices stuck in DeleteHoldDown state |
| | Date in Unix Epoch format when Context Visibility is exported |
| | ISE 2.x: ISE syslog message codes (59200-59208) are not being used in ISE currently |
| | 2.4P5: In 3-node deployment, after rollback of P5, PSN went down |
| | ISE 2.4p5 - ACI integration - Not all IP_EPG mappings on ACI are imported by ISE |
| | ISE replaces "ip:" with its hostname in "ip:inacl" Cisco AV-Pair |
| | Process failure using external RADIUS token server authentication |
| | Manage ACC calling infinite time when sponsor user configured with permissions ALL&GROUP sponsor groups |
| | When individual policy set is reset, other policy set hit counters are reset to 0 |
| | ISE 2.3 patch 5 issue when creating guest user on sponsor portal using special character |
| | ISE DACL syntax checking is not properly catching errors |
| | ISE should support internal users with special character colon (:) to be at parity with ACS |
| | TC-NAC configured with Qualys shows Not Reachable |
| | ISE stops responding to IPv6 hosts in its own subnet after adding IPv6 route |
| | ResetAll Hitcount button not resetting hitcount value in Firefox browser |
| | Cores being consistently generated on every node after upgrading from ISE 2.4 to 2.5 |
| | ISE 2.4: Misconfigured supplicant query is one of the reasons for high CPU on both MnT nodes |

New Features in Cisco ISE Release 2.4.0.357 - Cumulative Patch 6
Identity Caching in RADIUS Token and RSA SecurID Server
Identity caching is used to allow processing of requests that do not perform authentication against the server. You can enable the identity caching option and set the aging time in minutes. The default value is 120 minutes. The valid range is from 1 to 1440 minutes. The results obtained from the last successful authentication are available in the cache for the specified time period.
This option is disabled by default.
Open Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 6
| Caveat ID Number | Description |
|---|---|
| CSCvo75376 | pxGrid node name limit is too short for Cisco Firepower Management Center (FMC) |

Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 5
The following table lists the resolved caveats in Release 2.4 cumulative patch 5.
Patch 5 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.0.53 or later.

| Caveat ID Number | Description |
|---|---|
| | SFTP Connect Error |
| | EAP-FAST doesn't support correct key generation in TLS 1.2 |
| | pxGrid: EndpointProfileMetaData not propagated with pxGrid V2 |
| | AD authentications are failing after applying 2.2 P11 / 2.4 P4 |
| | TC-NAC configured with Qualys shows Not Reachable |
| | EPG mappings not created on ISE |
| | ISE Apache Struts CVE-2016-1000031 Vulnerability |

Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 4
The following table lists the resolved caveats in Release 2.4 cumulative patch 4.
Patch 4 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.0.53 or later.

