Introduction to Cisco Identity Services Engine
Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, wireless controllers, Virtual Private Network (VPN) gateways, Private 5G networks, and data center switches. Cisco ISE acts as the policy manager in the Cisco Group Based Policy solution and supports TrustSec software-defined segmentation.
Cisco ISE is available on Cisco Secure Network Server appliances with different performance characterizations, virtual machines (VMs), and on the public cloud.
Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services where needed in a network, but operate the Cisco ISE deployment as a complete and coordinated system.
For detailed Cisco ISE ordering and licensing information, see the Cisco Identity Services Engine Ordering Guide.
For information on monitoring and troubleshooting the system, see the "Monitoring and Troubleshooting Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.
What Is New In This Release?
This section lists the new and changed features in Cisco ISE 3.3 and its patches.
New Features in Cisco ISE Release 3.3 - Cumulative Patch 4
API keys and certificate authentication support for Tenable Security Center
From Cisco ISE 3.3 Patch 4 onwards, the following authentication methods are additionally supported for Tenable Security Center:
- API Keys: Enter the Access key and Secret key of the user account that has access privileges in Tenable Security Center. API key authentication is supported for Tenable Security Center 5.13.x and later releases.
  Note
  Before choosing this option in Cisco ISE, you must log in to Tenable Security Center as an Admin user and enable API key authentication there.
- Certificate Authentication: From the Authentication Certificate drop-down list, choose the required certificate. After successful authentication, Cisco ISE retrieves the customer-configured template from Tenable Security Center.
  Note
  Before enabling this option in Cisco ISE, you must configure Tenable Security Center to allow SSL client certificate authentication.
For more information, see "Configure Tenable Adapter" in the chapter "Threat Containment" in the Cisco Identity Services Engine Administration Guide, Release 3.3.
Assign dedicated resources for join points
From Cisco ISE Release 3.3 Patch 4, you can reserve resources for the join points in each PSN. This resource segmentation will help reduce the performance impact caused by resource sharing among the join points.
For more information, see "Assign dedicated resources for join points" in the Chapter "Asset Visibility" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
Security Identifiers in certificates will not be used for authentication
From Cisco ISE Release 3.3 Patch 4, Cisco ISE supports a new format of certificates with Security Identifiers (SID).
The SIDs present in the Subject Alternative Name (SAN) fields are not used for authentication in Cisco ISE. This enhancement prevents authentication failures caused by incorrect SID parsing during the authentication process.
SSHD service cryptographic algorithms enhancement
From Cisco ISE Release 3.3 Patch 4, the service sshd command in the Cisco ISE CLI accepts the following new options for configuring the cryptographic algorithms used by the SSH daemon:
- MAC-algorithm
- Hostkey
- Hostkey-algorithm
- Key-exchange-algorithm
- SSH-client-hostkey-algorithm
For more information, see the Cisco ISE CLI Reference Guide, Release 3.3.
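Changing the algorithm lists on the node is only half the job; the other half is confirming from outside that the SSH daemon now offers only what you intended. The following added example (not part of these release notes and not Cisco code) parses the text that nmap's ssh2-enum-algos script prints for an SSH port and flags algorithms that common SSH hardening baselines disable. The sample scan output is constructed for the example, and the weak-algorithm patterns are a generic baseline, not a Cisco-published list.

```python
"""Audit the algorithms an SSH server offers, to verify a Cisco ISE node's
`service sshd` hardening from the outside.

Added example, not part of the Cisco ISE release notes or Cisco code. It
parses the text that nmap's ssh2-enum-algos script prints (the sample below
is constructed for this example, not captured from a real ISE node) and
flags algorithms that a hardening baseline would normally disable.
"""
import re

# Constructed sample of `nmap --script ssh2-enum-algos -p 22 <ise-node>` output.
SAMPLE_NMAP_OUTPUT = """\
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       curve25519-sha256
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group-exchange-sha256
|   server_host_key_algorithms: (3)
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-rsa
|   encryption_algorithms: (3)
|       aes256-gcm@openssh.com
|       aes256-ctr
|       aes128-cbc
|   mac_algorithms: (3)
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-256
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

# Patterns for algorithms that should not appear on a hardened server.
# These reflect common SSH hardening guidance, not a Cisco-published list.
WEAK_PATTERNS = {
    "kex_algorithms": [r"-sha1$", r"group1-"],
    "server_host_key_algorithms": [r"^ssh-rsa$", r"^ssh-dss$"],
    "encryption_algorithms": [r"-cbc$", r"^3des", r"^arcfour", r"^blowfish"],
    "mac_algorithms": [r"hmac-md5", r"hmac-sha1", r"-96(-etm@openssh\.com)?$"],
}

# Section headers look like "|   kex_algorithms: (4)"; entries are indented
# further and may carry the "|_" prefix nmap uses on its last line.
SECTION_RE = re.compile(r"^\|_?\s+(\w+):\s+\(\d+\)\s*$")
ENTRY_RE = re.compile(r"^\|_?\s{6,}(\S+)\s*$")


def parse_enum_algos(text: str) -> dict[str, list[str]]:
    """Turn ssh2-enum-algos output into {section: [algorithm, ...]}."""
    sections: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append(m.group(1))
    return sections


def find_weak_algorithms(sections: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return, per section, the offered algorithms that match a weak pattern."""
    findings: dict[str, list[str]] = {}
    for section, patterns in WEAK_PATTERNS.items():
        weak = [
            alg for alg in sections.get(section, [])
            if any(re.search(p, alg) for p in patterns)
        ]
        if weak:
            findings[section] = weak
    return findings


if __name__ == "__main__":
    offered = parse_enum_algos(SAMPLE_NMAP_OUTPUT)
    for section, weak in find_weak_algorithms(offered).items():
        print(f"{section}: still offers {', '.join(weak)}")
```

Run it against a real scan by piping nmap's output into `parse_enum_algos`; an empty result from `find_weak_algorithms` means the daemon offers nothing the baseline objects to, and anything else names exactly which `service sshd` option still needs tightening.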
Support for osquery condition
From Cisco ISE 3.3 Patch 4, you can create an osquery condition to check the posture compliance status of an endpoint or fetch the required attributes from an endpoint.
For more information, see "Add an osquery condition" in the Chapter "Compliance" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
Note
Cisco Secure Client 5.1.6 and earlier versions do not support the osquery condition.
Support for usgv6 Command
Use the usgv6 command in EXEC mode to enable, disable, or check the usgv6 compliance status of a Cisco ISE node with the underlying operating system.
For more information, see "usgv6" in the chapter "Cisco ISE CLI Commands in EXEC Mode" in the Cisco Identity Services Engine CLI Reference Guide, Release 3.3.
New Features in Cisco ISE Release 3.3 - Cumulative Patch 3
CLI Option to Enable or Disable the Explicit Curve Check
From Cisco ISE Release 3.3 Patch 3, administrators can use the following option in the application configure ise CLI command to enable or disable the explicit curve check for Elliptic Curve Digital Signature Algorithm (ECDSA) certificates:
[39] Enable/Disable Explicit EC Check
The certificate verification applies to EAP TLS server mode, secure syslog, and secure LDAP.
For more information, see "Application Configure ISE" in the chapter "Cisco ISE CLI Commands in EXEC Mode" in the Cisco Identity Services Engine CLI Reference Guide, Release 3.3.
Option to Add Identity Sync After Creating Duo Connection
If you do not want to configure user data synchronization between Active Directory and Duo while creating a Duo connection, click Skip in the Identity Sync page. You will be taken to the Summary page directly.
After you create a Duo connection, you can add identity sync configurations at any time.
For more information, see "Integrate Cisco Duo With Cisco ISE for Multifactor Authentication" in the Chapter "Segmentation" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
New Features in Cisco ISE Release 3.3 - Cumulative Patch 2
Configure Virtual Tunnel Interfaces (VTI) with Native IPsec
From Cisco ISE Release 3.3 Patch 2, you can configure VTIs using the native IPsec configuration. You can use native IPsec to establish security associations between Cisco ISE PSNs and NADs across an IPsec tunnel using IKEv1 and IKEv2 protocols. The native IPsec configuration ensures that Cisco ISE is FIPS 140-3 compliant. For more information, see "Configure Native IPsec on Cisco ISE" in the "Secure Access" chapter in the Cisco ISE Administrator Guide, Release 3.3.
End of Support for Legacy IPsec (ESR)
From Cisco ISE Release 3.3 Patch 2, Legacy IPsec (ESR) is not supported on Cisco ISE. All IPsec configurations on Cisco ISE will be Native IPsec configurations. We recommend that you migrate to native IPsec from legacy IPsec (ESR) before upgrading to Cisco ISE Release 3.3 Cumulative Patch 2 to avoid any loss of tunnel and tunnel configurations. For more information, see "Migrate from Legacy IPsec to Native IPsec on Cisco ISE" in the chapter "Secure Access" in the Cisco ISE Administrator Guide.
Enhanced Password Security
Cisco ISE now improves password security through the following enhancements:
- You can hide the Show button for the following field values, to prevent them from being viewed in plaintext during editing:
  - Under Network Devices: RADIUS Shared Secret and RADIUS Second Shared Secret
  - Under Native IPsec: Pre-shared Key
  To do this, uncheck the Show Password in Plaintext checkbox. For more information, see "Configure Security Settings" in the Chapter "Segmentation" in the Cisco ISE Administrator Guide, Release 3.3.
- To prevent the RADIUS Shared Secret and Second Shared Secret from being viewed in plaintext during network device import and export, a new column with the header PasswordEncrypted:Boolean(true|false) has been added to the Network Devices Import Template Format. No field value is required for this column.
If you are importing network devices from Cisco ISE Release 3.3 Patch 1 or earlier releases, you must add a new column with this header to the right of the Authentication:Shared Secret:String(128) column, before import. If you do not add this column, an error message is displayed, and you will not be able to import the file. Network devices with encrypted passwords will be rejected if a valid key to decrypt the password is not provided during import.
For more information, see the table in "Network Devices Import Template Format" in the Chapter "Secure Access" in the Cisco ISE Administrator Guide, Release 3.3.
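A header change like this is exactly what breaks a scripted import, so the following added example (not Cisco code and not the full Cisco ISE import template) inserts the PasswordEncrypted:Boolean(true|false) column immediately to the right of Authentication:Shared Secret:String(128) in a CSV exported from Cisco ISE 3.3 Patch 1 or earlier, leaving the column empty as the notes require. Only those two header names come from the release notes; the other column names and the device rows are constructed placeholders.

```python
"""Add the PasswordEncrypted:Boolean(true|false) column to a network device
CSV exported from Cisco ISE 3.3 Patch 1 or earlier, so that it imports into
Cisco ISE 3.3 Patch 2 and later.

Added example, not part of the Cisco ISE release notes or Cisco code. Only
the two header names quoted in the release notes are taken from them; the
other column headers and the device rows below are constructed placeholders,
not the real Cisco ISE import template.
"""
import csv
import io

SHARED_SECRET_HEADER = "Authentication:Shared Secret:String(128)"
PASSWORD_ENCRYPTED_HEADER = "PasswordEncrypted:Boolean(true|false)"

# Constructed sample of an old-format export (placeholder column names and
# placeholder secrets; a real export has more columns than this).
OLD_EXPORT_CSV = """\
Name,IP Address,Authentication:Shared Secret:String(128),Description
sw-access-01,10.0.1.10/32,plaintext-secret-1,Access switch
wlc-01,10.0.2.20/32,plaintext-secret-2,Wireless controller
"""


def add_password_encrypted_column(csv_text: str) -> str:
    """Insert the new header immediately right of the shared-secret column.

    The column is left empty on every row, which is what the release notes
    say is required. Returns the input unchanged if the column is already
    present, and raises ValueError if the shared-secret column is missing
    (in which case the file is not a network device export at all).
    """
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows:
        raise ValueError("empty CSV")
    header = rows[0]
    if PASSWORD_ENCRYPTED_HEADER in header:
        return csv_text
    try:
        idx = header.index(SHARED_SECRET_HEADER) + 1
    except ValueError:
        raise ValueError(f"missing column {SHARED_SECRET_HEADER!r}") from None

    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header[:idx] + [PASSWORD_ENCRYPTED_HEADER] + header[idx:])
    for row in rows[1:]:
        if not row:  # skip blank lines in the export
            continue
        # Pad short rows so the insert position always exists.
        row = row + [""] * (len(header) - len(row))
        writer.writerow(row[:idx] + [""] + row[idx:])
    return out.getvalue()


def column_position(csv_text: str, header_name: str) -> int:
    """0-based index of a header in the first CSV line, or -1 if absent."""
    header = next(csv.reader(io.StringIO(csv_text)))
    return header.index(header_name) if header_name in header else -1


def needs_migration(csv_text: str) -> bool:
    """True if the file carries the shared-secret column but not the new one."""
    return (column_position(csv_text, SHARED_SECRET_HEADER) >= 0
            and column_position(csv_text, PASSWORD_ENCRYPTED_HEADER) < 0)


if __name__ == "__main__":
    print(add_password_encrypted_column(OLD_EXPORT_CSV), end="")
```

The function is idempotent, so it is safe to run over a directory of exports of mixed vintage; `needs_migration` lets a pipeline report which files were actually rewritten. The secrets in the rows are untouched: the column only tells Cisco ISE whether the values are encrypted, and an empty value is what the notes call for.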
Localized ISE Installation
While reinstalling Cisco ISE, you can use the Localized ISE Install option (option 38) in the application configure ise command to reduce the installation time. Though this option can be used for both Cisco Secure Network Server and virtual appliances, it significantly reduces the reinstallation time for Cisco Secure Network Servers.
For more information, see "Localized ISE Installation" in the Chapter "Cisco ISE CLI Commands in EXEC Mode" in the Cisco Identity Services Engine CLI Reference Guide, Release 3.3.
Locking Identities with Repeated Authentication Failures
You can now limit the maximum number of unsuccessful authentication attempts an identity (username or hostname) can make while authenticating through the EAP-TLS protocol, by specifying the number of authentication failures after which the identity must be locked. Identities can be locked permanently or for a specific time period. Successful authentications by a locked identity will also be rejected until the identity is unlocked again.
For more information, see the table in "RADIUS Settings" in the Chapter "Segmentation" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
Note
From Cisco ISE Release 3.3 Patch 4, Identity Lock Settings are no longer supported in the RADIUS Settings page.
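To make the lockout semantics concrete, the following added example (a model written for this page, not Cisco ISE code and not a description of its internals) implements the policy the notes describe: a per-identity failure threshold, a lock that is either permanent or expires after a set period, and rejection of an otherwise valid EAP-TLS authentication while the lock is in force. Resetting the failure counter on a successful authentication, the identity names and the clock values are assumptions made for the example.

```python
"""Lockout policy for repeated EAP-TLS authentication failures, as a model
of the behaviour the Cisco ISE 3.3 Patch 2 release notes describe.

Added example, not Cisco ISE code: a failure threshold per identity, a lock
that is either permanent or expires after a configurable period, and
rejection of otherwise-successful authentications while the identity is
locked. Resetting the counter on success is an assumption of this model, as
are the identity names and clock values used in demo().
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IdentityLockPolicy:
    max_failures: int = 5
    lock_seconds: Optional[float] = 900.0  # None means lock permanently
    failures: dict[str, int] = field(default_factory=dict)
    locked_until: dict[str, Optional[float]] = field(default_factory=dict)

    def is_locked(self, identity: str, now: float) -> bool:
        """True while a permanent lock, or a timed lock that has not expired, is in force."""
        if identity not in self.locked_until:
            return False
        until = self.locked_until[identity]
        if until is None or now < until:
            return True
        # Timed lock has expired: clear it and start counting afresh.
        self.unlock(identity)
        return False

    def record_failure(self, identity: str, now: float) -> bool:
        """Count one failure; return True if the identity is (now) locked."""
        if self.is_locked(identity, now):
            return True
        count = self.failures.get(identity, 0) + 1
        self.failures[identity] = count
        if count >= self.max_failures:
            self.locked_until[identity] = (
                None if self.lock_seconds is None else now + self.lock_seconds
            )
            return True
        return False

    def authenticate(self, identity: str, cert_valid: bool, now: float) -> str:
        """Apply the lock before honouring the result of certificate validation."""
        if self.is_locked(identity, now):
            return "rejected: identity locked"
        if cert_valid:
            self.failures.pop(identity, None)  # model assumption: success resets the count
            return "accepted"
        locked = self.record_failure(identity, now)
        return "rejected: identity locked" if locked else "rejected: authentication failed"

    def unlock(self, identity: str) -> None:
        """Administrative unlock: clears the lock and the failure counter."""
        self.locked_until.pop(identity, None)
        self.failures.pop(identity, None)


def demo() -> list[str]:
    """Three failures lock the identity; a valid certificate is refused until the lock expires."""
    policy = IdentityLockPolicy(max_failures=3, lock_seconds=600)
    host = "laptop-0042.example.com"  # constructed identity
    results = [policy.authenticate(host, False, now=t) for t in (0, 10, 20)]
    results.append(policy.authenticate(host, True, now=30))   # still locked
    results.append(policy.authenticate(host, True, now=700))  # lock expired
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The order of checks in `authenticate` is the point: the lock is consulted before the certificate result, which is why a valid certificate at t=30 is still refused. With `lock_seconds=None` the only way out is the administrative `unlock`.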
On-Demand pxGrid Direct Data Synchronization using Sync Now
You can use the Sync Now feature to perform on-demand synchronization of data for pxGrid Direct URL Fetcher connectors. You can perform both full and incremental syncs on-demand. On-demand data synchronization can be performed through the Cisco ISE GUI or using OpenAPI.
For more information, see "On-demand pxGrid Direct Data Synchronization using Sync Now" in the "Asset Visibility" chapter in the Cisco ISE Administrator Guide, Release 3.3.
Opening TAC Support Cases in Cisco ISE
From Cisco ISE Release 3.3 Patch 2, you can open TAC support cases for Cisco ISE directly from the Cisco ISE GUI.
For more information, see "Open TAC Support Cases" in the chapter "Troubleshoot" in Cisco ISE Administrator Guide, Release 3.3.
New Session Directory topic available using pxGrid
From Cisco ISE Release 3.3 Patch 2 onwards, you can subscribe to the Session Directory All topic using pxGrid. The sessionTopicAll is similar to the existing sessionTopic (which continues to be supported), with one key difference. The sessionTopicAll also publishes events for sessions without IP addresses. For more information, see the pxGrid API Guide.
Support for Transport Gateway Removed
Cisco ISE no longer supports Transport Gateway. The following Cisco ISE features used Transport Gateway as a connection method:
- Cisco ISE Smart Licensing: If you use Transport Gateway as the connection method in your smart licensing configuration, you must edit the setting before you upgrade to Cisco ISE Release 3.3 Patch 2, because Cisco ISE Release 3.3 Patch 2 does not support Transport Gateway. If you upgrade to Cisco ISE Release 3.3 Patch 2 without updating the connection method, your smart licensing configuration is automatically updated to use the Direct HTTPS connection method during the upgrade process. You can change the connection method at any time after the upgrade.
- Cisco ISE Telemetry: Transport Gateway is no longer available as a connection method when using Cisco ISE Telemetry. The telemetry workflow is not impacted by this change.
TLS 1.3 Support for Cisco ISE Workflows
Cisco ISE Release 3.3 Patch 2 and later releases allow TLS 1.3 to communicate with peers for the following workflows:
- Cisco ISE is configured as an EAP-TLS server
- Cisco ISE is configured as a TEAP server
  Attention
  TLS 1.3 support for Cisco ISE configured as a TEAP server has been tested only under internal test conditions, because at the time of the Cisco ISE Release 3.3 Patch 2 release, TEAP over TLS 1.3 is not supported by any available client OS.
- Cisco ISE is configured as a secure TCP syslog client
Note
For Cisco ISE Release 3.3 Patch 2, the Manually Configure Ciphers List option is not supported for TLS 1.3.
For more information, see "Configure Security Settings" in the Chapter "Segmentation" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
New Features in Cisco ISE, Release 3.3 - Cumulative Patch 1
Cisco Duo Integration for Multifactor Authentication
From Cisco ISE Release 3.3 Patch 1, you can directly integrate Cisco Duo as an external identity source for multifactor authentication (MFA) workflows. In earlier releases of Cisco ISE, Cisco Duo was supported as an external RADIUS proxy server and this configuration continues to be supported.
This Cisco Duo integration supports the following multifactor authentication use cases:
- VPN user authentication
- TACACS+ admin access authentication
For more information on this feature, see "Integrate Cisco Duo with Cisco ISE for Multifactor Authentication" in the Chapter "Segmentation" of the Cisco ISE Administration Guide, Release 3.3.
Customer Experience Surveys
Cisco ISE now presents customer satisfaction surveys to its users within the administration portal. The periodic administration of customer satisfaction surveys helps us better understand your Cisco ISE experiences, track what is working well, and identify areas of improvement. After you submit a survey, you are not presented with another survey for the next 90 days.
The surveys are enabled by default in all Cisco ISE deployments. You can disable the surveys at a user level or for a Cisco ISE deployment.
For more information, see "Customer Experience Surveys" in the chapter "Basic Setup" in the Cisco ISE Administrator Guide, Release 3.3.
Microsoft Intune Ends Support for UDID-Based Queries for Its MDM Integrations
From March 24, 2024, Microsoft Intune will not support UDID-based queries for its MDM integrations, as detailed in this Field Notice. The Cisco ISE APIs that fetch required endpoint information from Microsoft Intune MDM integrations have changed in response to this end of support.
From Cisco ISE Release 3.3 Patch 1, Microsoft Intune only provides the following endpoint details in response to compliance APIs:
- Device compliance status
- Managed by Intune
- MAC address
- Registration status
For more information on these changes, see Integrate MDM and UEM Servers with Cisco ISE.
New Features in Cisco ISE Release 3.3
Access the Cisco ISE Admin GUI Using HTTPS with TLS 1.3
From Cisco ISE Release 3.3, you can access the Cisco ISE Admin GUI using HTTPS with TLS 1.3 version. For more information, see "Configure Security Settings" in the chapter "Secure Access" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
Bulk Update and Bulk Delete Support for Context-in API in pxGrid Cloud
From Cisco ISE Release 3.3, you have context-in API support in pxGrid Cloud for bulk updation and bulk deletion of endpoints. For more information, see the Cisco ISE API Reference Guide.
Certificate-Based Authentication for API Calls
From Cisco ISE Release 3.3, you can configure authentication settings for API admin users such as API admin and OpenAPI admin. The API Authentication Type section allows you to permit password-based authentication, certificate-based authentication, or both. These authentication settings do not apply to REST admin users such as pxGrid REST, MnT REST, and other REST admin users. For more information, see "Enable API Service" in the chapter "Basic Setup" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
Cisco AI-ML Rule Proposals for Endpoint Profiling
Cisco ISE now provides profiling suggestions based on continuous learning from your networks, helping you to enhance endpoint profiling and management. You can use these suggestions to reduce the number of unknown or unprofiled endpoints in your network.
For more information, see "Cisco AI-ML Rule Proposals for Endpoint Profiling" in the chapter "Asset Visibility" in the Cisco Identity Services Engine Administration Guide, Release 3.3.
Configure Native IPSec in Cisco ISE
From Cisco ISE Release 3.3, you can configure IPSec using the native IPSec configuration. You can use native IPSec to establish security associations between Cisco ISE PSNs and NADs across an IPSec tunnel using IKEv1 and IKEv2 protocols. For more information, see "Configure Native IPSec on Cisco ISE" in the chapter "Secure Access" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
Disable Endpoint Replication to All nodes in a Cisco ISE Deployment
From Cisco ISE Release 3.3, dynamically discovered endpoints are not replicated to all the nodes in the Cisco ISE deployment automatically. You can choose to enable or disable the replication of dynamically discovered endpoints across all nodes in your Cisco ISE deployment. For more information, see "Data Replication from Primary to Secondary Cisco ISE Nodes" in the chapter "Deployment" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
Data Connect
From Cisco ISE Release 3.3, the Data Connect feature uses the admin certificate to provide database access to Cisco ISE using an Open Database Connectivity (ODBC) or Java Database Connectivity (JDBC) driver, so that you can directly query the database server to generate reports of your choice. For more information, see "Data Connect" in the chapter "Basic Setup" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
Enhanced Support for Unvalidated Operating Systems Releases in Posture Workflows
Cisco ISE now supports unvalidated versions of operating systems in agent-based and agentless posture workflows. In earlier releases of Cisco ISE, only endpoints that ran validated operating systems could meet posture agent policies; endpoints running an unvalidated operating system failed posture agent workflows with the error message "The operating system is not supported by the server."
For information on supported operating systems, see the Compatibility Matrix for your Cisco ISE release.
For example, posture agent flows for endpoints running Windows 10 IoT Enterprise LTSC or Mac 14 failed while these operating system versions were not validated. Once Cisco ISE validated these versions and the operating system data was published to the Feed Service, posture agents successfully matched these endpoints.
You can download the latest operating system data to Cisco ISE from the Feed Service through the Cisco ISE administration portal.
From Cisco ISE Release 3.3, unvalidated operating systems are matched to a known operating system listed in the Policy pages (Posture, Requirements, and Conditions pages) of the Cisco ISE administration portal, so that posture agent workflows can complete successfully. For example, if Mac xx is not validated and an endpoint is running it, a posture agent can now match the endpoint with MacOSX. When Mac xx is validated and published to the Feed Service, and the posture agent runs on the endpoint again, the endpoint is matched with Mac xx. Posture reports display the operating system that an endpoint is matched with.
All the posture agents that are supported by Cisco ISE Release 3.3 are impacted by this change. No other Cisco ISE features, such as BYOD, are impacted.
ERS API Support for LDAP Profile Bind Account Password
From Cisco ISE Release 3.3, the LDAP profile bind account password is supported by the ERS APIs. You can create a new LDAP server configuration through the ERS API, and the created LDAP server can then be used as an identity source elsewhere in Cisco ISE. For more information, see the Cisco ISE API Reference Guide.
IPv6 Support for Agentless Posture
Cisco ISE Release 3.3 adds IPv6 support for Agentless Posture. Windows and MacOS clients are currently supported.
For more information, see "Agentless Posture" in the chapter "Compliance" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
IPv6 Support for Portal and Profiler Features
Cisco ISE Release 3.3 adds IPv6 support for the following portals, portal features, and profiler features.
Cisco ISE Portals with IPv6 Support
- Sponsor Portal
- MyDevices Portal
- Certificate Provisioning Portal
- Hotspot Guest Portal
- Self-Registered Guest Portal
Cisco ISE Portal Features with IPv6 Support
- Single-Click Sponsor Approval
- Grace Period
- Validation of Credentials for Guest Portal
- Active Directory
- Guest Portal Posture Flow using Temporal Agent
- Active Directory User - Posture Flow with AnyConnect
- Dot1x User - Posture Flow with AnyConnect
- Guest and Dot1x User - Posture Flow with Temporal Agent
Profiler Features with IPv6 Support
- DHCP Probe
- HTTP Probe
- RADIUS Probe
- Context Visibility Services
- Endpoint Profiling
Note
The static IP/hostname/FQDN field for the common task of web redirection cannot take an IPv6 address.
Link External LDAP Users to Cisco ISE Endpoint Groups
From Cisco ISE Release 3.3, you can assign external LDAP user groups to Endpoint Identity Groups for guest devices using the Dynamic option. For more information, see "Create or Edit Guest Types" in the chapter "Guest and Secure WiFi" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
Managing Passwords of Cisco ISE Users
From Cisco ISE Release 3.3, as an internal user of Cisco ISE, you can choose to add the Date Created and Date Modified columns to the Network Access User table in the Network Access Users window. For more information, see "Cisco ISE Users" in the chapter "Asset Visibility" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
Multi-Factor Classification for Enhanced Endpoint Visibility
You can now create nuanced authorization policies using four specific attributes from the endpoints connecting to your network. The Multi-Factor Classification (MFC) profiler uses various profiling probes to fetch four new endpoint attributes to the Cisco ISE authorization policy creation workflows: MFC Endpoint Type, MFC Hardware Manufacturer, MFC Hardware Model, and MFC Operating System.
For more information, see "Multi-Factor Classification for Enhanced Endpoint Visibility" in the chapter "Asset Visibility" in the Cisco Identity Services Engine Administration Guide, Release 3.3.
Navigation Improvement
The Cisco ISE homepage GUI has been modified for a better user experience. When you click the menu icon at the left-hand corner of the homepage, a pane is displayed. Hovering your cursor over each of the following options on the pane displays its submenus to choose from:
- Context Visibility
- Operations
- Policy
- Administration
- Work Centers
Click Dashboard for the home page.
The left pane also contains a Bookmarks tab where you can save your recently viewed pages. Click the menu icon again to hide the pane.
If you log out when the left pane is displayed, and log in again, the pane continues to be displayed. However, if you log out after the pane is hidden, and log in again, you must click the menu icon for the pane to be displayed again.
You can now use the icon on the homepage to access the Search Pages option to search for a new page or visit recently searched pages.
For more information, see "Administration Portal" in the chapter "Basic Setup" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
Option to Disable Specific Ciphers
The Manually Configure Ciphers List option in the Security Settings window allows you to manually configure ciphers for communication with the following Cisco ISE components: admin UI, ERS, OpenAPI, secure ODBC, portals, and pxGrid.
A list of ciphers is displayed with allowed ciphers already selected. For example, if the Allow SHA1 Ciphers option is enabled, SHA1 ciphers are enabled in this list. If the Allow Only TLS_RSA_WITH_AES_128_CBC_SHA option is selected, only this SHA1 cipher is enabled in this list. If the Allow SHA1 Ciphers option is disabled, you cannot enable any SHA1 cipher in this list.
For more information, see "Configure Security Settings" in the chapter "Segmentation" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
Posture and Client Provisioning Support for ARM64 Version of Agent
From Cisco ISE Release 3.3, posture policies and client-provisioning policies are supported for ARM64 endpoints. You can upload the ARM64 version of agent for ARM64 endpoints.
Note the following points while configuring an ARM64 client-provisioning policy:
- ARM64 posture policies are supported for the following:
  - Windows Agent
  - Mac Agent
  - Mac Temporal Agent
  - Mac Agentless
  Windows policies run separate packages for ARM64 and Intel architectures. Windows Temporal and Windows Agentless are not supported on the ARM64 architecture, but are supported on the Intel architecture.
  macOS policies run the same package for both architectures.
- The ARM64 package is supported for Cisco AnyConnect VPN and Cisco Secure Client.
  Note
  Cisco Secure Client 5.0.4xxx and later versions support posture and client-provisioning policies for ARM64 endpoints.
  ARM64 compliance module 4.3.3583.8192 and later versions can be used with Cisco Secure Client 5.0.4xxx and later versions along with Cisco ISE 3.3 and later versions for ARM64 endpoints. You can download the compliance modules from the Software Download Center.
- ARM64 agent auto upgrade and compliance module upgrade are supported.
- Google Chrome and Microsoft Edge 89 and later versions support web redirection for OS Architecture conditions like ARM64, 64-bit, and 32-bit.
  The Firefox browser does not support web redirection for OS Architecture conditions like ARM64, 64-bit, and 32-bit. Hence, it cannot be used to match ARM64 client-provisioning policies. The following message is displayed when you use the Firefox browser:
  "ARM64 endpoints do not support Firefox browser, and there may be compatibility issues if you continue downloading this agent. We recommend that you use Chrome or Microsoft Edge browser instead."
- You cannot combine BYOD and ARM64 client-provisioning policies.
- Ensure that the ARM64 condition policy is at the top of the conditions list (listed above the policies without an ARM64 condition), because an endpoint is matched sequentially against the policies listed in the Client Provisioning Policy window.
For more information, see "Configure Client Provisioning Policy for ARM64 Version of Agent" in the chapter "Compliance" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.
pxGrid Context-in Enhancements
From Cisco ISE Release 3.3, you have context-in API support in pxGrid. You can create custom attributes for endpoints and use OpenAPI for context-in support. For more information, see the Cisco ISE API Reference Guide.
pxGrid Cloud Support for Context-in
From Cisco ISE Release 3.3, you have context-in API support in pxGrid Cloud. You can create custom attributes for endpoints and use OpenAPI for context-in support. For more information, see the Cisco ISE API Reference Guide.
pxGrid Direct Enhancements
pxGrid Direct is no longer a controlled introduction feature. Before you upgrade to Cisco ISE Release 3.3 from Cisco ISE Releases 3.2 or 3.2 Patch 1, we recommend that you delete all configured pxGrid Direct connectors and any authorization profiles and policies that use data from pxGrid Direct connectors. After you upgrade to Cisco ISE Release 3.3, reconfigure pxGrid Direct connectors.
Note
If you do not delete the configured pxGrid Direct connectors, the connectors are automatically deleted during the upgrade. This deletion results in uneditable and unusable authorization profiles and policies that you must delete and replace with new ones.
For more information on changes to the pxGrid Direct feature, see "pxGrid Direct" in the chapter "Asset Visibility" in the Cisco Identity Services Engine Administration Guide, Release 3.3.
RADIUS Step Latency Dashboard
The RADIUS Step Latency dashboard (Log Analytics > Dashboard) displays the maximum and average latencies for the RADIUS authentication flow steps for the specified time period. You can also view the maximum and average latencies for the Active Directory authentication flow steps (if Active Directory is configured on that node) and the Top N RADIUS authentication steps with maximum or average latencies.
For more information, see "Log Analytics" in the chapter "Maintain and Monitor" in the Cisco Identity Services Engine Administration Guide, Release 3.3.
Schedule Application Restart After Admin Certificate Renewal
After you renew an admin certificate on the primary PAN, all the nodes in your deployment must be restarted. You can either restart each node immediately or schedule the restarts later. This feature allows you to ensure that no running processes are disrupted by the automatic restarts, giving you greater control over the process. You must schedule node restarts within 15 days of certificate renewal.
For more information, see "Schedule Application Restart After Admin Certificate Renewal" in the chapter "Basic Setup" in the Cisco Identity Services Engine Administration Guide, Release 3.3.
Split Upgrade of Cisco ISE Deployment from GUI
Split upgrade is a multistep process that enables the upgrade of your Cisco ISE deployment while allowing other services to be available for users. The downtime can be limited in a split upgrade by upgrading the nodes in iterations or batches.
For more information, see "Split Upgrade of Cisco ISE Deployment from GUI" in the chapter "Perform the Upgrade" in the Cisco Identity Services Engine Upgrade Guide, Release 3.3.
Ukrainian Language Support in Portals
Guest, Sponsor, My Devices, and Client Provisioning portals now include Ukrainian as a supported localization language.
Wi-Fi Device Analytics Data from Cisco Catalyst 9800 Wireless LAN Controller
You can create profiling policies, authorization conditions, and authentication conditions and policies for Apple, Intel, and Samsung endpoints, using device analytics data from the Cisco Wireless LAN Controllers integrated with your Cisco ISE.
For more information, see "Wi-Fi Device Analytics Data from Cisco Catalyst 9800 Wireless LAN Controller" in the chapter "Asset Visibility" in the Cisco Identity Services Engine Administration Guide, Release 3.3.
Deprecated Features
Locking Identities with Repeated Authentication Failures
From Cisco ISE Release 3.3 Patch 4, Identity Lock Settings are no longer supported in the RADIUS Settings page.
System Requirements
For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.
For more details on hardware platforms and installation of this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.
Supported Hardware
Cisco ISE 3.3 can be installed on the following Secure Network Server (SNS) hardware platforms:
- Cisco SNS-3615-K9 (small)
- Cisco SNS-3655-K9 (medium)
- Cisco SNS-3695-K9 (large)
- Cisco SNS-3715-K9 (small)
- Cisco SNS-3755-K9 (medium)
- Cisco SNS-3795-K9 (large)
For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide.
Note
The filenames of the OVA templates have been changed in Cisco ISE Release 3.3.
The following OVA templates can be used for SNS 3600 series appliances:

| OVA Template | ISE Node Size |
|---|---|
| Cisco-vISE-300-3.3.0.430.ova | Evaluation, Extra Small, Small, Medium |
| Cisco-vISE-600-3.3.0.430.ova | Small, Medium |
| Cisco-vISE-1200-3.3.0.430.ova | Medium, Large |
| Cisco-vISE-1800-3.3.0.430.ova | Large |
| Cisco-vISE-2400-3.3.0.430.ova | Large |
The following OVA templates can be used for both SNS 3600 and SNS 3700 series appliances:

| OVA Template | ISE Node Size | Configuration |
|---|---|---|
| Cisco-vISE-300-3.3.0.430a.ova | Evaluation | 300-Eval |
| Cisco-vISE-300-3.3.0.430a.ova | Extra Small | 300-ExtraSmall |
| Cisco-vISE-300-3.3.0.430a.ova | Small | 300-Small_36xx, 300-Small_37xx |
| Cisco-vISE-300-3.3.0.430a.ova | Medium | 300-Medium_36xx, 300-Medium_37xx |
| Cisco-vISE-600-3.3.0.430a.ova | Small | 600-Small_36xx, 600-Small_37xx |
| Cisco-vISE-600-3.3.0.430a.ova | Medium | 600-Medium_36xx, 600-Medium_37xx |
| Cisco-vISE-1200-3.3.0.430a.ova | Medium | 1200-Medium_36xx, 1200-Medium_37xx |
| Cisco-vISE-1200-3.3.0.430a.ova | Large | 1200-Large_36xx, 1200-Large_37xx |
| Cisco-vISE-2400-3.3.0.430a.ova | Large | 2400-Large_36xx, 2400-Large_37xx |
Cisco SNS 3595 is not supported for Cisco ISE 3.3 and later releases. For more information, see End-of-Life and End-of-Sale Notices.
You cannot install or upgrade to Cisco ISE 3.3 or later releases using a Cisco SNS 3595 appliance. Virtual appliances with Cisco SNS 3595 profile must be migrated to Cisco SNS 3655 profile. To migrate the profile, you must take the backup of the node, install Cisco ISE 3.3 using Cisco SNS 3655 profile, and then restore the backup of Cisco SNS 3595 profile on this node.
Note: If you are upgrading from Cisco ISE 3.2 or earlier releases to Cisco ISE 3.3 using the Cisco SNS 3595 profile, the node is profiled as Cisco SNS 3615 in Cisco ISE 3.3, so the performance of the node is degraded.
Supported Virtual Environments
Cisco ISE supports the following virtual environment platforms:
- VMware ESXi:
  - Cisco ISE Release 3.3 is the last release to support VMware ESXi 6.7. For Cisco ISE Release 3.0 and later releases, we recommend that you update to VMware ESXi 7.0.3 or later. If you use vTPM devices, you must upgrade to VMware ESXi 7.0.3 or later.
  - OVA templates: VMware version 14 or later on ESXi 6.7, ESXi 7.0, and ESXi 8.0.
  - ISO file: supports ESXi 6.7, ESXi 7.0, and ESXi 8.0.

  You can deploy Cisco ISE on VMware cloud solutions on the following public cloud platforms:
  - VMware Cloud on Amazon Web Services (AWS): Host Cisco ISE on a software-defined data center provided by VMware Cloud on AWS.
  - Azure VMware Solution: Azure VMware Solution runs VMware workloads natively on Microsoft Azure. You can host Cisco ISE as a VMware virtual machine.
  - Google Cloud VMware Engine: Google Cloud VMware Engine runs a VMware software-defined data center on Google Cloud. You can host Cisco ISE as a VMware virtual machine on the software-defined data center provided by the VMware Engine.

  Note: From Cisco ISE 3.1, you can use the VMware migration feature to migrate virtual machine (VM) instances (running any persona) between hosts. Cisco ISE supports both hot and cold migration. Hot migration is also called live migration or vMotion. Cisco ISE does not need to be shut down or powered off during a hot migration; you can migrate the Cisco ISE VM without any interruption in its availability.
- Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later
- KVM on QEMU 2.12.0-99 and later

  Note: Cisco ISE cannot be installed on OpenStack.
- Nutanix AHV 20220304.392

You can deploy Cisco ISE natively on the following public cloud platforms:
- Amazon Web Services (AWS)
- Microsoft Azure Cloud
- Oracle Cloud Infrastructure (OCI)
For information about the virtual machine requirements, see the Cisco Identity Services Engine Installation Guide for your version of Cisco ISE.
Validated Browsers
Cisco ISE 3.3 is supported on the following browsers:
- Mozilla Firefox versions 113, 114, 119, 123, 125, 127, and later
- Google Chrome versions 112, 114, 116, 117, 119, 122, 124, 126, and later
- Microsoft Edge versions 112, 115, 117, 119, 122, 125, 126, and later
- Safari 18.0 and later

Note: Currently, you cannot access the Cisco ISE GUI on mobile devices.
Validated External Identity Sources
Note: The supported Active Directory versions are the same for both Cisco ISE and Cisco ISE-PIC.

| External Identity Source | Version |
|---|---|
| Active Directory | |
| Microsoft Windows Active Directory 2012 | Windows Server 2012 |
| Microsoft Windows Active Directory 2012 R2 (1) | Windows Server 2012 R2 |
| Microsoft Windows Active Directory 2016 | Windows Server 2016 |
| Microsoft Windows Active Directory 2019 | Windows Server 2019 |
| Microsoft Windows Active Directory 2022 | Windows Server 2022 with Patch Windows10.0-KB5025230-x64-V1.006.msu |
| Microsoft Windows Active Directory 2025 | Windows Server 2025 |
| LDAP Servers | |
| SunONE LDAP Directory Server | Version 5.2 |
| OpenLDAP Directory Server | Version 2.4.23 |
| Any LDAP v3-compliant server | Any version that is LDAP v3 compliant |
| AD as LDAP | Windows Server 2022 with Patch Windows10.0-KB5025230-x64-V1.006.msu |
| Token Servers | |
| RSA ACE/Server | 6.x series |
| RSA Authentication Manager | 7.x and 8.x series |
| Any RADIUS RFC 2865-compliant token server | Any version that is RFC 2865 compliant |
| Security Assertion Markup Language (SAML) Single Sign-On (SSO) | |
| Microsoft Azure MFA | Latest |
| Oracle Access Manager (OAM) | Version 11.1.2.2.0 |
| Oracle Identity Federation (OIF) | Version 11.1.1.2.0 |
| PingFederate Server | Version 6.10.0.4 |
| PingOne Cloud | Latest |
| Secure Auth | 8.1.1 |
| Any SAMLv2-compliant Identity Provider | Any Identity Provider version that is SAMLv2 compliant |
| Open Database Connectivity (ODBC) Identity Source | |
| Microsoft SQL Server | Microsoft SQL Server 2012, Microsoft SQL Server 2022 |
| Oracle | Enterprise Edition Release 12.1.0.2.0 |
| PostgreSQL | 9.0 |
| Sybase | 16.0 |
| MySQL | 6.3 |
| Social Login (for Guest User Accounts) | |
| | Latest |

(1) Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2. However, the new features in Microsoft Windows Active Directory 2012 R2, such as Protected User Groups, are not supported.
Supported Antivirus and Antimalware Products
For information about the antivirus and antimalware products supported by the Cisco ISE posture agent, see Cisco AnyConnect ISE Posture Support Charts.
Validated OpenSSL Version
Cisco ISE 3.3 is validated with OpenSSL 1.1.1x and CiscoSSL 7.3.375 with FOM 7.3a.
OpenSSL Update Requires CA:True in CA Certificates
For a certificate to be defined as a CA certificate, the certificate must contain the following property:
basicConstraints=CA:TRUE
This property is mandatory to comply with recent OpenSSL updates.
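The following POSIX shell script is an added example, not part of the Cisco release notes and not a Cisco tool. It builds two constructed self-signed certificates with an explicit OpenSSL config (one with basicConstraints CA:TRUE, one with CA:FALSE) and then checks the decoded Basic Constraints extension the way you would check any trust certificate before importing it as a CA certificate. It assumes the openssl CLI (1.1.1 or 3.x) is installed; the scratch directory, file names and subject are constructed values.

```shell
#!/bin/sh
# Added example (not Cisco's own tooling): generate a test CA certificate that
# carries basicConstraints=CA:TRUE via an explicit OpenSSL config, and check that
# flag on any PEM certificate before importing it as a CA certificate.
# Assumes the openssl CLI is installed. Names below are constructed.

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # scratch directory (assumption)

# write_openssl_cnf FILE CA_FLAG
# Writes a minimal req config whose x509_extensions section sets CA:TRUE or CA:FALSE.
write_openssl_cnf() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ext

[ dn ]
CN = example-lab-cert

[ v3_ext ]
basicConstraints = critical, CA:$2
subjectKeyIdentifier = hash
EOF
}

# make_cert NAME CA_FLAG
# Generates a self-signed RSA-2048 certificate from the config above and prints its path.
make_cert() {
  cnf="$WORKDIR/$1.cnf"
  key="$WORKDIR/$1.key"
  crt="$WORKDIR/$1.pem"
  write_openssl_cnf "$cnf" "$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$key" -out "$crt" -config "$cnf" >/dev/null 2>&1 || return 1
  printf '%s\n' "$crt"
}

# is_ca_cert FILE
# Returns 0 only when the decoded Basic Constraints extension says CA:TRUE,
# which is the property recent OpenSSL builds require of a CA certificate.
is_ca_cert() {
  openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'CA:TRUE'
}

# basic_constraints FILE
# Prints the Basic Constraints lines of the decoded certificate for a human-readable check.
basic_constraints() {
  openssl x509 -noout -text -in "$1" 2>/dev/null | grep -A1 'Basic Constraints'
}

# Constructed sample run: one proper CA certificate and one leaf-style certificate.
ca_pem=$(make_cert lab-ca TRUE)
leaf_pem=$(make_cert lab-leaf FALSE)
for f in "$ca_pem" "$leaf_pem"; do
  if is_ca_cert "$f"; then
    echo "$f: CA:TRUE present, acceptable as a CA certificate"
  else
    echo "$f: CA:TRUE missing, would not be treated as a CA certificate"
  fi
  basic_constraints "$f"
done
```

Run `is_ca_cert /path/to/cert.pem` against a certificate you intend to import: a zero exit status means the extension is present with CA:TRUE; anything else (CA:FALSE, or no Basic Constraints extension at all) means the certificate will not be accepted as a CA certificate under the OpenSSL behaviour described above.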
Known Limitations and Workarounds
This section provides information about the various known limitations and the corresponding workarounds.
Cisco ISE Restart Limitation with Disabled pxGrid Direct Connectors
Restarting Cisco ISE when there are disabled pxGrid Direct connectors causes problems with scheduling sync operations through pxGrid Direct connectors after the restart. We recommend that you enable all disabled pxGrid Direct connectors before restarting Cisco ISE, and disable the connectors again after the restart. Alternatively, as a workaround, you can edit the attributes of the disabled connector (making it an active connector) before the Cisco ISE restart.
This problem has been resolved in Cisco ISE Release 3.2 Cumulative Patch 5 and Cisco ISE Release 3.3 Cumulative Patch 2.
Upgrade Information
Note: Native cloud environments must use the Cisco ISE backup and restore method for upgrades. Upgrades cannot be performed on Cisco ISE nodes deployed in native cloud environments. You must deploy a new node with a newer version of Cisco ISE and restore the configuration of your older Cisco ISE deployment onto it.
Upgrading to Release 3.3
You can directly upgrade to Release 3.3 from the following Cisco ISE releases:
- 3.0
- 3.1
- 3.2
If you are on a version earlier than Cisco ISE Release 3.0, you must first upgrade to one of the releases listed above, and then upgrade to Release 3.3.
We recommend that you upgrade to the latest patch in the existing version before starting the upgrade.
Upgrade Packages
For information about upgrade packages and supported platforms, see Cisco ISE Software Download.
Cisco ISE Release 3.3 upgrade bundle files have been replaced on the Cisco ISE Software Download site.
This entails:
- resolution of bugs CSCwj43362 and CSCwj55392;
- that the filenames of the new files have "b" appended to the build number (for example, ise-upgradebundle-3.0.x-3.2.x-to-3.3.0.430b.SPA.x86_64.tar.gz);
- that existing Cisco ISE Release 3.3 cumulative patches continue to work with this new upgrade bundle.
Upgrade Procedure Prerequisites
- Run the Upgrade Readiness Tool (URT) before the upgrade to check whether the configured data can be upgraded to the required Cisco ISE version. Most upgrade failures occur because of data upgrade issues. The URT validates the data before the actual upgrade and reports the issues, if any. The URT can be downloaded from the Cisco ISE Download Software Center.
- We recommend that you install all the relevant patches before beginning the upgrade.
For more information, see the Cisco Identity Services Engine Upgrade Guide.
Cisco ISE Integration with Cisco Catalyst Center
Cisco ISE can integrate with Cisco Catalyst Center. For information about configuring Cisco ISE to work with Catalyst Center, see the Cisco Catalyst Center documentation.
For information about Cisco ISE compatibility with Catalyst Center, see the Cisco SD-Access Compatibility Matrix.
Install a New Patch
For instructions on how to apply the patch to your system, see the "Cisco ISE Software Patches" section in the Cisco Identity Services Engine Upgrade Journey.
For instructions on how to install a patch using the CLI, see the "Patch Install" section in the Cisco Identity Services Engine CLI Reference Guide.
Note: If you installed a hot patch on your previous Cisco ISE release, you must roll back the hot patch before installing a patch. Otherwise, the services might not start because of an integrity check security issue.
Caveats
The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, use the Cisco Bug Search Tool (BST).
Note: The Open Caveats sections list the open caveats that apply to the current release and might apply to releases earlier than Cisco ISE 3.3. A caveat that is open for an earlier release and is still unresolved applies to all future releases until it is resolved.
Resolved Caveats
Resolved Caveats in Cisco ISE Release 3.3 - Cumulative Patch 4
| Identifier | Headline |
|---|---|
| | Data mismatch while opening live logs or live session details in Cisco ISE. |
| | Deleted MDM server is still listed in MDMServerName attribute allowed values. |
| | Agentless posture endpoint logs are exported as HTM instead of a zip file. |
| | When a previous mandatory policy fails, the audit policy fails and shows skipped conditions. |
| | The Get-All Guest User API does not retrieve all accounts, specifically those created by other sponsor users. |
| | Stale lock files block API gateway and context visibility. |
| | When you try to edit or add a description for network access users, the description field closes. |
| | Cisco ISE ERS guest documentation should be updated to exclude portal ID from the Get calls. |
| | Backup restoration is stuck at 75 percent. |
| | Evaluate configuration validator does not parse all the NAD interfaces. |
| | Empty GPG files are exported if there is no data to purge. |
| | Replication Error "Error synchronizing object: EDF2EndPoint: Operation: Update". |
| | Cisco ISE internal users account disable policy feature does not work after one day of inactivity. |
| | Old Cisco ISE nodes are shown in TCP dump and debug profile configuration after restore. |
| | Unable to log in to Cisco ISE GUI. After entering the credentials, it hangs on the checking credentials screen. |
| | Discrepancy in the count of identity groups between the CV and Oracle database. |
| | After patch install, TC-NAC adapters are not reachable and new adapters cannot be configured. |
| | When posture lease is enabled, the PSN node does not update the database with the correct posture expiry time. |
| | Cisco ISE does not allow saving allowed protocols with no protocols checked. |
| | SAML request PSN exclusion. |
| | TACACS data is not retained and everything gets purged. |
| | Cisco ISE counters reports are empty for secondary nodes. |
| | Repository password accepts %,<,>,? characters from CLI but not from GUI. |
| | Cisco ISE EAP-FAST PAC-less session timeout value does not get saved. |
| | Update OpenSSL library to OpenSSL 1.1.1x (CiscoSSL 7.3.375 with FOM 7.3a). |
| | PSN does not update the database with the correct posture lease expiry time. |
| | Users pending account is not displayed in the Sponsor Manage Account page. |
| | TACACS+ endstation network condition high step latency while accessing the NAD through console. |
| | From Cisco ISE 3.1 Patch 6, the method used to retrieve policy details calls the internal method and is not cached. |
| | Cisco ISE profiler unable to read the MAC from the LLDP port ID subtype 7 received through SNMP probe response. |
| | TrustSec deploy request failed and CoA request got stuck while fetching NADs. |
| | Cisco ISE REST API Blind SQL Injection Vulnerabilities. |
| | Cisco ISE REST API Blind SQL Injection Vulnerabilities. |
| | From Cisco ISE Release 2.6, it is not possible to create static IP-SGT mapping for EPGs imported from ACI. |
| | Cisco ISE REST API Blind SQL Injection Vulnerabilities. |
| | The ea.log file should be included in support bundle. |
| | Authentication using the name of the profile fails when the default device is used. |
| | "No session available" error is displayed when trying to rename guest type in the policy set. |
| | Cisco ISE does not connect with external RADIUS server when proxy-state attribute is missing. |
| | Cisco ISE should not allow updating existing library conditions with conditions that are not allowed in the policy set. |
| | Cisco ISE skips authentication against the child domain controller when the AD Forest is marked offline. |
| | Binding with SGT assigned through MAB policy is not seen in SGT bindings table. |
| | Numeric overflow exception encountered during restart of replication client. |
| | MDM significant attributes causing database persistent events during authentication flow. |
| | Vulnerable JS Library issue found while executing ZAP in Cisco ISE Release 3.3. |
| | Cisco ISE Command Injection Vulnerability. |
| | Cybervision receives DDOS getAssets calls post Cisco ISE integration. |
| | Cisco ISE app server crashes while importing large files to secondary node through local disk management. |
| | Profiler network device event handler failed to add device for input string 0-255. |
| | AD connector is not in joined status. |
| | The ise.psc.log does not print the incoming API request's URI in DEBUG mode. |
| | Right CoA to be triggered in VPN flow when posture and MDM flow are configured together. |
| | The pxGrid live log serviceability. |
| | Unable to retrieve Endpoint IP address through API calls. |
| | AD credentials fail to integrate Cisco ISE with Cisco Catalyst Center 2.2.1.x and above. |
| | The ise.messaging.log is not visible on GUI to download. |
| | Maximum concurrent CLI sessions does not work. |
| | Endpoint check result remains unreachable after passive ID login event. |
| | Cisco ISE missing rate limiting protection. |
| | Unable to replace SSH key for Cisco ISE AWS EC2 instances. |
| | Getting higher counts on external active directory logs on syslog server. |
| | ODBC query in authorization policy does not return result with postgres. |
| | ConfD generates endless localhost:9888.access.1.1.1.1...and so on. |
| | In Cisco ISE Release 3.3 Patch 3, DUO MFA authentication fails instantly with "22076 MFA authentication failed" in live logs. |
| | The graph is not shown when you click on Cisco ISE report in launchpad from Prime Infrastructure. |
| | Endpoint details in Cisco ISE context visibility do not match RADIUS live logs or sessions during MDM flow. |
| | Agentless posture fails for EAP-TLS flows with multiple domains configured for endpoint login. |
| | Cisco ISE Business Logic Issue - User Dictionaries. |
| | From Cisco ISE Release 3.2, the System 360 Monitoring debug log rotation does not work. |
| | In Cisco ISE 3.2 Patch 6, insufficient virtual machine resources alarm triggers on AWS. |
| | Posture state synchronization feature use cases and validation steps need to be documented. |
| | Cisco ISE says CLI maximum password size is 127. |
| | The ise-duo.log is not collected at the time of support bundle creation. |
| | Misleading pop-up is seen while password lifetime is set for more than 365 days. |
| | In API NBAR application management setting, PUT option shows an error in swagger tool. |
| | Known OS bug causes swap to increase on Cisco ISE nodes. |
| | Cisco ISE Formula Injection. |
| | The GUI does not ask confirmation of old password for password change. |
| | OOM heap files must be deleted for agentprobeoom.sh and restprobeoom. |
| | Health check fails for MDM flow. |
| | When creating a network access user, the system does not allow creating the user with a first name or last name that includes combinations of "OR". |
| | Total authentication latency and client latency do not work for TACACS+. |
| | Attribute name in SMS HTTP URL causes issues with URL updates on editing. |
| | The "DumpClearOnExceed" files fill up the disk on Cisco ISE PSN nodes. |
| | Cisco ISE Server-Side Validation Missing. |
| | Invalid IP or hostname error when using "_" as first character in the nslookup request. |
| | Cisco ISE stuck in a profiling loop which causes slow replication errors. |
| | Imported endpoints show incorrect endpoint IDs causing data mismatch. |
| | ODBC advanced attributes do not work if two or more in-bound attributes are selected. |
| | System 360 does not show Cisco ISE nodes with DNS domain names different from the primary Cisco ISE. |
| | The health check fails on input or output bandwidth performance check and returns a NULL result. |
| | Assigned logical profile is repeated in context visibility endpoint attributes and reports. |
| | Unable to create new internal user due to "could not execute statement; SQL [n/a]; constraint" error. |
| | The HS_err files get generated on MnT nodes. |
| | Cisco ISE 360 Monitoring dashboard displays average CPU time percentage instead of summing the rate. |
| | Operational data purging shows only primary monitoring node name in a two-node deployment. |
| | SXP threads storing NULL objects in the Java heap cause high CPU load and utilization. |
| | Cisco ISE /ers/config/endpoint/getrejectedendpoints does not have pagination and returns only 100 endpoints. |
| | SNMP v3 config does not alert the admin when engineID format is incorrect for snmp-server host. |
| | High memory usage observed in <getAllTrustCerts> class in eight-node deployment. |
| | Cisco ISE REST API Blind SQL Injection Vulnerabilities. |
| | Primary admin node stuck at disk corruption check stage during split upgrade from Cisco ISE Release 3.3 Patch 1 to Cisco ISE Release 3.4. |
| | IP-SXP mapping is not created for VPN clients. |
| | Cisco ISE internal users lock or suspend on incorrect attempts counter does not work as expected. |
| | ODBC advanced setting sent in procedure call should be logged. |
| | Could not assign EAP role on certificate with IMS role. |
| | When joining multiple Cisco ISE nodes to the domain controller simultaneously, duplicate accounts are created. |
| | High CPU on admin node after accessing "Endpoint Identity Groups" page on Cisco ISE. |
| | Change in local log settings does not trigger old files deletion. |
| | In Cisco ISE Release 3.1 Patch 7, when the endpoint attribute filter is disabled, custom attributes are not retained. |
| | Backup details show scheduled status as "no" and "triggered from CLI" when they are scheduled from GUI. |
| | In Cisco ISE Release 3.2 Patch 6, Cisco ISE_Internal_Operations_Diagnostics triggers a FATAL logging message stating the system has reached the low disk space limit due to a localstore directory size issue. |
| | Cisco ISE is not able to query MySQL 8.x as mysql.proc table is not implemented. |
| | Cisco ISE passiveid-agent.log should include information about the user when logon event is shared. |
| | Device admin license does not allow Cisco ISE admin user to reset first login password. |
| | Compress restprobeOOMHeap dumps. |
| | From Cisco ISE Release 3.3 Patch 3, multiple options have been removed or do not work in the application configure ise command. |
| | Cisco ISE does not share posture compliant session properly over pxGrid. |
| | Better description for error while editing internal users. |
| | List of installed patches does not show under patch management page due to admin certificate issue. |
| | Sysaux tablespace allocation should be done based on the profile of the node. |
| | Cisco ISE Release 3.2 API does not validate if a join point is being used when deleting it over the ERS API. |
| | Interrupting execution of "show tech-support" causes services to stop on Cisco ISE. |
| | Unable to delete the IPv6 route after performing the modification. |
| | Undefined data in information page of identities. |
| | Policy hit count shows zero when fetched by open API GET call. |
| | From Cisco ISE Release 3.2 and later, bond interfaces need MTU as configured on primary interfaces. |
| | Cisco ISE CLI or SSH user does not follow password policy. |
| CSCwm30212 | The pxGrid direct triggers sync at last restart time instead of scheduled time. |
| | The swapon or swapoff cron should be removed as it causes high load every six hours. |
| | If PAN failover is enabled in the deployment page, PAN-HA precheck fails. |
| | In Cisco ISE Release 3.2 Patch 5, documentation correction for guest. |
| | Cannot delete a capture following a hostname change. |
| | In Cisco ISE Release 3.3 Patch 3, MnT database reset causes the whole database to become corrupted. |
| | High memory utilization causes the app server to restart after 12 hours of passive traffic. |
| | Optimize the indexing for 'EDF_MDM_GUID' lookups to eliminate full table scans. |
| | DNS cache timeout is not honored. |
| | Heap space is fully utilized by RMQ Consumer. |
| | The external identity sources show "no data available" after Cisco ISE Release 3.3 Patch 3 installation. |
| | Passive session is not published to FMC as Cisco ISE tries to stitch the session. |
| | OOM killer alerts Cisco ISE Admin CLI due to API-gateway memory limitation. |
| | Additional fix to LSD class. |
| | TC-NAC_Tenable throws "Scan Failed: Error in connecting to host: 403 Forbidden" error. |
| | Cisco ISE reverts to the old CLI password after shutting down and powering on the VM or SNS appliance. |
| | GigabitEthernet or Bond Interfaces with link-local IPv6 addresses after IPv6 is disabled. |
| | SXP mappings are not learned for VPN users' private IP. |
Resolved Caveats in Cisco ISE Release 3.3 - Cumulative Patch 3
| Caveat ID Number | Description |
|---|---|
| | Microsoft Azure AD has been officially renamed as Microsoft Entra ID. |
| | Command show cpu usage does not display information on Cisco ISE Release 3.x. |
| | Endpoint loses static identity group assignment after reauthentication. |
| | Application remediation disappears after editing. |
| | Umbrella defect for providing information for terminologies used in licensing page. |
| | TLS is restricted to use only a few ciphers in Cisco ISE Release 3.3, but ports 8905, 9094, and 9095 use all ciphers. |
| | A guest flow triggers a CoA when Cisco Catalyst Center or EA dictionary attributes are updated on Cisco ISE. |
| | [404] Resource Not Found error occurs when using the built-in authorization profile Block_Wireless_Access. |
| | Unable to add multiple tasks with quotes in launch program remediation. |
| | IP host <ip> <fqdn> command does not create IP-FQDN entry in Cisco ISE. |
| | The pxGrid direct service remains stuck in the initializing state as the lock file is not removed. |
| | Cisco ISE business logic issue in user dictionaries. |
| | The Cisco ISE Release 3.2 guest user API gives incorrect results when using a filter. |
| | Cisco ISE fails to send SNMPv3 disk traps to the configured SNMP server. |
| | Cisco ISE throws an error for iPSK custom attributes that start with special characters. |
| | The system extends sponsored guest accounts beyond the maximum number of days allowed. |
| | SAML default portal required to configure SAML in Cisco ISE is deleted from database. |
| | Extra popup screen appears while viewing RADIUS or TACACS key after enabling "require admin password" option. |
| | Cisco ISE DNS resolvability health check fails due to a duplicated entry of IP, name and FQDN in /etc/hosts. |
| | Cisco ISE reaches the context limit in proxy flow when it queries LDAP groups for authorization policy. |
| | Device network conditions GUI fails to load. |
| | Cisco ISE Release 3.2 could not find selected authorization profiles. |
| | The pxGrid direct sync is stuck in progress. |
| | Unable to delete network device group. |
| | A failed scheduled backup does not generate an alarm. |
| | The "Dashboard System Status" query exhausts 1000 database connections. |
| | Profiling does not suppress CoA although CoA is suppressed for specific logical groups. |
| | Insufficient virtual machine resource alarm is observed in Cisco ISE Release 3.1 Patch 8 longevity setup. |
| | Device administration setting changes record no report or alarm. |
| | MDM compliance check fails when there are multiple MAC addresses with VMware Workspace ONE as MDM. |
| | The RMQ forwarder causes high CPU or load average. |
| | Fix for using IPv6 with CoA requests. |
| | REST API authentication service does not enable when /etc/hosts has multiple entries. |
| | Cisco ISE self persistent Cross-Site Scripting (XSS) in my reports. |
| | Non super-admin users cannot edit or delete endpoints when Cisco ISE has more than 1000 identity groups. |
| | Cisco ISE integration fails with "pxGrid is not enabled on Cisco ISE" error message even when pxGrid is enabled on both nodes. |
| | Cisco ISE Release 3.3 does not invoke MFA for the user with User Principal Name (UPN). |
| | Cisco ISE monitoring GUI page stuck at "Welcome to Grafana". |
| | When using Azure SAML for admin access, RBAC causes endpoint import to fail. |
| | Primary PAN REST API call to MnT nodes should not be load balanced. |
| | Inconsistencies in the database cause corruption in the Cisco ISE portal. |
| | Cisco ISE support bundle must include garbage collector logs, thread dump, and heap dump. |
| | Cisco ISE cross-site request forgery. |
| | Cannot remove identity store from CLI that was added using uppercase FQDN. |
| | AD group retrieval fails while evaluating authorization policy. |
| | Profiler caches MDM attribute with wrong values. |
| | API ers/config/sessionservice node returns an incorrect total. |
| | Cisco ISE Release 3.2 Patch 4: deleteCertFromStore fails to parse certificate. |
| | PSN node does not update the database with correct posture expiry time when posture lease is enabled. |
| | Application server crashes due to metaspace exhaustion. |
| | Invalid IP or hostname error. |
| | Changes in rank cause authorization rule to commit to the database table, which triggers save call from UI. |
| | Cisco Identity Services Engine Code Injection Vulnerability. |
| | Cisco ISE Release 3.2 Patch 4 context visibility does not match live logs or sessions. |
| | Endpoints that have a null key value pair in the attributes section interrupt the purge flow. |
| | No IPv4 or IPv6 selection is seen for passive ID reports for IP address column filter. |
| | Cisco ISE should do lookup again when the token server is FQDN. |
| | The pxGrid getUserGroups API request returns an empty response. |
| | The nsf should return index-0 SAN-URI to MDM, even when there are multiple SAN-URIs. |
| | Cisco ISE allows a policy to be saved when another browser tab deletes an ID Store. |
| | Upgrade CXF version as 3.4.2 is vulnerable. |
| | Intensive garbage collection is observed due to SXP component. |
| | After ADE-OS is restored, appserver is stuck at initializing state. |
| | Cisco ISE Release 3.2 sends outgoing RST packets with APIPA IP 169.254.4.x. |
| | Cisco ISE could not find selected authorization profile if created using API. |
| | Invalid request page in Cisco ISE Release 3.2 Patch 5. |
| | SNMPD process causes memory leak on Cisco ISE. |
| | In Cisco ISE, the vulnerability identified by Common Vulnerabilities and Exposures (CVE) ID CVE-2023-48795 affects third-party software in OpenSSH. |
| | Swap cleanup script to drop the swap area and program the cron. |
| | Cisco ISE Release 3.2 Patch 2 is intermittently not unmounting NFS repositories. |
| | The 'accountEnabled' attribute in Azure AD causes authentication issues for EAP-TLS. |
| | Export of more than 90,000 network devices times out. |
| | Cisco ISE audit reports log APIPA addresses as the source of API requests. |
| | Resend the user account details for all or specific guest users to the sponsor. |
| | Primary PAN nodes show cores related to jstack. |
| | Cisco ISE Release 3.3 ECDSA Explicit Curve test fails for EAP, secure syslog, and secure LDAP. |
| | Enhance guest user account search functionality. |
| | TrustSec CoA is not sent from the primary PAN when it does not have a policy role. |
| | Cisco ISE reaches the context limit in the proxy flow while querying LDAP groups for authorization policy. |
| | Unable to trigger CoA that is stuck at dispatcher queue. |
| | Cisco ISE main ThreadPool is stuck due to ACE third-party library causing contextN leak. |
| | Cisco ISE Evaluate OpenSSH CVE-2024-6387 "regreSSHion". |
| | In Cisco ISE 3.3, TACACS data is not retained and everything gets purged. |
Resolved Caveats in Cisco ISE Release 3.3 - Cumulative Patch 2
| Caveat ID Number | Description |
|---|---|
| | Space characters in command arguments are not preserved after CSV export of TACACS+ command set. |
| | Authorization policy takes time to load, causing delays in Duo portal entries. |
| | SR-Insights identifies an Umbrella defect that displays more information on SL registration failure. |
| | In Cisco ISE 3.3, enabling the "always show invalid usernames" option does not work. |
| | Endpoint probe does not clean up SGT Exchange Protocol mappings. |
| | Updating internal users through ERS needs to retain values of non-mandatory attributes. |
| | Exporting the report beyond a one-month period yields no data. |
| | ERS API takes several seconds to update a single endpoint. |
| | In Cisco ISE 3.2: SMS is not sent in the "Reset Password" flow when using a custom SMTP API Destination Address. |
| | A wildcard certificate imported on PPAN is not replicated to other nodes in the deployment. |
| | TrustSec deploy verification - policy difference alarm while policy is identical on Cisco ISE and NAD. |
| | Unable to integrate with Prime Infrastructure due to a wrong password error. |
| | The Cisco ISE AD Diagnostic Tool stops working upon upgrade, making it impossible to retrieve the list of available tests. |
| | Cisco ISE API: does not recognize identity groups while creating user accounts. |
| | Cisco ISE CLI read-only users cannot run the show cpu usage command. |
| | Application server crashes due to metaspace exhaustion. |
| | In redirect URLs that use an FQDN ending with an IP, the IP is replaced by the Cisco ISE hostname. |
| | In Cisco ISE PIC 3.1, the Live Session feature does not show terminated sessions. |
| | Cisco ISE 3.1 Patch 7: Removed Device Types remain selectable in policy set. |
| | Cisco ISE: REST API ERS: downloadableacl: The filter field 'name' is not supported. |
| | MAR Cache replication fails between peer nodes for both NIC and non-NIC bonding interfaces. |
| | The PAN is missing non-significant attribute updates of endpoints from PSNs. |
| | Cisco ISE Messaging Certificate generation does not replicate the full certificate chain on secondary nodes. |
| | Posture Client Provisioning Resources HTTP Error when dictionary attribute contains "-". |
| | IP access list control in Cisco ISE 3.2 is not visible. |
| | Additional IPv6-SGT session binding created for IPv6 link-local address from SXP ADD operation. |
| | Cisco ISE ERS API - Updating DACL does not modify last update timestamp. |
| | Vulnerabilities in antisamy 1.5.9. |
| | There are errors when editing AnyConnect configuration and Posture Agent profiles. |
| | Session info not stored in timed session cache during third-party posture flow. |
| | Cisco ISE Database does not update the email field for Sponsor Accounts. |
| | Failure due to case-sensitive check when new MDMs are created with the same name but different case. |
| | LINUX ISSUE - PRA fails if endpoint is within posture lease. |
| | Advanced Filter "Save" option does not work for Client Provisioning Resources filtering. |
| | Session ticket received from NAD fails to decrypt when OU has & and @ characters in it. |
| | All network device groups are deleted after removing a child item from any group. |
| | Cisco ISE 3.1 endpoints purging rule is created automatically when My Devices portal is duplicated. |
| | Cisco ISE - Abandoned Jedis connections are not being sent back to the threadPool. |
| | Cisco ISE 3.2: Verify existence of Per-User dACL in the Cisco ISE configuration. |
| | Allow pxGrid session update publishing without IP Address. |
| | Unable to select hotspot portal if an existing or duplicated authorization profile is selected. |
| | Guest type save does not work when account expiration notification has a special or newline character. |
| | Cisco ISE Admin Access: Enabling only "User Services" enables Admin GUI Access as well. |
| | Cisco ISE CLI access problems: Failed to connect to server. |
| | Grafana UI and Kibana should have RBAC implemented in Identity Services Engine. |
| | Cisco ISE Posture Failure: Internal System Error when premier license is disabled. |
| | Cisco ISE 3.2 Patch 4: ODBC: Search for MAC address in format is ignored. |
| | External RADIUS server list does not show up after upgrading to 3.2. |
| | Cisco ISE: synflood-limit does not take effect if configured with more than 10000. |
|
User Custom Attributes stuck on rendering. |
|
In Cisco ISE 3.1/3.2, the validation for existing routes is missing during CLI configuration. |
|
Location group information is missing from policy sets. |
|
Gig0 always participates on TCP handshake of sponsor FQDN. |
|
Cisco ISE doesn't allow special characters for the password while importing the certificate. |
|
Cisco ISE Authorization Profile does not persist data with "Security Group" and "Reauthentication" common tasks. |
|
Show CLI command throws exception after configuring log level to 5. |
|
Sponsor Portal returns 400 Bad Request when clicking (Contact Support). |
|
Apache Struts Vulnerability affecting Cisco Products: December 2023. |
|
Sponsor portal shows wrong days of week information from [Setting date] tab when using Japanese UI. |
|
Cisco ISE SAML ID provider Configuration Attributes are deleted though they are referenced. |
|
Cisco ISE: Error 400 when fetching device admin network conditions through OpenAPI. |
|
Sysaux tablespace full due to AUD$ table size growth. |
|
Cannot add SAML provider into Cisco ISE 3.2 or higher. |
|
Unable to save changes in the patch management condition. |
|
FireFox 45+ or Chrome 72: Incorrect line numbering for DACL. |
|
Unable to enforce the IdentityAccesssRestricted attribute during authorization. |
|
Cisco ISE ERS API /ers/config/deploymentinfo/getAllInfo returns different data on multi-node deployments. |
|
Current value of Disable_RSA_PSS environmental value is not preserved upon patch installation. |
|
Cisco ISE REST Authentication Service does not run due to iptables error. |
|
Cisco ISE 3.2: Nexpose Rapid 7: Strict-Transport-Security malformed. |
|
Cisco ISE Passive ID Agent error "id to load is required for loading". |
|
When multiple static default routes are present Cisco ISE incorrectly routes RADIUS Traffic. |
|
A custom attribute used in a 'never purge' rule is still purges endpoints. |
|
Issues with updating the CoA retry count to "0". |
|
Radius Authentication reports exported from the Operational Data Purging pages are empty. |
|
Cisco ISE 3.1p8 Installed Patches menu does not list all the patches. |
|
Azure VM: Not able to register node to deployment. |
|
Cisco ISE Active Directory process (lwsmd) is stuck at "Updating" and consumes 90-100% CPU. |
|
PSN node crashes while assigning the CPMSessionID. |
|
Issue while inserting the data to the config folder if any of the connector is disabled. |
|
Cisco ISE 3.3 on Cloud (Azure, AWS, OCI) doesn't read the disk size properly; the size always defaults to 300 GB. |
Resolved Caveats in Cisco ISE Release 3.3 - Cumulative Patch 1
| Identifier | Headline |
|---|---|
| | Cisco ISE Passive ID sessions are always cleared after an hour. |
| | Read-only admin group users have full access when logging into the Cisco ISE GUI through SAML authentication. |
| | Data corruption is causing an authentication failure with the error messages: FailureReason=11007 or FailureReason=15022. |
| | Sponsor permissions are disabled on the sponsor portal when accessed from the primary PAN persona. |
| | In the pxGrid Endpoints page, the endpoint details are not displayed accurately. |
| | The dedicated MnT nodes in a Cisco ISE deployment do not replicate the SMTP configuration. |
| | Cisco ISE REST API documentation provides an incorrect script for creating an endpoint group. |
| | A matched authorization profile with the SGT, VN name, and VLAN fields empty causes the port to crash. |
| | Expired guest accounts don't receive an SMS when they try to reactivate the account. |
| | Disabled Essential license leads to limited Cisco ISE GUI page access and inability to regenerate the root CA. |
| | Acs.Username is not being updated with the guest username on the first device connection. |
| | Local or global exception rules are not matched for the authorization policy. |
| | GUI doesn't load when trying to edit the Client Provisioning Portal configuration. |
| | The OpenAPIs for endpoints are not working for the existing IoT asset attributes. |
| | The sync status is displayed as failed when the maximum number of TrustSec objects is selected for syncing. |
| | The PreferredDCs registry value cannot be set during advanced tuning. |
| | Date of last purge has a wrong timestamp. |
| | MnT log processor is enabled on a non-MnT admin Cisco ISE node. |
| | In Cisco ISE Release 3.2, SNMP is not working following a node restart. |
| | Allow launch program remediation to have a set order. |
| | The Sponsor portal shows the wrong days-of-week information from the [Setting date] tab when using the Japanese Cisco ISE GUI. |
| | Inconsistency in VLAN ID results in error message: Not a valid ODBC dictionary. |
| | In Cisco ISE Release 3.1 Patch 5: Some internal user passwords are not expiring after the configured global password expiry dates. |
| | In Cisco ISE Release 3.1 Patch 5: An attempt to remove the guest portal after a PAN failure leads to an ORA-02292 integrity constraint. |
| | Removal of EPS from the Cisco ISE code. |
| | Cisco ISE GUI pages are not loading properly with custom admin menu work center permissions. |
| | Cisco ISE cannot load corrupted NAD profiles, causing authorization failures with the following reasons: failureReasons 11007 and 15022. |
| | Cisco ISE Alarm and Dashboard Summary does not load. |
| | Cisco ISE 3.2.0.542: The hot patches are not getting installed when both the patch and hot patches are in the ZTP configuration. |
| | RADIUS server sequence configuration gets corrupted. |
| | Reconfiguring the repository with credentials is required following the restoration of a configuration backup. |
| | Cisco ISE Release 3.1: Administrator Login Report shows 'Administrator authentication failed' every 5 minutes. |
| | pxGrid does not show the topic registration details. |
| | Agentless posture is not working in Windows if the username starts with the special character '$'. |
| | The AnyConnect posture script does not run when the script condition name contains a period. |
| | Cisco ISE Release 3.1: Agentless posture flows fail when the domain user is configured for an endpoint login. |
| | In Cisco ISE Release 3.2, the order of the IP name-servers in the running configuration is unreliable. |
| | Cisco ISE API doesn't recognize the identity groups while creating user accounts. |
| | Vulnerabilities in log4net 2.0.8.0. |
| | Cisco ISE Release 3.2 Patches 2 and 3: Unable to create a user with an authorization and privacy password that is exactly 40 characters. |
| | Unable to delete existing devices in the My Devices Portal following a restoration from Cisco ISE Release 2.7. |
| | NAD RADIUS shared secret key is incorrect when it starts with an apostrophe on Cisco ISE Release 3.1 Patches 1, 2, 3, 4, and 5. |
| | After an admin certificate change, Cisco ISE does not restart services if the bond interface is configured. |
| | Cisco ISE Release 3.2 Patch 3 and Cisco ISE Release 3.3: The initialization of portals fails if IPV6 enable is the only IPV6 command on the interface. |
| | An endpoint's MAC address is not added to the endpoint identity group when using grace access in the guest portal. |
| | Cisco ISE SXP bindings API call returns a 2xx response when the call fails. |
| | Cisco ISE Release 3.2 Patch 3: The adapter.log remains at the INFO level even if the Cisco ISE GUI configuration is set to TRACE or DEBUG. |
| | CRL retrieval is failing. |
| | Context visibility: Endpoint custom attributes cannot be filtered with special characters. |
| | In Cisco ISE Release 3.2, the authorization policy search feature is not working. |
| | Cisco ISE Sponsor Portal is displaying an invalid input error when special characters are used in the guest type. |
| | Cisco ISE Open API: /certs/system-certificate/import must support multi-node deployment. |
| | Guest portal FQDN is mapped to the IP address of the node in the database. |
| | In Cisco ISE Release 3.2, the self-registered email subject line truncates everything after the equal (=) sign on the sponsor guest portal. |
| | In pxGrid Direct, if the user data information is stored in a nested object within the data array, Cisco ISE is unable to process it. |
| | Cisco ISE cannot retrieve a peer certificate during EAP-TLS authentication. |
| | Cisco ISE: Enhancement for the encryption to only send AES256 for MS-RPC calls. |
| | Removing one of multiple DNS servers using the "no ip name-server <IP_of_DNS_server>" command restarts Cisco ISE services without a restart prompt. |
| | Cisco ISE Release 2.7: Unable to disable the scheduled Active Directory Diagnostic Tool tests. |
| | pxGrid Direct: Premier license is required to add a connector. To use the feature, you need the Advantage license. |
| | Agentless posture script does not run when the endpoint is not connected to an AC power source. |
| | Terms and Conditions check box disappears when Portal Builder is used for Cisco ISE Release 3.0 and later releases. |
| | Cisco ISE Release 3.0 Patch 6: Policy export fails to export the policies. |
| | DockerMetrics - Report needs to be changed. |
| | Cisco ISE Release 3.1 on AWS gives a false negative on the DNS check for Health Checks. |
| | Cisco ISE Release 3.1: Services failed to start after restoring a backup from Cisco ISE Release 2.7. |
| | Guest account cannot be seen by sponsors in a specific sponsor group. |
| | Cisco ISE EasyConnect stitching does not happen when the PassiveID syslog is received by MnT before the active authentication syslog. |
| | Cisco ISE Release 3.2 Patch 3: CRL download failure. |
| | The certificates API /admin/API/PKI/TrustCertificates is not exposed but breaks Cisco DNA Center integration with AD username. |
| | "Configuration Missing" warning is seen when navigating to the Log Analytics page. |
| | Updates to the internal users using ERS APIs must retain the values of non-mandatory attributes. |
| | The Show CLI command throws an exception after configuring the log level to 5. |
| | Cisco ISE Release 3.2: GUI issues are noticed in Windows when adding a new context visibility dashboard. |
| | Cisco ISE 3.x: There is a spelling mistake in the API gateway settings. |
| | Aruba-MPSK-Passphrase needs encryption support. |
| | The user identity group and endpoint identity group description fields have a character limit of 1199. |
| | Cisco ISE Release 2.7 Patch 6 is unable to filter TACACS live logs by network device IP. |
| | Profiling is not processing calling station ID values with the following format: XXXXXXXXXXXX. |
| | Cisco ISE Release 3.1 Patch 5: Cannot generate a pxGrid client certificate using the CSR option. |
| | While registering a node with leftover certificates from deregistration, the certificates that are currently in use get deleted. |
| | The Trash all or selected option in the pxGrid policy should not touch entries for the internal group. |
| | Cisco ISE patch GUI installation is stuck on a specific Cisco ISE node in the deployment. |
| | Cisco ISE agentless posture does not support a password containing a colon. |
| | An export of all the network devices on Cisco ISE results in an empty file. |
| | Cisco ISE: Get All Endpoints request takes a longer time to execute from Cisco ISE Release 2.7. |
| | RBAC policy with custom permissions is not working when the administration menu is hidden. |
| | Meraki Sync service is not running immediately after a Cisco ISE application server restart. |
| | Endpoint .csv file import displays "no file chosen" after selecting the file. |
| | Cisco ISE Release 3.3 cannot register new nodes to the deployment post upgrade because the node exporter password is not found. |
| | Profiler CoA sent with the wrong session ID. |
| | Operational backups from the Cisco ISE GUI to the SFTP repositories fail if the PKI key pair passphrase contains a plus (+) symbol. |
| | TopN device admin reports do not work when incoming TACACS exceeds 40M records per day. |
| | Cisco ISE Max Session Counter time limit is not working. |
| | Asynchronous policy engine affecting CoA for ANC quarantine of active VPN clients. |
| | pxgriddirect-connector.log shows a discrepancy between the actual clock time and the time it prints the logs. |
| | Unable to log in to the secondary admin node's GUI using AD credentials. |
| | Cisco ISE Release 3.0: A connection attempt to not allowed on the domains. |
| | Cisco ISE authorization rule evaluation is broken for attempts using EAP chaining and Azure AD groups. |
| | A critical error is seen in Client Provisioning Portal customization. |
| | Using an apostrophe in the First Name and/or Last Name field presents an invalid name error. |
| | SXP can create an inconsistent mapping between IP address and SGT. |
| | Cisco ISE Intune MDM integration may be disrupted due to end of support for MAC address-based APIs from Intune. |
| | Upgrade to Cisco ISE Release 3.2 with LSD disabled prior to the upgrade is causing an EP profiler exception. |
| | Cisco ISE limits the connection to the AMP AMQP service to TLSv1.0. |
| | Cisco ISE and CVE-2023-24998. |
| | Cisco ISE: Unable to disable SHA1 for ports associated with Passive ID agents. |
| | Cisco ISE Release 3.1 Patch 7: Unable to change the admin password if it contains the special character '$'. |
| | Add the "disable EDR internet check" tag. |
| | Add a mechanism to fetch user data for the pxGrid connector. |
| | Cisco ISE Release 3.2 Patch 3: CoA disconnect is sent instead of CoA push during posture assessment with RSD disabled. |
| | GCMP256 auth with SHA384withRSA4096 certificate (Android 12 requirement) failing authorization. |
| | TCP Socket Exhaustion. |
| | Vulnerabilities in axios 0.21.1. |
| | Cisco ISE CLI user is unable to log in after about 2 months of not using the Cisco ISE CLI. |
| | Cisco ISE-PIC license expiration alarms. |
| | TACACS deployment with 0 days evaluation will not work after registering to smart licensing. |
| | Need CoA port-bounce while removing an ANC policy with PORT_BOUNCE. |
| | Vulnerabilities in AntiSamy 1.5.9. |
| | After performing a reset configuration, there is a mismatch in the FQDN value between the GUI and CLI. |
| | The Cisco ISE automatic crash decoder is faulty. |
| | Profiler is triggering a port bounce when multiple sessions exist on a switch port. |
| | Enable password of the internal users is created when it has not been specified through the ERS API. |
| | German and Italian emails cannot be saved under Account Expiration Notification in Guest Types. |
| | The other conditions are reordered after saving in Client Provisioning Policy. |
| | ISEaaS: AWS - Support IMDS v2. |
| | Static IPv6 routes are removed after a reload in Cisco ISE Release 3.2. |
| | Cisco ISE Release 3.2 API: System certificate import does not work for a Cisco ISE node in the deployment. |
| | Unable to match an Azure AD group if the user belongs to more than 99 groups. |
| | Smart license registration fails, and "communication send error" alarms occur intermittently. |
| | Cisco ISE is changing the MAC address format according to the selected MAC Address Format even when the value is not a MAC. |
| | Unable to edit or delete authorization profiles with parentheses in their names. |
| | Manual deletion of the static route will cause Cisco ISE to send a packet with wrong MAC addresses in Cisco ISE Release 3.0 Patch 7. |
| | ct_engine is using 100% CPU. |
| | Not able to schedule or edit the schedule for configuration backup. |
| | ANC remediation is not functioning with AnyConnect VPN. |
| | Cisco ISE does not consume a license when the authorization rule has no authorization profile. |
| | Cannot edit or create an admin user due to "xwt.widget.repeater.DataRepeater" error. |
| | Cisco ISE drops the RADIUS request with the message "Request from a non-wireless device was dropped". |
| | Cisco ISE context visibility does not validate static MAC entries if they are missing a separator such as a colon. |
| | Cisco ISE Release 3.1 Patch 7: Context Visibility and pxGrid ContextIn are missing custom attributes. |
| | Cisco ISE services are stuck in the initializing state with secure syslogs. |
| | ERS SDK developer resources on use cases are not loading properly. |
| | Threads get blocked on the primary PAN if port 1521 is not available. |
Resolved Caveats in Cisco ISE Release 3.3
The resolved caveats in Cisco ISE Release 3.3, have parity with these Cisco ISE patch releases: 3.2 Patch 2, 3.1 Patch 7, and 3.0 Patch 7.
The following table lists the resolved caveats in Release 3.3.
| Caveat ID Number | Description |
|---|---|
| | The Upgrade tab in Cisco ISE shows that the upgrade is in progress after installing a patch. |
| | Cisco ISE privilege escalation vulnerability. |
| | The fetch command of ROPC groups with nearly 53k groups is not working in the Cisco ISE GUI. |
| | In Cisco ISE Release 3.2, the System 360 feature is not available with the Device Admin license. |
| | The Cisco ISE CRL Retrieval Failed alarm needs to display the server on which the CRL download failed. |
| | Unable to delete a custom endpoint attribute in Cisco ISE. |
| | The Session.CurrentDate attribute is not calculated correctly during authentication of endpoints in Cisco ISE. |
| | The Cisco ISE SSL buffer is causing problems with PAC decryption. This is affecting the EAP-FAST flows in Cisco ISE. |
| | Posture assessment by condition generates the following invalid identifier: ORA-00904: "SYSTEM_NAME" in the Cisco ISE GUI. |
| | Cisco ISE command injection vulnerability. |
| | The Configuration Changed field is not working when assigning an endpoint to a group in Cisco ISE. |
| | The TrustSec status cannot be changed if you are using the Japanese Cisco ISE GUI. |
| | The Policy Service Node is not accessible in the Cisco ISE GUI when the Device Administration license is enabled. |
| | In Cisco ISE Release 3.1, the copy command using the TFTP protocol times out. |
| | In Cisco ISE Release 3.2 patch 3, the disabled Cisco ISE-PIC smart license is being used erroneously for upgrade. |
| | The queue link error alarms are not displayed in Cisco ISE-PIC nodes. |
| | Cisco ISE privilege escalation vulnerability. |
| | Cisco ISE nodes upgraded using the CLI do not progress beyond the "Upgrading" status in the Cisco ISE GUI. |
| | Cisco ISE XML external entity injection vulnerability. |
| | Vulnerabilities in Sudo 1.8.29 (a third-party software) have been fixed. |
| | In Cisco ISE Release 3.1, the Active Directory Retrieve Groups window displays a blank screen when loading a large number of Active Directory groups. |
| | Unable to launch Cisco ISE Release 3.2 in Safe Mode. |
| | Common Policy (CDP) is not enabled by default in Cisco ISE Releases 3.1 and 3.2. |
| | Use the toggle button to enable or disable RSA PSS ciphers based on policy under Allowed Protocols in the Cisco ISE GUI. |
| | When a default static route is configured with an interface's subnet gateway excluding GigabitEthernet 0, the network connectivity to Cisco ISE is lost. |
| | Cisco ISE smart licensing now uses smart transport. |
| | The CoA is failing in Cisco ISE due to usage of old and stale audit session IDs. |
| | Users may experience some slowness on the Support Bundle page because the Download Logs page loads in the background. |
| | Cisco ISE Release 3.2 is crashing as soon as a RADIUS request is received with EAP-FAST and EAP Chaining. |
| | Unable to retrieve groups from different LDAPs when nodes are using servers that are undefined. |
| | PRRT should be sending unfragmented messages to the monitoring node if IMS is enabled. |
| | Cisco ISE PassiveID agent probes the status of all domains (including domains that do not have a PassiveID configuration). |
| | There are intermittent issues with app activation. |
| | The Cisco ISE GUI crashes while loading the authorization policy on Google Chrome and Microsoft Edge browsers. |
| | The duplicate manager doesn't remove relevant packets when there is an exception in the reading configuration. |
| | The RADIUS token server configuration accepts an empty host IP address for the secondary server. |
| | The self-registration portal does not support the FQDNs of the nodes for the Approve/Deny links sent to the sponsors. |
| | Network Device Group information is missing when a Cisco ISE admin account has only read access. |
| | In Cisco ISE Release 3.0 patch 6, the scheduled reports created by external admins are missing. |
| | Unable to change the identity source from an internal source to an external source in the RSA/RADIUS-token server. |
| | In Cisco ISE Release 3.1, the application server crashes if a CRL of 5 MB or more is downloaded frequently. |
| | Multiple requests for the same IP, VN, and VPN combinations with different session IDs are creating duplicate records in Cisco ISE. |
| | Cisco ISE Releases 3.2, 3.1, and 3.0 display mismatched information on the "Get All Endpoints" report. |
| | A sponsor portal print issue in Cisco ISE displays guest user settings based on the From-First-Login guest account setting instead of the configured purge settings. |
| | Cisco ISE insufficient access control vulnerability. |
| | The anomalous behavior detection is not working as expected in Cisco ISE. |
| | The latest IP access restriction configuration removes the previous configuration in Cisco ISE. |
| | The RADIUS server sequence page displays "no data available". |
| | The email notification when a guest account creation is denied is not sent to the admin. |
| | Cisco ISE authorization bypass vulnerability. |
| | Cisco ISE Release 3.2 does not support 16-character passwords for SFTP configuration. |
| | The SXP service gets stuck in the initial setup due to an exception on 9644. |
| | Cisco ISE command injection vulnerability. |
| | In Cisco ISE Release 3.1, the SXP Bindings report displays the "No data found" error. |
| | Cisco ISE 3.2 does not support portal customization scripts that include single-line JavaScript comments. |
| | The TrustSec PAC Information Field attribute values are lost when importing a network device CSV template file. |
| | Scheduled reports with large data sizes are displayed as "empty" in the Cisco ISE repository. |
| | In Cisco ISE Release 3.1, the certificate-based login asks for license files only if the Device Admin license is enabled. |
| | Cisco ISE authentication latency is observed because of devices with no MAC addresses. |
| | "Read-only Admin" is not available for Cisco ISE admin SAML authentication. |
| | The Cisco ISE admin account created from network access users can't change dark mode settings in the Cisco ISE GUI. |
| | Cisco ISE command injection vulnerability. |
| | Cisco ISE command injection vulnerability. |
| | Cisco ISE path traversal vulnerability. |
| | Endpoint Protection Service has been removed from the Cisco ISE code. |
| | The Cisco ISE network device captcha is prompted only when the filter matches a single network device. |
| | Certificate authentication permissions in the Cisco ISE GUI have been modified for Cisco ISE Release 3.1 patch 4. |
| | The Cisco ISE ERS SDK documentation for network device bulk requests is incorrect. |
| | Scheduled RADIUS authentication reports in Cisco ISE fail while exporting them to the SFTP repository. |
| | Windows Server 2022 is working as the target domain controller and should be monitored. |
| | The resolution for CSCvz85074 breaks AD group retrieval in Cisco ISE. |
| | The Cisco ISE MnT authentication status API query should be optimized. |
| | The Cisco ISE-PIC agent provides session stitching support. |
| | The RADIUS used space in Cisco ISE reports incorrect usage. This is because it also takes TACACS tables into account for the final report. |
| | In Cisco ISE Release 3.2, Hyper-V installations have DHCP enabled. |
| | Cisco ISE upgrade is failing because of custom security groups. |
| | Cisco ISE does not display an error message when importing a certificate and private key that contains "%" in the password. |
| | In Cisco ISE Release 3.2, the SFTP repositories are not operational from the Cisco ISE GUI even after clicking the "generate key pairs" option. |
| | Unable to download REST-ID stores from Download Logs on the Cisco ISE GUI. |
| | Vulnerabilities in Tomcat 9.0.14. |
| | The NetworkSetupAssistance.exe digital signature certificate is expired in the BYOD flow when using Sierra Pacific Windows (SPW windows in Microsoft Windows). |
| | Cisco ISE Release 3.2 ROPC basic serviceability improvements. |
| | In Cisco ISE Release 3.2, the ports for Guest Portal configuration do not open on Cisco ISE nodes that are installed on AWS. |
| | Using potentially insecure methods: HTTP PUT method accepted. |
| | From Cisco ISE Release 3.2, text passwords must be entered in the identity-store command. |
| | The support bundle does not contain tterrors.log and times.log. |
| | Cisco ISE stored cross-site scripting vulnerability. |
| | The deferred update condition will not work if the compliance module is not compatible with Cisco Secure Client. |
| | Users cannot add the quotation character in a TACACS authorization profile. |
| | Cisco ISE TrustSec Logging: The SGT create event is not logged to the ise-psc.log file. |
| | Automatic backup stops working after 3 to 5 days. |
| | High CPU utilization due to agentless posture configured in Cisco ISE. |
| | Unable to parse a CLI username with '-' (hyphen/dash) in Cisco ISE Release 3.2 Patch 1. |
| | Metaspace exhaustion causes crashes on the Cisco ISE node in Cisco ISE Release 3.1. |
| | Cisco ISE Release 3.2 crashing with VN in authorization profile. |
| | Cisco ISE Release 3.2 ERS POST /ers/config/networkdevicegroup fails because of the broken attribute othername/type/ndgtype. |
| | Configuration changes to guest types are not updated in the audit reports. |
| | Full upgrade from Cisco ISE Release 3.0 to Cisco ISE Release 3.1 failed due to a DB service timeout. |
| | Network Device Profile shows HTML code as the name. |
| | In Cisco ISE Release 3.2, an error is displayed when entering the DNS domain in the Cisco ISE deploy instance on cloud. |
| | In Cisco ISE Release 3.2, the SAML sign authentication request setting is getting unchecked upon saving the setting. |
| | In Cisco ISE Release 3.2 Patch 1, connections are established to servers not listed in the Cisco ISE ports, resources, or the reference guide. |
| | Cisco ISE Release 3.1 creates a cni-podman0 interface with IP 10.88.0.1 and an IP route for 10.88.0.0/16. |
| | Cisco ISE fails to translate the AD attribute msRASSavedFramedIPAddress. |
| | The MDM connection to Microsoft SCCM fails after Windows DCOM Server Hardening for CVE-2021-26414. |
| | Post service licensing update, the Cisco ISE Licensing page shows Evaluation compliance status for consumed licenses. |
| | The ROPC authentication functionality is broken in Cisco ISE Release 3.2. |
| | The monitoring log processor service stops every night. |
| | Deleting an SNMPv3 username with a "-" or "_" character doesn't delete the hexadecimal username from Cisco ISE. |
| | Allow Guest Portal HTTP requests containing content headers with {} characters. |
| | IotAsset information is missing when using Get All Endpoints. |
| | Cisco ISE command injection vulnerability. |
| | The guest locations do not load in the Cisco ISE Guest Portal. |
| | RMQForwarder thread to control platform properties in the hardware appliance in Cisco ISE Release 2.7 patch 7. |
| | The Cisco ISE hourly cleanup should clean the cached buffers instead of the 95% memory usage. |
| | Cisco ISE command injection vulnerability. |
| | Cisco ISE OpenAPI HTTP repo patch install fails when directory listing is disabled. |
| | Cisco ISE with two interfaces configured for portal access is broken. |
| | Agentless posture fails when using multiple domain users in the endpoint login configuration. |
| | Cisco ISE vPSN with IMS performance degrades by 30-40% compared to UDP syslog. |
| | Queue link errors "Unknown CA" when utilizing a third-party signed certificate for IMS. |
| | An attempt to delete the "Is IPSEC Device" NDG causes all subsequent RADIUS/TACACS+ authentications to fail. |
| | The vertical scroll bar is missing in the RBAC Data and Menu Permissions window in Cisco ISE Release 3.1. |
| | Cisco ISE filter of REST ID Store Groups displays "Error processing this request." |
| | Failed to handle API resource request: Failed to convert condition. |
| | Cisco ISE arbitrary file download vulnerability. |
| | ISE IP-SGT static mapping is not sent to the SXP Domain upon moving it to another mapping group. |
| | Primary administration node application server remains stuck at the initializing stage. |
| | Cisco ISE Release 2.6 patch 7 is unable to match "identityaccessrestricted equals true" in the authorization policy. |
| | Data is lost when accessing Total Compromised Endpoints in the Cisco ISE dashboard Threat for TC-NAC. |
| | Cisco ISE is unable to join the node to AD by REST API. |
| | Authentication step latency for policy evaluation due to garbage collection activity in Cisco ISE. |
| | Cisco ISE - Apache Tomcat vulnerability CVE-2022-25762. |
| | Cisco ISE 3.0 is not saving SCCM MDM server objects with a new password but works when a new instance is in use. |
| | "Error loading page" is the output when creating a guest account in the Self-Registered Guest Portal in Cisco ISE. |
| | Make the MDM API V3 certificate string case insensitive. |
| | Using "Export Selected" under Network Devices leads to the login screen with more selections. |
| | Cisco ISE Release 3.2 URT fails with "Failed (Import into cloned database failed)" on Cisco ISE Release 3.1. |
| | Cisco ISE Africa or Cairo timezone DST. |
| | APIC integration in Cisco ISE Release 3.2 is missing fvIP subscription. |
| | Cisco ISE Certificate API fails to return a Trusted Certificate with a hash character in the Friendly Name field. |
| | APIC integration in Cisco ISE Release 3.2 fails to get EPs null (com.cisco.cpm.apic.ConfImporter:521). |
| | Cisco ISE interface feature insufficient access control vulnerability. |
| | Posture Requirements only show the default entry in Cisco ISE. |
| | Cisco ISE Release 3.2 is missing the secondary policy administration node key for PKI-based SFTP. |
| | Cisco ISE Live Session gets stuck at the "Authenticated" state. |
| | Cisco ISE Release 3.1 Patch 1 does not create the Rest ID or ROPC folder logs. |
| | CIAM: openjdk - multiple versions. |
| | Cisco ISE GUI is not validating the default value while adding custom attributes. |
| | Unable to select ISE Messaging usage (appears grayed out) for an existing certificate in the Cisco ISE GUI. |
| | Cisco ISE SAML certificate is not replicating to other nodes. |
| | Evaluate Configuration Validator gets stuck when using a password with special characters in Cisco ISE. |
| | Cisco ISE GUI TCP DUMP gets stuck in the "Stop_In_Progress" state. |
| | IndexRebuild.sql script ran over the monitoring node in Cisco ISE. |
| | Entering the incorrect password in the Cisco ISE GUI shows the end user agreement in Cisco ISE Release 3.1 patch 1. |
| | Save button for SAML configuration is grayed out in the Cisco ISE GUI. |
| | Cisco ISE path traversal vulnerability. |
| | Hostnames on Cisco ISE should not exceed 19 characters when deployed via AWS. |
| | MAC - CSC 5.0554 web deployment packages failed to upload. |
| | Cisco ISE unauthorized file access vulnerability. |
| | Static IP-SGT mapping with VN reference causes Cisco DNA Center Group-Based Policy sync to fail. |
| | Cisco ISE is not deleting all the sessions from the SXP mapping table. |
| | The transaction table should be truncated after a 2 million record count. |
| | Cisco ISE cross-site scripting vulnerability. |
| | Unable to create a scheduled backup with the admin user from the "System Admin" AdminGroup in Cisco ISE. |
| | CPU spike due to memory leak with EP purge call. |
| | Accept client certificate without KU purpose validation per CiscoSSL rules. |
| | PIC license consumption in Cisco ISE-PIC Release 3.1. |
| | Cisco ISE: SQLException sent to the Collection Failure Alarm caused by NAS-Port-ID length. |
| | Cisco ISE cross-site scripting vulnerability. |
| | Cisco ISE stored cross-site scripting vulnerability. |
| | Cisco ISE displaying Tomcat stacktrace when using a specific URL. |
| | Cisco ISE Release 3.1 patch 5 verifies the CA certificate EKU, causing the "unsupported certificate" error. |
| | Internal CA certificate chain becomes invalid if the original primary administration node is removed. |
| | Unable to enable the firewall condition in Cisco ISE Release 3.1. |
| | There are issues in the Trusted Certificates menu in Cisco ISE Release 3.1. |
| | Getting pxGrid error logs in ise-psc.log after disabling pxGrid. |
| | Cisco ISE is not sending the hostname attribute to Cisco DNA Center. |
| | "Posture Configuration detection" alarms should be at the "INFO" level and must be reworded. |
|
In Cisco ISE Release 3.2, users are not able to delete the rules that were added during IP access rule addition. |
|
"All devices were successfully deleted" error after trying to delete one particular network access device by filtering. |
|
PUT operation failing with payload via Cisco DNA Center to Cisco ISE (ERS). |
|
Cisco ISE RADIUS and PassiveID session merging. |
|
Not able to access Time Settings Configuration Export on Cisco ISE ERS API. |
|
Add serviceability & fix "Could not get a resource since the pool is exhausted" Error in Cisco ISE Release 3.0. |
|
REST AUTH services not running after upgrading from Cisco ISE Release 3.1 to Cisco ISE Release 3.2. |
|
Cisco ISE integration with Cisco DNA Center fails if there are invalid certificates in the Cisco ISE trusted store. |
|
Unable to import certificates on Secondary node post registration to the deployment. |
|
Latency is observed during query of Session.PostureStatus. |
|
TACACS Command Accounting report export is not working. |
|
Not able to configure KRON job. |
|
SG and contracts with multiple backslash characters in a row in the description cannot sync to Cisco ISE. |
|
In Cisco ISE, the SMS Javascript customization is not working for SMS email gateway. |
|
Cisco ISE Change Configuration Audit Report does not clearly indicate the SGT creation and deletion events. |
|
CIAM: openjdk - multiple versions. |
|
Cisco ISE cannot retrieve repositories and scan policies of Tenable Security Center. |
|
Cisco ISE arbitrary file download vulnerability. |
|
Cisco ISE abruptly stops consuming passive-id session from a third-party syslog server. |
|
Cisco ISE Release 3.1 configuration backup is executed on the primary monitoring node. |
|
Unable to add Network Access Device due to the error: "There is an overlapping IP Address in your device". |
|
PKI-enabled SFTP Repositories not working in Cisco ISE Release 3.2. |
|
Smart license registration is not working. |
|
Sponsored Portal in Germany - Calendar shows Thursday (Donnerstag) as Di not Do. |
|
Cisco ISE Authorization Profile displays wrong Security Group or VN value. |
|
In Cisco ISE Release 3.1 Patch 3, the Sponsor Portal - Session Cookie SameSite value set to none. |
|
Cisco ISE TCP DUMP stuck at the error "COPY_REPO_FAILED" state when no repository is selected. |
|
SXP service gets stuck at initializing due to H2 DB delay in querying bindings. |
|
LSD is causing high CPU usage. |
|
Registered Endpoint Report shows unregistered guest devices. |
|
Profiler should ignore non-positive RADIUS syslog messages while forwarding the messages from the default RADIUS probe. |
|
In Cisco ISE Release 3.1, the error "Illegal hex characters in escape (%) pattern ? For input string: ^F" is displayed. |
|
The Cisco ISE GUI shows HTML hexadecimal code for the characters in the command set. |
|
The row of "Manage SXP Domain filters" only displays maximum 25. |
|
Cisco ISE and CVE-2023-24998. |
|
Vulnerabilities in jszip 3.0.0. |
|
Cisco ISE TACACS primary service node crashed during maximum user session authentication flow. |
|
Cisco ISE VMSA-2022-0024 - VMware Tools update addresses a local privilege escalation vulnerability. |
|
Authorization policy evaluation failing due to NullPointerException in LicenseConsumptionUtil.java. |
|
Cisco ISE XML external entity injection vulnerability. |
|
No validation of PBIS registration key configuration on the advance tuning page. |
|
Identity user cannot be created if the user custom attribute includes $ or ++. |
|
Patch install from the Cisco ISE GUI fails. |
|
LSD is causing high bandwidth utilization. |
|
Network Device Port Conditions: IP Addresses or Device Groups don't accept valid port strings. |
|
Cisco ISE BETA certificate is shown as stale certificate and must be cleaned up. |
|
The Guest portal page displays "Error Loading Page" when the reason for the visit field contains special characters. |
|
Cisco ISE Release 3.1 Patch 4 Passive DC configuration is not saving the username correctly. |
|
pxGrid session publishing stops when reintegrating FMC while P-PIC is down. |
|
During upgrade the deregister call fails to remove all the nodes from the database. |
|
EAP-TLS authentication with ECDSA certificate fails on Cisco ISE Release 3.1. |
|
In Cisco ISE Release 3.1 Patch 3, SAML SSO does not work if the active policy service node goes down. |
|
SFTP and FTP validation is failing through CLI when 16+ characters in the password is configured. |
|
Cisco ISE’s Application Server process is restarting during Dot1X due to buffer length = 0 for eapTLS. |
|
Unable to add many authorization profiles with the active sessions alarm setting. |
|
Node syncup fails to replicate wildcard certificate with the portal role. |
|
Qualys adapter is unable to download the knowledge base: Stuck with the error "knowledge download in progress". |
|
Cisco ISE ERS API doesn't allow for use of minus character in "Network Device Group" name. |
|
Cisco ISE Release 3.1 portal tag has an issue with special character validation. |
|
Cisco ISE Release 3.0 NFS share stuck. |
|
Support for concatenating AD group attributes when they exceed the length of the RADIUS attribute. |
|
The session gets stuck indefinitely until Cisco ISE is restarted. |
|
Cisco ISE Release 3.1 Azure AD autodiscovery for MDM API V3 is incorrect. |
|
In Cisco ISE, the Mexico time zone incorrectly changes to Daylight Saving Time. |
|
Import of SAML metadata fails. |
|
In Cisco ISE Release 3.1, certain key attributes in the SessionCache are missing when a third-party network device profile is in use. |
|
Cisco ISE Release 3.1 displays an error when using the SNMPv3 privacy password. |
|
The command to enable DNSCache in FQDN syslog popup needs correction. |
|
Support for macOS 12.6. |
|
In Cisco ISE Release 3.2, the Data Connect password expiry alarm is consistently visible even when the Data Connect feature is disabled. |
|
All network access devices are deleted while filtering based on NDG location and IP address. |
|
Cisco ISE does not remove SXP mapping when the SGT changes after CoA. |
|
Cisco ISE fails to establish a secure connection when new certificates are imported for the guest portal. |
|
Cisco ISE XML external entity injection vulnerability. |
|
VLAN detection interval should not be more than 30 seconds. |
|
The Replogns table space on the primary administration node increases when there are replication issues in the deployment. |
|
Agentless posture failures cause the TMP folder to increase in size in Cisco ISE Release 3.1 Patch 5. |
|
DB Connections are increasing in longevity and the maximum DB connections are 994 in Cisco ISE Release 3.1 Patch 5. |
|
The reprofiling result is not updated to Oracle/VCS after a feed incremental update. |
|
Cisco ISE ERS API schema for network device group creation. |
|
Cisco ISE SAML Destination attribute is missing for signed authorization requests. |
|
MSAL support is needed for SCCM integration with Cisco ISE as MS is deprecating ADAL. |
|
In Cisco ISE Release 3.1 patch 3, users are unable to import endpoints from .csv file if SAML is used. |
|
Incorrect SLR out of compliance error reported in Cisco ISE. |
|
Unable to save the launch program remediation when the parameter contains a double quote (""). |
|
Cisco DNA Center integration issue due to more internal CA certificates. |
|
Session directory write failed alarm with Cisco NAD using "user defined" NAD profile. |
|
SyncRequest timeout monitor thread does not terminate the file transfer after timeout during Cisco ISE replication. |
|
Authentication failed due to missing certificate private key. |
|
"The phone number is invalid" error is displayed when trying to import users from .csv file. |
|
Users cannot change the condition operator from AND to OR in posture policy conditions. |
|
Authentication against ROPC identity store fails with RSA key generation error. |
|
Authorization policy failing due to wrong condition evaluation. |
|
Uploading the AnyConnect agent from the Cisco ISE GUI triggered high CPU utilization on the primary administration node and took nearly 7 hours to complete. |
|
Misspelled PassiveID errors seen in logs and reports. |
|
The SAML flow with load balancer is failing due to incorrect token handling on Cisco ISE. |
|
The Adaptive Network Control (ANC) CoA is sent to the NAS IP address instead of the Device IP address. |
|
In Cisco ISE Release 3.1, the previous version of the hot patch is still visible in the DB. |
|
Cisco ISE Release 3.2 does not support passwords with more than 16 characters for the identity-store configuration command. |
|
Unable to access the system certificates page for the registered node in Cisco ISE Release 3.0 patch 4. |
|
No response received from SNMP server when the "snmp-server host" is configured in Cisco ISE Release 3.2 patch 2. |
|
TLS 1.0/1.1 is accepted in the Cisco ISE Release 3.0 admin portal. |
|
Vulnerable JS library issue found while executing ZAP. |
|
Passive ID agent sending incorrect time format events. |
|
Permission for collector.log file is set to root automatically. |
|
Unable to download the support bundle of size greater than 1 GB from the Cisco ISE GUI. |
|
Cisco ISE nodes intermittently trigger the queue link alarms. |
|
Sysaux tablespace allocation should be done based on the profile of the node. |
|
An NTP authentication key with more than 15 characters is getting the error "% ERROR: Bad hashed key". |
|
Cisco ISE command injection vulnerability. |
|
Layering of drag and drop action in the Conditions Studio. |
|
Removing an IP access list from Cisco ISE destroys the distributed deployment. |
|
Some items are displayed as [Test] in the Japanese Cisco ISE GUI. |
Open Caveats
Known Limitations in Cisco ISE Release 3.3 - Cumulative Patch 4
Usage of special characters in osquery visibility condition
When the equal-to operator is used with an attribute value that contains special characters (for example, CPU @ 1.20GH), the osquery visibility condition fails. As a workaround, use the Like operator (is_containing) when configuring osquery visibility conditions whose values contain special characters.
Open Caveats in Cisco ISE Release 3.3 - Cumulative Patch 3
| Caveat ID Number | Description |
|---|---|
| | AD credentials fail to integrate Cisco ISE with Cisco Catalyst Center 2.2.1.x and later. |
| | RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS). |
| | Cisco ISE 3.3 Patch 3 Duo MFA authentication fails instantly with a "22076 MFA Authentication failure" message in Live Logs. You must install the following hot patch to fix this issue: HP_3.3P3.zip |
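The Blast-RADIUS caveat listed above concerns forgery of RADIUS responses that rely only on the MD5-based Response Authenticator. The accepted mitigation, independent of any vendor patch, is to require the Message-Authenticator attribute (type 80, an HMAC-MD5 over the packet keyed with the shared secret, RFC 2869 section 5.14) on Access-Request and on every Access-Accept, Access-Reject and Access-Challenge, and to verify it. The following is an added example, not code from this page or from Cisco, that parses a RADIUS packet and reports whether that attribute is absent, valid or forged; the function names, the shared secret, the authenticator bytes and the attribute values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def parse_radius(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, bytes(packet[pos + 2:pos + alen])))
        pos += alen
    return code, ident, bytes(packet[4:20]), attrs


def build_radius(code, ident, authenticator, attrs):
    """Serialise header plus attribute list back into a packet."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def message_authenticator(code, ident, authenticator, attrs, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed (RFC 2869 5.14)."""
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_radius(code, ident, authenticator, zeroed), hashlib.md5).digest()


def sign(code, ident, authenticator, attrs, secret):
    """Return the packet with a correct Message-Authenticator appended.

    For a response, pass the *request's* authenticator here: the HMAC is keyed
    over the Request Authenticator, and finish_response() then fills in the
    Response Authenticator.
    """
    attrs = list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    mac = message_authenticator(code, ident, authenticator, attrs, secret)
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
    return build_radius(code, ident, authenticator, attrs)


def finish_response(packet_with_request_auth, secret):
    """Replace the header authenticator with the Response Authenticator (RFC 2865 section 3)."""
    resp_auth = hashlib.md5(packet_with_request_auth + secret).digest()
    return packet_with_request_auth[:4] + resp_auth + packet_with_request_auth[20:]


def check_message_authenticator(packet, secret, request_authenticator=None):
    """Return 'ok', 'missing', 'invalid', or 'n/a' for codes the check does not cover."""
    code, ident, authenticator, attrs = parse_radius(packet)
    if code not in (ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return "n/a"
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        return "missing"          # this is the packet Blast-RADIUS needs to see
    if code != ACCESS_REQUEST:
        if request_authenticator is None:
            raise ValueError("response packets need the matching request authenticator")
        authenticator = request_authenticator
    expected = message_authenticator(code, ident, authenticator, attrs, secret)
    return "ok" if hmac.compare_digest(expected, macs[0]) else "invalid"


def demo():
    """Constructed packets (not captured traffic): bare, signed, tampered, and a signed Accept."""
    secret = b"example-shared-secret"        # constructed; not a real NAD secret
    req_auth = bytes(range(16))              # constructed Request Authenticator
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 5]))]
    bare = build_radius(ACCESS_REQUEST, 7, req_auth, attrs)
    signed = sign(ACCESS_REQUEST, 7, req_auth, attrs, secret)
    tampered = bytearray(signed)
    tampered[22] ^= 0x01                     # flip one bit inside User-Name
    accept = finish_response(sign(ACCESS_ACCEPT, 7, req_auth, [], secret), secret)
    return {
        "bare": check_message_authenticator(bare, secret),
        "signed": check_message_authenticator(signed, secret),
        "tampered": check_message_authenticator(bytes(tampered), secret),
        "accept": check_message_authenticator(accept, secret, request_authenticator=req_auth),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

Run against a packet capture, the "missing" verdict on Access-Request or on any response is the condition to alarm on while the caveat remains open; a NAD that sends Message-Authenticator and a server that verifies it on both directions removes the forgery path the caveat describes.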
Open Caveats in Cisco ISE Release 3.3 - Cumulative Patch 2
| Caveat ID Number | Description |
|---|---|
| | AD group retrieval fails while evaluating the authorization policy. |
| | Swap cleanup script to drop the swap area and program the cron. |
| | After an ADE-OS restore, the application server is stuck at initializing. |
| CSCwh92366 | In Cisco ISE 3.1 Patch 8, an insufficient virtual machine resource alarm is observed in the 3.1 Patch 8 longevity setup. |
| | Cisco ISE is running out of Context N. |
| | Make the PAN honor the endpoint record from the DB when purging with the purge routine on the PAN only. |
| | Interrupting execution of "show tech-support" causes services to stop on Cisco ISE. |
| | Host not found in identity group due to a profiler null pointer exception. |
| | In Cisco ISE 3.3, TACACS data is not retained and everything gets purged. |
Open Caveats in Cisco ISE Release 3.3 - Cumulative Patch 1
| Caveat ID Number | Description |
|---|---|
| | Cisco ISE Releases 3.1 and 3.2: Missing validation for existing routes during CLI configuration. |
| | In Cisco ISE Release 3.2 Patch 1, the Cisco ISE GUI and CLI are inaccessible following a configuration restoration with ADE-OS. |
| | In Cisco ISE 3.1 Patch 8, an Insufficient Virtual Machine Resource alarm is observed in the 3.1 Patch 8 longevity setup. |
Open Caveats in Cisco ISE Release 3.3
The following table lists the open caveats in Release 3.3.
| Caveat ID Number | Description |
|---|---|
| | Enabling log analytics on the lower-end 3615/3715 appliance models may cause Cisco ISE to become unresponsive. |
| | Cisco ISE Release 3.3: ML on Cisco ISE: The Cisco ISE cluster cannot connect to the ML cloud if the clock difference is more than 5 minutes. |
| | Cisco ISE Release 3.3: Labelling of ML-proposed rules has issues with special characters and overlapping. |
| | MFC profiler shows "No data" for all the metrics in the Grafana dashboard. |
| | Cisco ISE Release 3.3: MFC_EPType is not shown as Phone for iPhone in the case of Wi-Fi analytics. |
| | "Configuration Missing" warning is seen when browsing to the log analytics page. |
| | Cisco ISE monitoring GUI page is stuck at "Welcome to Grafana". |
| | Cisco ISE Release 3.3 cannot register new nodes to the deployment after upgrade because the node exporter password is not found. |
| | In Cisco ISE 3.1 Patch 8, an Insufficient Virtual Machine Resource alarm is observed in the 3.1 Patch 8 longevity setup. |
| | A '500 internal error' is returned when calling the ERS API (port 9060) endpoint /ers/config/endpoint/{MAC address}/releaserejectedendpoint. |
Additional References
See Cisco ISE End-User Resources for additional resources that you can use when working with Cisco ISE.
Communications, Services, and Additional Information
- To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
- To get the business impact you're looking for with the technologies that matter, visit Cisco Services.
- To submit a service request, visit Cisco Support.
- To discover and browse secure, validated enterprise-class apps, products, solutions, and services, visit Cisco DevNet.
- To obtain general networking, training, and certification titles, visit Cisco Press.
- To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Cisco Bug Search Tool
Cisco Bug Search Tool (BST) is a gateway to the Cisco bug-tracking system, which maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. The BST provides you with detailed defect information about your products and software.
Documentation Feedback
To provide feedback about Cisco technical documentation, use the feedback form available in the right pane of every online document.