| Caveat ID Number | Description |
|---|---|
| | Diag Tool: For DNS A Record tests, change status failed to warning |
| | ISE 2.1 - Auth inactivity alarms every 15 mins |
| | ISE doesn't convert guest username to lower case if credentials used in 802.1X, not on portal |
| | Reset-config is reverting the fixes of patches and causing issues |
| | ISE: Remove state attribute from access accept packets |
| | Evaluate ISE for Apache Tomcat February 2018 vulnerabilities |
| | ISE: URT fails due to upgrading the ACS to ISE migrated setup |
| | Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability |
| | Message Catalog displaying only the message code 89006 but not the rest |
| | Network devices page fails to paginate as shared secret is in plain text |
| | ISE: While registering, getting the error: Unable to register the node `<fqdn>` Version: 0.0.0.0 |
| | General Patch Management - Red Hat Linux (Critical/High) |
| | Application check works in opposite logic |
| | Failed to get sgt name from sgt tag: 5 or sgt is read only, or isPropgateToAPIC is false |
| | Fix for CSCvf68738 does not allow legitimate CA certificate refresh |
| | ISE 2.2: Hot Spot portal users asked to accept the AUP more than once |
| | VM license thresholds mismatch platform definitions |
| | ISE 2.4 TrustSec Dashboard query performance |
| | Adding node to deployment does not add the Profiling OUI data |
| | ISE 2.4 Windows PC behind IP phone being profiled as Cisco-IP-Phone-8851 |
| | Regression: Windows 8/10 clients incorrectly profiled as Windows 7 due to feed policies |
| | "ERROR_NO_SUCH_USER" due to ISE ADRT misidentifying a child domain name as root forest domain |
| | ISE 2.4 no patches: unable to load network devices page |
| | ISE 2.4 MnT session & Auth API response is not populating 'other_attributes' section |
| | Not able to delete certificate from trusted page |
| | Wrong number or types of arguments in call to 'COLLATIONDAILY_PURGE', HOURLY_STATS_JOB |
| | ISE: "Manage accounts" gives 400 HTTP error if sponsor portal is configured for SAML authentication |
| | ISE 2.4 pxGrid queries against secondary MnT resulting in collector crashing |
| | ISE 2.4 2.3 2.2 2.1 2.0: NFS repository credentials are not used |
| | ISE 2.4: Social Login e2e flow fails due to recent changes done on Facebook side |
| | ISE 2.4 excessive profiler syslogs sent to MnT |
| | ISE 2.4 Cisco Prime querying ISE session API could cause high CPU utilization on Monitoring nodes |
| | Certificate parameters not persistent after DNAC trust re-establishment |
| | Authentication Summary Reports show "no data available" for RADIUS and TACACS |
| | ISE 2.4 core dump on primary node: SIGSERV in GenericConfigObject::getAsNested(unsigned int) const |
| | Cisco Network Setup Assistant app not available on Google Play |
| | ISE cores on LDAP test server after DNAC establishment when same chain used |
| | ISE CoA sends NULL value for NAS-Port-Id |
| | ISE custom endpoint attribute type String doesn't allow numbers only |
| | LiveSessions are not showing on GUI because user name has unicode characters |
| | ISE context visibility endpoints import fails with custom endpoint attribute date |
| | 400 error seen in Guest and Sponsor Portal due to portal session deletion |
| | Config backups triggered from GUI hang at 45% during ES backup |

Open Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 4

| Caveat ID Number | Description |
|---|---|
| CSCvm93698 | AD authentications fail after installing ISE 2.4 patch 4. The following error is seen in ad_agent.log: Identity resolution failed - ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE |
| | ISE 2.4: Possible kernel memory leak |
| | ISE 2.4 patch 3: CoA is not working for CTS role-based policy |
| | Unable to use SFTP server as a repository in ISE 2.4 patch 4 |

Resolved Caveats in Cisco ISE Release 2.4.0.357 - Cumulative Patch 3
The following table lists the resolved caveats in Release 2.4 cumulative patch 3.
Patch 3 might not work with older versions of SPW. Mac users must upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later, and Windows users must upgrade their SPW to WinSPWizard 2.2.0.53 or later.

| Caveat ID Number | Description |
|---|---|
| | CDP attributes not added to EP via SNMP query |
| | Multiple vulnerabilities in httpasyncclient |
| | US27030 - Fix VPN session to MAC mapping |
| | ISE 2.2 user may be redirected again after AUP acceptance on Hotspot portal |
| | ISE: Failure to retrieve AD groups for Intel AMT supplicant username format |
| | Matched AuthC and AuthZ rules in Monitor Only mode showing GUIDs but not names |
| | Purging doesn't work if identity group name was changed / change is not reflected in purge policy |
| | Single click approval sponsor not seeing self-registered guest with implicit/explicit UPN |
| CSCvi23542 | ISE doesn't fail over to other available DCs when receiving STATUS_ACCESS_DENIED (0xc0000022) from DC on authentication attempts |
| | ISE high authentication latency due to lookup in Internal Endpoints |
| | Corefiles are being generated due to TimesTen crash in MnT node |
| | Log Collection Error: null alarm |
| | Customer sees blank "Details" page in RADIUS Live Logs |
| | The content changes for imported guest notification template are not working |
| | Changing status of Network Access Users doesn't appear on audit report |
| | User domain name may remain empty in session when ISE PassiveID AD agent or MS WEF is used |
| | Sponsor-created guest has a previous guest account email CC'd |
| | ISE 2.4 patch 2 install brings application services down due to integrity checksum failure |