Introduction to Cisco Identity Services Engine

Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices. An administrator can then use this information to make proactive governance decisions by creating access control policies for the various network elements, including access switches, wireless controllers, Virtual Private Network (VPN) gateways, Private 5G networks, and data center switches. Cisco ISE acts as the policy manager in the Cisco Group Based Policy solution and supports TrustSec software-defined segmentation.

Cisco ISE is available on secure network server appliances with different performance characterizations, virtual machines (VMs), or on the public cloud.

Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also enables the configuration and management of distinct personas and services, thereby giving you the ability to create and apply services, where needed, in a network, but operate the Cisco ISE deployment as a complete and coordinated system.

For detailed Cisco ISE ordering and licensing information, see the Cisco Identity Services Engine Ordering Guide.

For information on monitoring and troubleshooting the system, see the "Monitoring and Troubleshooting Cisco ISE" section in the Cisco Identity Services Engine Administrator Guide.

What is New in Cisco ISE, Release 3.3?

This section lists the new and changed features in Cisco ISE 3.3.

Access the Cisco ISE Admin GUI using HTTPS with TLS 1.3

From Cisco ISE Release 3.3, you can access the Cisco ISE Admin GUI over HTTPS with TLS 1.3. For more information, see "Configure Security Settings" in the chapter "Secure Access" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.

Bulk Update and Bulk Delete Support for Context-in API in pxGrid Cloud

From Cisco ISE Release 3.3, the context-in API in pxGrid Cloud supports bulk update and bulk deletion of endpoints. For more information, see the Cisco ISE API Reference Guide.

Certificate-based Authentication for API Calls

From Cisco ISE Release 3.3, you can configure authentication settings for API admin users such as API admin and OpenAPI admin in the Admin > System > Admin Access > Authentication > Authentication Method window. The API Authentication Type section allows you to permit password-based authentication, certificate-based authentication, or both. These authentication settings do not apply to REST admin users such as pxGrid REST, MnT REST, and other REST admin users. For more information, see "Enable API Service" in the chapter "Basic Setup" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.

Cisco AI-ML Rule Proposals for Endpoint Profiling

Cisco ISE now provides profiling suggestions based on continuous learning from your networks, helping you to enhance endpoint profiling and management. You can use these suggestions to reduce the number of unknown or unprofiled endpoints in your network.

For more information, see "Cisco AI-ML Rule Proposals for Endpoint Profiling" in the Chapter "Asset Visibility" in the Cisco ISE Administration Guide, Release 3.3.

Configure Native IPSec in Cisco ISE

From Cisco ISE Release 3.3, you can configure IPSec using the native IPSec configuration. You can use native IPSec to establish security associations between Cisco ISE PSNs and NADs across an IPSec tunnel using IKEv1 and IKEv2 protocols. For more information, see "Configure Native IPSec on Cisco ISE" in the chapter "Secure Access" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.

Disable Endpoint Replication to all the nodes in a Cisco ISE Deployment

From Cisco ISE, Release 3.3, dynamically discovered endpoints are not replicated to all the nodes in the Cisco ISE deployment automatically. You can choose to enable or disable the replication of dynamically discovered endpoints across all nodes in your Cisco ISE deployment. For more information, see "Data Replication from Primary to Secondary Cisco ISE Nodes" in the Chapter "Deployment" in the Cisco ISE Administrator Guide, Release 3.3.

Data Connect

From Cisco ISE Release 3.3, the Data Connect feature uses the admin certificate to provide database access to Cisco ISE using an Open Database Connectivity (ODBC) or Java Database Connectivity (JDBC) driver, so that you can directly query the database server to generate reports of your choice. For more information, see "Data Connect" in the chapter "Basic Setup" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.

Enhanced Support for Unvalidated Operating Systems Releases in Posture Workflows

Cisco ISE now supports unvalidated versions of operating systems in agent-based and agentless posture workflows. In the earlier releases of Cisco ISE, only the endpoints that ran validated operating systems successfully met posture agent policies.

As a result, endpoints running an unvalidated operating system failed posture agent workflows with the error message, The operating system is not supported by the server.

For information on supported operating systems, see the Compatibility Matrix for your Cisco ISE release.

For example, posture agent flows for endpoints running operating system versions Windows 10 IoT Enterprise LTSC or Mac 14 failed while these operating system versions were not validated. When Cisco ISE validated these versions and the operating system data was published to the Feed Service, posture agents successfully matched these endpoints.

You can download the latest operating system data to Cisco ISE from the Feed Service in the Administration > System > Posture > Updates page of the Cisco ISE administration portal.

From Cisco ISE Release 3.3, unvalidated operating systems are matched to a known operating system listed in the Policy pages (Posture, Requirements, and Conditions pages) of the Cisco ISE administration portal, so that posture agent workflows can be completed successfully. For example, if Mac xx is not validated and an endpoint is running it, a posture agent can now match the endpoint with MacOSX. When Mac xx is validated and published to the Feed Service, and the posture agent runs on the endpoint again, the endpoint is matched with Mac xx. Posture reports display the operating system that an endpoint is matched with.

All the posture agents that are supported by Cisco ISE Release 3.3 are impacted by this change. No other Cisco ISE features, such as BYOD, are impacted.

ERS API Support for LDAP Profile Bind Account Password

From Cisco ISE Release 3.3, LDAP profile bind account password is supported by ERS APIs. You can configure a new LDAP server on the Cisco ISE GUI using the ERS API. The created LDAP server can be used to configure an identity source in other Cisco ISE portals. For more information, see the Cisco ISE API Reference Guide.

IPv6 Support for Agentless Posture

Cisco ISE Release 3.3 adds IPv6 support for Agentless Posture. Windows and macOS clients are currently supported.

For more information, see "Agentless Posture" in the Chapter "Compliance" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.

IPv6 Support for Portal and Profiler Features

Cisco ISE Release 3.3 adds IPv6 support for the following portals, portal features, and profiler features.

Cisco ISE Portals with IPv6 Support

  • Sponsor Portal

  • MyDevices Portal

  • Certificate Provisioning Portal

  • Hotspot Guest Portal

  • Self-Registered Guest Portal

Cisco ISE Portal Features with IPv6 Support

  • Single-Click Sponsor Approval

  • Grace Period

  • Validation of Credentials for Guest Portal

  • Active Directory

  • Guest Portal Posture Flow using Temporal Agent

  • Active Directory User - Posture Flow with AnyConnect

  • Dot1x User - Posture Flow with AnyConnect

  • Guest and Dot1x User - Posture Flow with Temporal Agent

Profiler Features with IPv6 Support

  • DHCP Probe

  • HTTP Probe

  • RADIUS Probe

  • Context Visibility Services

  • Endpoint Profiling


The static IP/host name/FQDN field for the common task of web redirection cannot take an IPv6 address.

Link External LDAP Users to Cisco ISE Endpoint Groups

From Cisco ISE Release 3.3, you can assign external LDAP user groups to Endpoint Identity Groups for guest devices using the Dynamic option. For more information, see "Create or Edit Guest Types" in the Chapter "Guest and Secure WiFi" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.

Managing Passwords of Cisco ISE Users

From Cisco ISE Release 3.3, as an internal user of Cisco ISE, you can choose to add the Date Created and Date Modified columns to the Network Access User table in the Network Access Users window. For more information, see "Cisco ISE Users" in the Chapter "Asset Visibility" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.

Multi-Factor Classification for Enhanced Endpoint Visibility

You can now create nuanced authorization policies using four specific attributes from the endpoints connecting to your network. The Multi-Factor Classification (MFC) profiler uses various profiling probes to fetch four new endpoint attributes to the Cisco ISE authorization policy creation workflows: MFC Endpoint Type, MFC Hardware Manufacturer, MFC Hardware Model, and MFC Operating System.

For more information, see "Multi-Factor Classification for Enhanced Endpoint Visibility" in the chapter "Asset Visibility" in the Cisco ISE Administration Guide, Release 3.3.

Navigation Improvement

The Cisco ISE home page GUI has been modified for a better user experience. When you click the menu icon at the left-hand corner of the home page, a pane is displayed. Hovering your cursor over each of the options on the pane displays the following submenus to choose from.

  • Context Visibility

  • Operations

  • Policy

  • Administration

  • Work Centers

Click Dashboard for the home page.

The left pane also contains a Bookmarks tab where you can save your recently viewed pages. Click the menu icon again to hide the pane.

If you log out when the left pane is displayed, and log in again, the pane continues to be displayed. However, if you log out after the pane is hidden, and log in again, you must click the menu icon for the pane to be displayed again.

You can now use the icon on the homepage to access the Search Pages option to search for a new page or visit recently searched pages.

For more information, see "Administration Portal" in the Chapter "Basic Setup" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.

Option to Disable Specific Ciphers

The Manually Configure Ciphers List option in the Security Settings window allows you to manually configure ciphers for communication with the following Cisco ISE components: admin UI, ERS, OpenAPI, secure ODBC, portals, and pxGrid.

A list of ciphers is displayed with allowed ciphers already selected. For example, if the Allow SHA1 Ciphers option is enabled, SHA1 ciphers are enabled in this list. If the Allow Only TLS_RSA_WITH_AES_128_CBC_SHA option is selected, then only this SHA1 cipher is enabled in this list. If the Allow SHA1 Ciphers option is disabled, you cannot enable any SHA1 cipher in this list.

For more information, see "Configure Security Settings" in the Chapter "Segmentation" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.

Posture and Client Provisioning Support for ARM64 Version of Agent

From Cisco ISE Release 3.3, posture policies and client-provisioning policies are supported for ARM64 endpoints. You can upload the ARM64 version of agent for ARM64 endpoints.

Note the following points while configuring an ARM64 client-provisioning policy:

  • ARM64 posture policies are supported for the following:

    • Windows Agent

    • Mac Agent

    • Mac Temporal Agent

    • Mac Agentless

    Windows policies run separate packages for ARM64 and Intel architectures. Windows Temporal and Windows Agentless are not supported on ARM64 architecture, but are supported on Intel architecture.

    macOS policies run the same package for both architectures.

  • ARM64 package is supported for Cisco AnyConnect VPN and Cisco Secure Client.


    Cisco Secure Client 5.0.4xxx and later versions support posture and client-provisioning policies for ARM64 endpoints.

    ARM64 compliance module 4.3.3583.8192 and later versions can be used with Cisco Secure Client 5.0.4xxx and later versions along with Cisco ISE 3.3 and later versions for ARM64 endpoints. You can download the compliance modules from the Software Download Center.

  • ARM64 agent auto upgrade and compliance module upgrade are supported.

  • Google Chrome and Microsoft Edge 89 and later versions support web redirection for OS Architecture conditions like arm64, 64-bit, and 32-bit.

    Firefox browser does not support web redirection for OS Architecture conditions like arm64, 64-bit, and 32-bit. Hence, it cannot be used to match ARM64 client-provisioning policies. The following message is displayed when you use the Firefox browser:

    ARM64 endpoints do not support Firefox browser, and there may be compatibility issues if you continue downloading this agent. We recommend that you use Chrome or Microsoft Edge browser instead.

  • You cannot combine BYOD and ARM64 client-provisioning policies.

  • Ensure that the ARM64 condition policy is at the top of the conditions list (listed above the policies without an ARM64 condition). This is because an endpoint is matched sequentially with the policies listed in the Client Provisioning Policy window.

For more information, see "Configure Client Provisioning Policy for ARM64 Version of Agent" in the Chapter "Compliance" in the Cisco Identity Services Engine Administrator Guide, Release 3.3.

pxGrid Context-in Enhancements

From Cisco ISE Release 3.3, you have context-in API support in pxGrid. You can create custom attributes for endpoints and use OpenAPI for context-in support. For more information, see the Cisco ISE API Reference Guide.

pxGrid Cloud Support for Context-in

From Cisco ISE Release 3.3, you have context-in API support in pxGrid Cloud. You can create custom attributes for endpoints and use OpenAPI for context-in support. For more information, see the Cisco ISE API Reference Guide.

pxGrid Direct Enhancements

pxGrid Direct is no longer a controlled introduction feature. Before you upgrade to Cisco ISE Release 3.3 from Cisco ISE Releases 3.2 or 3.2 Patch 1, we recommend that you delete all configured pxGrid Direct connectors and any authorization profiles and policies that use data from pxGrid Direct connectors. After you upgrade to Cisco ISE Release 3.3, reconfigure pxGrid Direct connectors.


If you do not delete the configured pxGrid Direct connectors, the connectors are automatically deleted during the upgrade. This deletion results in uneditable and unusable authorization profiles and policies that you must delete and replace with new ones.

For more information on changes to the pxGrid Direct feature, see "pxGrid Direct" in the chapter "Asset Visibility" in the Cisco ISE Administration Guide, Release 3.3.

RADIUS Step Latency Dashboard

The RADIUS Step Latency dashboard (Log Analytics > Dashboard) displays the maximum and average latencies for the RADIUS authentication flow steps for the specified time period. You can also view the maximum and average latencies for the Active Directory authentication flow steps (if Active Directory is configured on that node) and the Top N RADIUS authentication steps with maximum or average latencies.

For more information, see "Log Analytics" in the Chapter "Maintain and Monitor" in the Cisco ISE Administration Guide, Release 3.3.

Schedule Application Restart After Admin Certificate Renewal

After you renew an admin certificate on the primary PAN, all the nodes in your deployment must be restarted. You can either restart each node immediately or schedule the restarts later. This feature allows you to ensure that no running processes are disrupted by the automatic restarts, giving you greater control over the process. You must schedule node restarts within 15 days of certificate renewal.

For more information, see "Schedule Application Restart After Admin Certificate Renewal" in the chapter "Basic Setup" in the Cisco ISE Administration Guide, Release 3.3.

Split Upgrade of Cisco ISE Deployment from GUI

Split upgrade is a multistep process that upgrades your Cisco ISE deployment while keeping services available to users. Upgrading the nodes in iterations or batches limits the downtime.

For more information, see "Split Upgrade of Cisco ISE Deployment from GUI" in the chapter "Perform the Upgrade" in the Cisco Identity Services Engine Upgrade Guide, Release 3.3.

Ukrainian Language Support in Portals

Guest, Sponsor, My Devices, and Client Provisioning portals now include Ukrainian as a supported localization language.

Wi-Fi Device Analytics Data from Cisco Catalyst 9800 Wireless LAN Controller

You can create profiling policies, authorization conditions, and authentication conditions and policies for Apple, Intel, and Samsung endpoints, using device analytics data from the Cisco Wireless LAN Controllers integrated with your Cisco ISE.

For more information, see "Wi-Fi Device Analytics Data from Cisco Catalyst 9800 Wireless LAN Controller" in the Chapter "Asset Visibility" in the Cisco ISE Administration Guide, Release 3.3.

System Requirements

For an uninterrupted Cisco ISE configuration, ensure that the following system requirements are fulfilled.

For more details on hardware platforms and installation of this Cisco ISE release, see the Cisco Identity Services Engine Hardware Installation Guide.


Cisco ISE cannot be installed on OpenStack.

Supported Hardware

Cisco ISE 3.3 can be installed on the following Secure Network Server (SNS) hardware platforms:

Table 1. Supported Platforms

Hardware Platform

  • Cisco SNS-3615-K9 (small)

  • Cisco SNS-3655-K9 (medium)

  • Cisco SNS-3695-K9 (large)

  • Cisco SNS-3715-K9 (small)

  • Cisco SNS-3755-K9 (medium)

  • Cisco SNS-3795-K9 (large)

For appliance hardware specifications, see the Cisco Secure Network Server Appliance Hardware Installation Guide.


Note that the filenames of the OVA templates have been changed in Cisco ISE Release 3.3.

The following OVA templates can be used for SNS 3600 series appliances:

OVA Template                          ISE Node Size

                                      Extra Small


The following OVA templates can be used for both SNS 3600 and SNS 3700 series appliances:

OVA Template                          ISE Node Size

                                      Extra Small


Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

  • VMware ESXi 6.7, 7.0, and 8.0

    Cisco ISE Release 3.3 is the last release to support VMware ESXi 6.7.

    For Cisco ISE Release 3.0 and later releases, we recommend that you update to VMware ESXi 7.0.3 or later releases.

    If you use vTPM devices, you must upgrade to VMware ESXi 7.0.3 or later releases.

    • OVA templates: VMware version 14 or higher on ESXi 6.7, ESXi 7.0, and ESXi 8.0.

    • ISO file: supports ESXi 6.7, ESXi 7.0, and ESXi 8.0.

    You can deploy Cisco ISE on VMware cloud solutions on the following public cloud platforms:

    • VMware Cloud on Amazon Web Services (AWS): Host Cisco ISE on a software-defined data center provided by VMware Cloud on AWS.

    • Azure VMware Solution: Azure VMware Solution runs VMware workloads natively on Microsoft Azure. You can host Cisco ISE as a VMware virtual machine.

    • Google Cloud VMware Engine: Google Cloud VMware Engine runs a VMware software-defined data center on Google Cloud. You can host Cisco ISE as a VMware virtual machine on the software-defined data center provided by VMware Engine.

  • Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later

  • KVM on QEMU 2.12.0-99

  • Nutanix AHV 20220304.392

You can deploy Cisco ISE natively on the following public cloud platforms:

  • Amazon Web Services (AWS)

  • Microsoft Azure

  • Oracle Cloud Infrastructure (OCI)


From Cisco ISE 3.1, you can use the VMware migration feature to migrate virtual machine (VM) instances (running any persona) between hosts. Cisco ISE supports both hot and cold migration. Hot migration is also called live migration or vMotion. Cisco ISE does not need to be shut down or powered off during a hot migration; you can migrate the Cisco ISE VM without any interruption in its availability.

For information about the virtual machine requirements, see the Cisco Identity Services Engine Installation Guide for your version of Cisco ISE.

Validated Browsers

Cisco ISE 3.3 has been validated with the following browsers:

  • Mozilla Firefox versions 113 and 114

  • Google Chrome versions 112, 114, 116, and 117

  • Microsoft Edge versions 112, 115, and 117

Validated External Identity Sources


The supported Active Directory versions are the same for both Cisco ISE and Cisco ISE-PIC.

Table 2. Validated External Identity Sources

External Identity Source                            Version

Active Directory
  Microsoft Windows Active Directory 2012           Windows Server 2012
  Microsoft Windows Active Directory 2012 R2        Windows Server 2012 R2
  Microsoft Windows Active Directory 2016           Windows Server 2016
  Microsoft Windows Active Directory 2019           Windows Server 2019
                                                    Windows Server 2022 with Patch Windows10.0-KB5025230-x64-V1.006.msu

LDAP Servers
  SunONE LDAP Directory Server                      Version 5.2
  OpenLDAP Directory Server                         Version 2.4.23
  Any LDAP v3 compliant server                      Any version that is LDAP v3 compliant

Token Servers
  RSA ACE/Server                                    6.x series
  RSA Authentication Manager                        7.x and 8.x series
  Any RADIUS RFC 2865-compliant token server        Any version that is RFC 2865 compliant

Security Assertion Markup Language (SAML) Single Sign-On (SSO)
  Microsoft Azure
  Oracle Access Manager (OAM)
  Oracle Identity Federation (OIF)
  PingFederate Server
  PingOne Cloud
  Secure Auth
  Any SAMLv2-compliant Identity Provider            Any Identity Provider version that is SAMLv2 compliant

Open Database Connectivity (ODBC) Identity Source
  Microsoft SQL Server                              Microsoft SQL Server 2012 Enterprise Edition Release

Social Login (for Guest User Accounts)

You can add up to 200 domain controllers to Cisco ISE. If you exceed this limit, you receive the following error:

Error creating <DC FQDN> - Number of DCs Exceeds allowed maximum of 200

Cisco ISE supports all the legacy features in Microsoft Windows Active Directory 2012 R2. However, the new features in Microsoft Windows Active Directory 2012 R2, such as Protective User Groups, are not supported.


Cisco ISE 2.6 Patch 4 and later support all the legacy features in Microsoft Windows Active Directory 2019.

See the Cisco Identity Services Engine Administrator Guide for more information.

Validated OpenSSL Version

Cisco ISE 3.3 is validated with OpenSSL 1.1.1t and Cisco SSL 7.3.265.

OpenSSL Update Requires CA:True in CA Certificates

For a certificate to be defined as a CA certificate, the certificate must contain the following property in its Basic Constraints extension:

CA:True

This property is mandatory to comply with recent OpenSSL updates.
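As an added check, not part of these release notes: the following shell script, which assumes the openssl CLI is installed, creates two constructed self-signed certificates and tests which of them carries the CA:TRUE Basic Constraints property; the same is_ca_cert function can be pointed at any PEM file before you import it as a CA certificate.

```shell
#!/bin/sh
# Added example, not from the Cisco release notes: verify that a PEM
# certificate carries Basic Constraints CA:TRUE before importing it into
# Cisco ISE as a CA certificate. Assumes the openssl CLI is available
# (1.1.1 or later, for the "x509 -ext" option).

# is_ca_cert CERT.pem
# Returns 0 when the Basic Constraints extension says CA:TRUE, 1 otherwise
# (including when the extension is absent altogether).
is_ca_cert() {
    openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null \
        | grep -q 'CA:TRUE'
}

# make_selfsigned PREFIX SECTION
# Writes a throwaway self-signed certificate to PREFIX.pem using the
# extension SECTION ("ca_ext" or "ee_ext") from a constructed config file.
# Demo material only; the generated keys are not for real use.
make_selfsigned() {
    cat > "$1.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = ise-demo
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ee_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
    openssl req -x509 -config "$1.cnf" -extensions "$2" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.pem" -days 1 >/dev/null 2>&1
}

# Usage: report on every PEM file given on the command line.
main() {
    for f in "$@"; do
        if is_ca_cert "$f"; then
            echo "$f: CA:TRUE present, acceptable as a Cisco ISE CA certificate"
        else
            echo "$f: CA:TRUE missing, Cisco ISE will not treat this as a CA certificate"
        fi
    done
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```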

Upgrade Information


Upgrades cannot be performed on Cisco ISE nodes deployed in native cloud environments. You must deploy a new node with a newer version of Cisco ISE and restore the configuration of your older Cisco ISE deployment onto it.

Upgrading to Release 3.3

You can directly upgrade to Release 3.3 from the following Cisco ISE releases:

  • 3.0

  • 3.1

  • 3.2

If you are on a version earlier than Cisco ISE, Release 3.0, you must first upgrade to one of the releases listed above, and then upgrade to Release 3.3.

We recommend that you upgrade to the latest patch in the existing version before starting the upgrade.

Cisco ISE, Release 3.3, has parity with the following Cisco ISE patch releases and their earlier patches: 3.2 Patch 2, 3.1 Patch 7, and 3.0 Patch 7.

Upgrade Procedure Prerequisites

  • Run the Upgrade Readiness Tool (URT) before the upgrade to check whether the configured data can be upgraded to the required Cisco ISE version. Most upgrade failures occur because of data upgrade issues. The URT validates the data before the actual upgrade and reports the issues, if any. The URT can be downloaded from the Cisco ISE Download Software Center.

  • We recommend that you install all the relevant patches before beginning the upgrade.

For more information, see the Cisco Identity Services Engine Upgrade Guide.

Cisco ISE Integration with Cisco Digital Network Architecture Center

Install a New Patch

For instructions on how to apply the patch to your system, see the "Cisco ISE Software Patches" section in the Cisco Identity Services Engine Upgrade Journey.

For instructions on how to install a patch using CLI, see the "Patch Install" section in the Cisco Identity Services Engine CLI Reference Guide.


If you have installed a hot patch on Cisco ISE 3.1, you must roll back the hot patch before installing a patch. Otherwise, the services might not start because of an integrity-check security issue.


The Caveats section includes the bug ID and a short description of the bug. For details on the symptoms, conditions, and workaround for a specific caveat, use the Cisco Bug Search Tool (BST). The bug IDs are sorted alphanumerically.


The Open Caveats section lists the open caveats that apply to the current release and might apply to releases earlier than Cisco ISE 3.3. A caveat that is open for an earlier release and is still unresolved applies to all future releases until it is resolved.

The BST, which is the online successor to the Bug Toolkit, is designed to improve the effectiveness of network risk management and device troubleshooting. You can search for bugs based on product, release, or keyword, and aggregate key data such as bug details, product, and version. For more details on the tool, see the Help page located at

New Features in Cisco ISE, Release 3.3 - Cumulative Patch 1

Cisco Duo Integration for Multifactor Authentication

From Cisco ISE Release 3.3 Patch 1, you can directly integrate Cisco Duo as an external identity source for multifactor authentication (MFA) workflows. In earlier releases of Cisco ISE, Cisco Duo was supported as an external RADIUS proxy server and this configuration continues to be supported.

This Cisco Duo integration supports the following multifactor authentication use cases:

  1. VPN user authentication

  2. TACACS+ admin access authentication

For more information on this feature, see "Integrate Cisco Duo With Cisco ISE for Multifactor Authentication" in the Chapter "Segmentation" of the Cisco ISE Administration Guide, Release 3.3.

Customer Experience Surveys

Cisco ISE now presents customer satisfaction surveys to its users within the administration portal. The periodic administration of customer satisfaction surveys helps us better understand your Cisco ISE experiences, track what is working well, and identify areas of improvement. After you submit a survey, you are not presented with another survey for the next 90 days.

The surveys are enabled by default in all Cisco ISE deployments. You can disable the surveys at a user level or for a Cisco ISE deployment.

For more information, see "Customer Experience Surveys" in the Chapter "Basic Setup" in the Cisco ISE Administrator Guide, Release 3.3.

Microsoft Intune Ends Support for UDID-Based Queries for Its MDM Integrations

From March 24, 2024, Microsoft Intune will not support UDID-based queries for its MDM integrations, as detailed in this Field Notice. The Cisco ISE APIs that fetch required endpoint information from Microsoft Intune MDM integrations have changed in response to this end of support.

From Cisco ISE Release 3.3 Patch 1, Microsoft Intune only provides the following endpoint details in response to compliance APIs:

  • Device compliance status

  • Managed by Intune

  • MAC address

  • Registration status

For more information on these changes, see Integrate MDM and UEM Servers with Cisco ISE.

Resolved Caveats in Cisco ISE Release 3.3 - Cumulative Patch 1




Cisco ISE Passive ID sessions are always cleared after an hour.


Read-only admin group users have full accesss when logging into Cisco ISE GUI through SAML authentication.


Data corruption is causing an authenticaltion failure with the error messages: FailureReason=11007 or FailureReason=15022.


Sponsor permissions are disabled on sponsor portal when accessed from the primary PAN persona.


In the pxGrid Endpoints page, the endpoint details are not displayed accurately.


The dedicated MnT nodes in a Cisco ISE deployment do not replicate the SMTP configuration.


Cisco ISE REST API documentation provides incorrect script while creating endpoint group.


A match authorization profile with SGT, VN name, VLAN fields empty causes port to crash.


Expired guest accounts don't receive SMS when they try to reactivate account.


Disabled essential license leads to limited Cisco ISE GUI page access and inability to regenerate root CA.


Acs.Username is not being updated with guest username in 1st device connection.


Local or global exception rules are not matched for authorization policy.


GUI doesn't load when trying to edit Client Provisioning Portal config


The OpenAPI for endpoints are not working for the existing IOT asset attributes.


The sync status is displayed as failed when the maximum number of TrustSec objects are selected for syncing.


The PreferredDCs registry value cannot be set during advanced tuning.


Date of last purge has a wrong timestamp.


MNT log processor is enabled on non-MNT admin Cisco ISE node.


In Cisco ISE Release 3.2, the SNMP is not working following a node restart.


Allow launch program remediation to have a set order.


The Sponsor portal shows the wrong days of week information from the [Setting date] tab when using the Japanese Cisco ISE GUI.


Inconsistency in VLAN ID results in erorr message: Not a valid ODBC dictionary.


In Cisco ISE Release 3.1 Patch 5: Some internal users passwords are not expiring after the configured global password expiry dates.


In Cisco ISE Release 3.1 Patch 5: An attempt to remove the guest portal after a PAN failure leads to a ORA-02292 integrity constraint.


Removal of EPS from the Cisco ISE code.


Cisco ISE GUI pages are not loading properly with custom admin menu workcenter permissions.


Cisco ISE cannot load corrupted NAD profiles causing authorization failures with the following reasons: failureReasons 11007 and 15022.


Cisco ISE Alarm and Dashboard Summary does not load.


Cisco ISE he hot patches are not getting installed when both the patch and hot patches are in ZTP configuration.


RADIUS server sequence configuration gets corrupted.


Reconfiguring repository with credentials is required following the restoration of a configuration backup.


Cisco ISE Release 3.1: Administrator Login Report shows 'Administrator authentication failed' every 5 minutes.


pxGrid does not show the topic registratrion details.


Agentless posture is not working in Windows if the username starts with the special character '$'.


The AnyConnect posture script does not run when the script condition name contains a period.


Cisco ISE Release 3.1: Agentless posture flows fail when the domain user is configured for an endpoint login.


In Cisco ISE Release 3.2, the order of the IP name-servers in the running configuration is fallible.


Cisco ISE API desn't recognize the identity groups while creating user accounts.


Vulnerabilities in log4net


Cisco ISE Release 3.2 Patches 2 and 3: Unable to create a user with authorization and privacy password that is equal to 40 characters.


Unable to delete existing devices in My Device Portal following a restoration from Cisco ISE Release 2.7.


NAD RADIUS shared secret key is incorrect when it starts with an apostrophe on Cisco ISE Release 3.1 Patches 1, 2, 3, 4, and 5.


After an admin certificate change, Cisco ISE is not restarting services if the bond interface is configured.


Cisco ISE Release 3.2 Patch 3 and Cisco ISE Release 3.3: The initialization of portals fails if IPV6 enable is the only IPV6 command on the interface.


An endpoint's MAC address is not added to the endpoint identity group when using grace access in the guest portal.


Cisco ISE SXP bindings API call returns 2xx response when the call fails.


Cisco ISE Release 3.2 Patch 3: The adapter.log remains in the INFO state even if the Cisco ISE GUI configuration is set to TRACE or DEBUG.


CRL retrieval is failing.


Context visibility: Endpoint custom attributes cannot be filtered with special characters.


In Cisco ISE Release 3.2, the authorization policy search feature is not working.


Cisco ISE Sponsor Portal is displaying an invalid input error when special characters are used in the guest type.


Cisco ISE Open API: /certs/system-certificate/import must support multi-node deployment.


Guest portal FQDN is mapped with IP address of the node in the database.


In Cisco ISE Release 3.2, the self-registered email subject line truncates everything after the equal (=) sign on the sponsor guest portal.


In pxGrid direct, if the user data information is stored in a nested object within the data array, Cisco ISE is unable to process it.


Cisco ISE cannot retrieve a peer certificate during EAP-TLS authentication.


Cisco ISE: Enhancement for the encryption to only send AES256 for MS-RPC calls.


Removing one of multiple DNS servers using "no ip name-server <IP_of_DNS_server>" command restarts Cisco ISE services without a restart prompt.


Cisco ISE Release 2.7: Unable to disable the scheduled Active Directory Diagnostic Tool tests.


pxGrid Direct: Premier license is required to add a connector. To use the feature, you need the Advantage license.


Agentless posture script does not run when the endpoint is not connected to an AC power source.


Terms and Conditions checkbox disappears when Portal Builder is used for Cisco ISE Release 3.0 and later releases.


Cisco ISE Release 3.0 Patch 6: Policy export fails to export the policies.


DockerMetrics - Report needs to be changed.


Cisco ISE Release 3.1 on AWS gives a false negative on the DNS check for Health Checks.


Cisco ISE Release 3.1: Services failed to start after restoring a backup from Cisco ISE Release 2.7.


Guest account cannot be seen by sponsors in a specific sponsor group.


Cisco ISE EasyConnect stitching does not happen when the PassiveID syslog is received by MnT before the active authentication syslog.


Cisco ISE Release 3.2 Patch 3: CRL Download failure.


The certificates API - /admin/API/PKI/TrustCertificates is not exposed but breaks Cisco DNA Center integration with AD username.


"Configuration Missing" warning is seen when navigating to the Log Analytics page.


Updates to the internal users using ERS APIs must retain the values of non-mandatory attributes.


The Show CLI command throws an exception after configuring the log level to 5.


Cisco ISE Release 3.2: GUI issues are noticed in Windows when adding a new context visibility dashboard.


Cisco ISE 3.x: There is a spelling mistake in the API gateway settings.


Aruba-MPSK-Passphrase needs encryption support.


The user identity group and endpoint identity group description fields have a character limit of 1199.


Cisco ISE Release 2.7 Patch 6 is unable to filter TACACS live logs by network device IP.


Profiling is not processing calling station ID values with the following format: XXXXXXXXXXXX.


Cisco ISE Release 3.1 Patch 5: Cannot generate pxGrid client certificate leveraging the CSR option.


While registering a node with leftover certificates from deregistration, the certificates that are currently in use get deleted.


Trash all or selected option at pxGrid policy should not touch entries for internal group.


Cisco ISE patch GUI installation is stuck on a specific Cisco ISE node in deployment.


Cisco ISE agentless posture does not support password containing a colon.


An export of all the network devices on Cisco ISE results in an empty file.


Cisco ISE: Get All Endpoints request takes a longer time to execute from Cisco ISE Release 2.7.


RBAC policy with custom permissions is not working when the administration menu is hidden.


Meraki Sync service is not running immediately after a Cisco ISE application server restart.


Endpoint .csv file import displays "no file chosen" after selecting the file.


Cisco ISE Release 3.3 cannot register new nodes to the deployment post upgrade due to the node exporter password not being found.


Profiler CoA sent with the wrong session ID.


Operational backups from the Cisco ISE GUI to the SFTP repositories fail if the PKI key pair passphrase contains a plus (+) symbol.


TopN device admin reports do not work when incoming TACACS exceeds 40M records per day.


Cisco ISE Max Session Counter time limit is not working.


Asynchronous policy engine affecting CoA for ANC quarantine of active VPN clients.


pxgriddirect-connector.log shows a discrepancy between the actual clock time and the time it prints the logs.


Unable to log in to the secondary admin node's GUI using AD credentials.


Cisco ISE Release 3.0: A connection attempt to not allowed on the domains.


Cisco ISE authorization rule evaluation is broken for attempts using EAP-chaining and Azure AD groups.


A critical error seen in Client Provisioning Portal customization.


Using an apostrophe in the First Name and/or Last name field presents an invalid name error.


SXP can create inconsistent mapping between IP address and SGT.


Cisco ISE Intune MDM integration may be disrupted due to end of support for MAC address-based APIs from Intune.


Upgrade to Cisco ISE Release 3.2 with LSD disabled prior to the upgrade is causing EP profiler exception.


Cisco ISE limits connection to AMP AMQP service to TLSv1.0.


Cisco ISE and CVE-2023-24998.


Cisco ISE - Unable to disable SHA1 for ports associated with Passive ID agents.


Cisco ISE Release 3.1 Patch 7: Unable to change admin password if it contains special character '$'.


Add the "disable EDR internet check" tag.


Add a mechanism to fetch user data for pxGrid connector.


Cisco ISE Release 3.2 Patch 3: CoA disconnect is sent instead of CoA push during posture assessment with the RSD disabled.


GCMP256 auth with SHA384withRSA4096 certificate (Android 12 requirement) failing authorization.


TCP Socket Exhaustion.


Vulnerabilities in axios 0.21.1.


Cisco ISE CLI admin user is unable login after about 2 months of not using the Cisco ISE CLI.


Cisco ISE-PIC license expiration alarms.


TACACS deployment with 0 days evaluation will not work after registering to smart licensing.


Need CoA port-bounce while removing ANC policy with PORT_BOUNCE.


Vulnerabilities in antisamy 1.5.9.


After performing a reset configuration, there is a mismatch in the FQDN value in the GUI and CLI.


The Cisco ISE automatic crash decoder is faulty.


Profiler is triggering a port bounce when multiple sessions exist on a switch port.


Enable password of the internal users is created when it has not been specified through the ERS API.


German and Italian emails cannot be saved under Account Expiration Notification in Guest Types.


The other conditions are re-ordered after saving in Client Provisioning Policy.


ISEaaS: AWS - Support IMDS v2.


Static IPV6 routes are removed after a reload in Cisco ISE Release 3.2.


Cisco ISE Release 3.2 API: System certificate import does not work for Cisco ISE node in deployment.


Unable to match Azure AD group if the user belongs to more than 99 groups.


Smart license registration failure with "communication send error" alarms happens intermittently.


Cisco ISE is changing the MAC address format according to the selected MAC Address Format even when it is not a MAC.


Unable to edit or delete authorization profiles with parentheses in their names.


Manual deletion of the static route will cause Cisco ISE to send a packet with wrong MAC addresses in Cisco ISE Release 3.0 Patch 7.


ct_engine is using 100% CPU.


Not able to schedule or edit schedule for configuration backup.


ANC remediation is not functioning with AnyConnect VPN.


Cisco ISE does not consume a license when the authorization rule has no authorization profile.


Cannot edit or create admin user due to "xwt.widget.repeater.DataRepeater" error.


Cisco ISE drops RADIUS request with the message "Request from a non-wireless device was dropped".


Cisco ISE context visibility does not validate static MAC entries if they miss a separator like colon.


Cisco ISE Release 3.1 Patch 7: Context Visibility and pxGrid ContextIn are missing custom attributes.


Cisco ISE services are stuck in the initializing state with secure syslogs.


ERS SDK developer resources on use cases are not loading properly.


Threads get blocked on primary PAN if port 1521 is not available.

Open Caveats in Cisco ISE Release 3.3 - Cumulative Patch 1

Caveat ID Number



Cisco ISE Releases 3.1 and 3.2: Missing validation for existing routes during CLI configuration.


In Cisco ISE Release 3.2 Patch 1, the Cisco ISE GUI and CLI are inaccessible following a configuration restoration with ADE-OS.

Resolved Caveats in Cisco ISE Release 3.3

The following table lists the resolved caveats in Release 3.3.

Caveat ID Number



The Upgrade tab in Cisco ISE shows that the upgrade is in progress after installing a patch.


Cisco ISE privilege escalation vulnerability.


The fetch command of ROPC groups with nearly 53k groups is not working in the Cisco ISE GUI.


In Cisco ISE Release 3.2, the System 360 feature is not available with the Device Admin license.


The Cisco ISE CRL Retrieval Failed alarm needs to display the server on which the CRL download failed.


Unable to delete custom endpoint attribute in Cisco ISE.


The Session.CurrentDate attribute is not calculated correctly during authentication of endpoints in Cisco ISE.


The Cisco ISE SSL buffer is causing problems with PAC decryption. This is affecting the EAP-FAST flows in Cisco ISE.


Posture assessment by condition generates the following invalid identifier: ORA-00904: "SYSTEM_NAME" in the Cisco ISE GUI.


Cisco ISE command injection vulnerability.


The Configuration Changed field is not working when assigning an endpoint to a group in Cisco ISE.


The TrustSec status cannot be changed if you are using the Japanese Cisco ISE GUI.


The Policy Service Node is not accessible in the Cisco ISE GUI when the Device Administration license is enabled.


In Cisco ISE Release 3.1, the copy command using the TFTP protocol times out.


In Cisco ISE Release 3.2 patch 3, the disabled Cisco ISE-PIC smart license is being used erroneously for upgrade.


The queue link error alarms are not displayed in Cisco ISE-PIC nodes.


Cisco ISE privilege escalation vulnerability.


Cisco ISE nodes upgraded using the CLI do not progress beyond the "Upgrading" status in the Cisco ISE GUI.


Cisco ISE XML external entity injection vulnerability.


Vulnerabilities in Sudo 1.8.29 (a third-party software) have been fixed.


In Cisco ISE Release 3.1, the Active Directory Retrieve Groups window displays a blank screen when loading a large number of Active Directory groups.


Unable to launch Cisco ISE Release 3.2 in Safe Mode.


Common Policy (CDP) is not enabled by default in Cisco ISE Releases 3.1 and 3.2.


Use the toggle button to enable or disable RSA PSS ciphers based on policy under Allowed Protocols in the Cisco ISE GUI.


When a default static route is configured with an interface's subnet gateway excluding Giganet 0, the network connectivity to Cisco ISE is lost.


Cisco ISE smart licensing now uses smart transport.


The CoA is failing in Cisco ISE due to usage of old and stale audit session IDs.


Users may experience some slowness on Support Bundle page because of the Download Logs page loading in the background.


Cisco ISE Release 3.2 is crashing as soon as a RADIUS request is received with EAP-FAST and EAP Chaining.


Unable to retrieve groups from different LDAPs when nodes are using servers that are undefined.


PRRT should be sending unfragmented messages to the monitoring node if IMS is enabled.


Cisco ISE PassiveID agent probes the status of all domains (including domains that do not have a PassiveID configuration).


There are intermittent issues with app activation.


The Cisco ISE GUI crashes while loading the authorization policy on Google chrome and Microsoft Edge browsers.


The duplicate manager doesn't remove relevant packets when there is an exception in the reading configuration.


The RADIUS token server configuration accepts empty host IP address for secondary server.


The self-registration portal does not support the FQDNs of the nodes for the Approve/Deny links sent to the sponsors.


Network Device Group information is missing when a Cisco ISE admin account has only read access.


In Cisco ISE Release 3.0 patch 6, the scheduled reports created by external admins are missing.


Unable to change the identity source from internal source to external source in the RSA/RADIUS-token server.


In Cisco ISE Release 3.1, the application server crashes if CRL of 5MB or more is downloaded frequently.


Multiple requests for the same IP, VN, and VPN combinations with different session IDs are creating duplicate records in Cisco ISE.


Cisco ISE Releases 3.2, 3.1, and 3.0 display mismatched information on the "Get All Endpoints" report.


A sponsor portal print issue in Cisco ISE displays guest user settings based on the From-First-Login guest account setting instead of the configured purge settings.


Cisco ISE insufficient access control vulnerability.


The anomalous behavior detection is not working as expected in Cisco ISE.


The latest IP access restriction configuration removes the previous configuration in Cisco ISE.


The RADIUS server sequence page displays "no data available".


The email notification when a guest account creation is denied is not sent to the admin.


Cisco ISE authorization bypass vulnerability.


Cisco ISE Release 3.2 does not support 16-character passwords for SFTP configuration.


The SXP service gets stuck in the initial setup due to an exception on 9644.


Cisco ISE command injection vulnerability.


In Cisco ISE Release 3.1, the SXP Bindings report displays the "No data found" error.


Cisco ISE 3.2 does not support portal customization scripts that include single-line JavaScript comments.


The TrustSec PAC Information Field attribute values are lost when importing a network device CSV template file.


Scheduled reports with large data sizes are displayed as "empty" in the Cisco ISE repository.


In Cisco ISE Release 3.1, the certificate based login asks for license files only if the Device Admin license is enabled.


Cisco ISE authentication latency is observed because of devices with no MAC addresses.


"Read-only Admin" not available for Cisco ISE admin SAML authentication.


The Cisco ISE admin account created from network access users can't change dark mode settings in the Cisco ISE GUI.


Cisco ISE command injection vulnerability.


Cisco ISE command injection vulnerability.


Cisco ISE path traversal vulnerability.


Endpoint Protection Service has been removed from the Cisco ISE code.


The Cisco ISE network device captcha is prompted only when the filter matches a single network device.


Certificate authentication permissions in the Cisco ISE GUI have been modified for Cisco ISE Release 3.1 patch 4.


The Cisco ISE ERS SDK documentation for network device bulk requests is incorrect.


Scheduled RADIUS authentication reports in Cisco ISE fail while exporting them to the SFTP repository.


Windows server 2022 is working as the target domain controller and should be monitored.


The resolution for CSCvz85074 breaks AD group retrieval in Cisco ISE.


The Cisco ISE MNT authentication status API query should be optimized.


The Cisco ISE-PIC agent provides session stitching support.


The RADIUS used space in Cisco ISE reports incorrect usage. This is because it also takes TACACS tables into account for the final report.


In Cisco ISE Release 3.2, hyper-V installations have DHCP enabled.


Cisco ISE upgrade is failing because of custom security groups.


Cisco ISE does not display an error message when importing a certificate and private key that contains '% " in the password.


In Cisco ISE Release 3.2, the SFTP repositories are not operational from the Cisco ISE GUI even after clicking the "generate key pairs" option.


Unable to download REST-ID stores from Download Logs on the Cisco ISE GUI.


Vulnerabilities in Tomcat 9.0.14.


The NetworkSetupAssistance.exe digital signature certificate is expired in the BYOD flow when using Sierra Pacific Windows (SPW windows in Microsoft Windows).


Cisco ISE Release 3.2 ROPC basic serviceability improvements.


In Cisco ISE Release 3.2, the ports for Guest Portal configuration do not open on Cisco ISE nodes that are installed on AWS.


Using potentially insecure methods: HTTP PUT method accepted.


From Cisco ISE Release 3.2, text passwords must be entered in the identity-store command.


The support bundle does not contain tterrors.log and times.log.


Cisco ISE stored cross-site scripting vulnerability.


The deferred update condition will not work if the compliance module is not compatible with Cisco Secure Client.


Users cannot add the quotation character in a TACACS authorization profile.


Cisco ISE TrustSec Logging: The SGT create event is not logged to ise-psc.log file.


Automatic backup stops working after 3 to 5 days.


High CPU utilization due to agentless posture configured in Cisco ISE.


Unable to parse CLI Username with '-' (hyphen/dash) in Cisco ISE Release 3.2 Patch 1.


Metaspace exhaustion causes crashes on the Cisco ISE node in Cisco ISE Release 3.1.


Cisco ISE Release 3.2 crashing with VN in authorization profile.


Cisco ISE Release 3.2 ERS POST /ers/config/networkdevicegroup fails because the attribute othername/type/ndgtype is broken.


Configuration changes to guest types are not updated in the audit reports.


Full upgrade from Cisco ISE Release 3.0 to Cisco ISE Release 3.1 failed due to DB service timeout.


Network Device Profile shows HTML code as name.


In Cisco ISE Release 3.2, an error is displayed when entering the DNS domain in the Cisco ISE deploy instance on cloud.


In Cisco ISE Release 3.2, the SAML sign authentication request setting is getting unchecked upon saving the setting.


In Cisco ISE Release 3.2 Patch 1, connections are established to servers not listed in the Cisco ISE ports, resources, or the reference guide.


Cisco ISE Release 3.1 creates cni-podman0 interface with IP and IP route for


Cisco ISE fails to translate AD attribute of msRASSavedFramedIPAddress.


The MDM connection to Microsoft SCCM fails after Windows DCOM Server Hardening for CVE-2021-26414.


Post service licensing update, the Cisco ISE Licensing page shows Evaluation compliance status for consumed licenses.


The ROPC authentication functionality is broken in Cisco ISE Release 3.2.


The monitoring log processor service stops every night.


Deleting SNMPv3 username with "-" or "_" character doesn't delete the hexadecimal username from Cisco ISE.


Allow Guest Portal HTTP requests containing content-headers with {} characters.


IotAsset information is missing when using Get All Endpoints.


Cisco ISE command injection vulnerability.


The guest locations do not load in the Cisco ISE Guest Portal.


RMQForwarder thread to control platform properties in the hardware appliance in Cisco ISE Release 2.7 patch 7.


The Cisco ISE hourly cleanup should clean the cached buffers instead of the 95% memory usage.


Cisco ISE command injection vulnerability.


Cisco ISE OpenAPI HTTP repo patch install fails when direct listing is disabled.


Cisco ISE with two interfaces configured for portal access is broken.


Agentless posture fails when using multiple domain users in the endpoint login configuration.


Cisco ISE vPSN with IMS performance degrades by 30-40% compared to UDP syslog.


Queue link errors "Unknown CA" when utilizing third-party signed certificate for IMS.


Attempt to delete "Is IPSEC Device" NDG causes all subsequent RADIUS/TACACS+ authentications to fail.


The vertical scroll bar is missing in RBAC Data and Menu Permissions window in Cisco ISE Release 3.1.


Cisco ISE filter of REST ID Store Groups displays "Error processing this request."


Failed to handle API resource request: Failed to convert condition


Cisco ISE arbitrary file download vulnerability.


ISE IP SGT static mapping is not sent to SXP Domain upon moving it to another mapping group.


Primary administration node application server remains stuck at the initializing stage.


Cisco ISE Release 2.6 patch 7 is unable to match "identityaccessrestricted equals true" in the authorization policy.


Data is lost when accessing Total Compromised Endpoints in the Cisco ISE dashboard Threat for TC-NAC.


Cisco ISE is unable to join node to AD by REST API.


Authentication step latency for policy evaluation due to garbage collection activity in Cisco ISE.


Cisco ISE - Apache Tomcat vulnerability CVE-2022-25762.


Cisco ISE 3.0 is not saving SCCM MDM server objects with a new password but works when a new instance is in use.


An "Error loading page" error is displayed when creating a guest account in the Self-Registered Guest Portal in Cisco ISE.


Make MDM API V3 certificate string case insensitive.


Using "Export Selected" under Network Devices leads to the login screen with more selections.


Cisco ISE Release 3.2 URT fails with "Failed (Import into cloned database failed)" on Cisco ISE Release 3.1.


Cisco ISE Africa or Cairo timezone DST.


APIC integration in Cisco ISE Release 3.2 is missing fvIP subscription.


Cisco ISE Certificate API fails to return Trusted Certificate with hash character in the Friendly Name field.


APIC integration in Cisco ISE Release 3.2 fails to get EPs null (


Cisco ISE interface feature insufficient access control vulnerability.


Posture Requirements only show the default entry in Cisco ISE.


Cisco ISE Release 2.7 patch 8 lowers read test speeds from CLI causing the error "Insufficient Virtual Machine Resources".


Cisco ISE Release 3.2 is missing secondary policy administration node key for PKI-based SFTP.


Cisco ISE Live Session gets stuck at "Authenticated" state.


Cisco ISE Release 3.1 Patch 1 does not create the Rest ID or ROPC folder logs.


CIAM: openjdk - multiple versions.


Cisco ISE GUI is not validating the default value while adding custom attributes.


Unable to select ISE Messaging usage (appears grayed out) for an existing certificate in the Cisco ISE GUI.


Cisco ISE SAML certificate is not replicating to other nodes.


Evaluate Configuration Validator gets stuck when using a password with special characters in Cisco ISE.


Cisco ISE GUI TCP DUMP gets stuck in the "Stop_In_Progress" state.


IndexRebuild.sql script ran over the monitoring node in Cisco ISE.


Entering the incorrect password in the Cisco ISE GUI shows the end user agreement in Cisco ISE Release 3.1 patch 1.


Save button for SAML configuration is grayed out in the Cisco ISE GUI.


Cisco ISE path traversal vulnerability.


Hostnames on Cisco ISE should not exceed 19 characters when deployed via AWS.


MAC - CSC 5.0554 web deployment pkgs failed to upload.


Cisco ISE unauthorized file access vulnerability.


Static IP-SGT mapping with VN reference causes Cisco DNA Center Group-Based Policy sync to fail.


Cisco ISE is not deleting all the sessions from the SXP mapping table.


The transaction table should be truncated after a 2 million record count.


Cisco ISE cross-site scripting vulnerability.


Unable to create a scheduled backup with the admin user from "System Admin" AdminGroup in Cisco ISE.


CPU spike due to memory leak with EP purge call.


Accept client certificate without KU purpose validation per CiscoSSL rules.


PIC license consumption in Cisco ISE-PIC Release 3.1.


Cisco ISE - SQLException sent to the Collection Failure Alarm caused by NAS-Port-ID length.


Cisco ISE cross-site scripting vulnerability.


Cisco ISE stored cross-site scripting vulnerability.


Cisco ISE displaying Tomcat stacktrace when using a specific URL.


Cisco ISE Release 3.1 patch 5 verifies CA certificate EKU causing the "unsupported certificate" error.


Internal CA certificate chain becomes invalid if the original primary administration node is removed.


Unable to enable the firewall condition in Cisco ISE Release 3.1.


There are issues in the Trusted Certificates menu in Cisco ISE Release 3.1.


Getting PxGrid error logs in ise-psc.log after disabling PxGrid.


Cisco ISE is not sending the hostname attribute to Cisco DNA Center.


"Posture Configuration detection" alarms should be at the "INFO" level and must be reworded.


In Cisco ISE Release 3.2, users are not able to delete the rules which were added during IP access rule addition.


"All devices were successfully deleted" error after trying to delete one particular network access device by filtering.


PUT operation failing with payload via Cisco DNA Center to Cisco ISE (ERS).


Cisco ISE RADIUS and PassiveID session merging.


Not able to access Time Settings Configuration Export on Cisco ISE ERS API.


Add serviceability & fix "Could not get a resource since the pool is exhausted" Error in Cisco ISE Release 3.0.


REST AUTH services not running after upgrading from Cisco ISE Release 3.1 to Cisco ISE Release 3.2.


Cisco ISE integration with Cisco DNA Center fails if there are invalid certificates in the Cisco ISE trusted store.


Unable to import certificates on Secondary node post registration to the deployment.


Latency is observed during query of Session.PostureStatus.


TACACS Command Accounting report export is not working.


Not able to configure KRON job.


SG and contracts with multiple backslash characters in a row in the description cannot sync to Cisco ISE.


In Cisco ISE, the SMS Javascript customization is not working for SMS email gateway.


Cisco ISE Change Configuration Audit Report does not clearly indicate the SGT creation and deletion events.


CIAM: openjdk - multiple versions.


Cisco ISE cannot retrieve repositories and scan policies of Tenable Security Center.


Cisco ISE arbitrary file download vulnerability.


Cisco ISE abruptly stops consuming passive-id session from a third party syslog server.


Cisco ISE Release 3.1 configuration backup is executed on the primary monitoring node.


Unable to add Network Access Device due to the error: "There is an overlapping IP Address in your device".


PKI-enabled SFTP Repositories not working in Cisco ISE Release 3.2.


Smart license registration is not working.


Sponsored Portal in Germany - Calendar shows Thursday (Donnerstag) as Di not Do.


Cisco ISE Authorization Profile displays wrong Security Group or VN value.


In Cisco ISE Release 3.1 Patch 3, the Sponsor Portal - Session Cookie SameSite value set to none.


Cisco ISE TCP DUMP stuck at the error "COPY_REPO_FAILED" state when no repository is selected.


SXP service gets stuck at initializing due to H2 DB delay in querying bindings.


LSD is causing high CPU usage.


Registered Endpoint Report shows unregistered guest devices.


Profiler should ignore non-positive RADIUS syslog messages while forwarding the messages from the default RADIUS probe.


In Cisco ISE Release 3.1, the error "Illegal hex characters in escape (%) pattern ? For input string: ^F" is displayed.


The Cisco ISE GUI shows HTML hexadecimal code for the characters in the command set.


The "Manage SXP Domain filters" row displays a maximum of 25 only.


Cisco ISE and CVE-2023-24998.


Vulnerabilities in jszip 3.0.0.


Cisco ISE TACACS primary service node crashed during maximum user session authentication flow.


Cisco ISE VMSA-2022-0024 - VMware Tools update addresses a local privilege escalation vulnerability.


Authorization policy evaluation failing due to NullPointerException in


Cisco ISE XML external entity injection vulnerability.


No validation of PBIS registration key configuration on the advance tuning page.


Identity user cannot be created if the user custom attribute includes $ or ++.


Patch install from the Cisco ISE GUI fails.


LSD is causing high bandwidth utilization.


Network Device Port Conditions: IP Addresses or Device Groups don't accept valid port strings.


Cisco ISE BETA certificate is shown as stale certificate and must be cleaned up.


The Guest portal page displays "Error Loading Page" when the reason for the visit field contains special characters.


Cisco ISE Release 3.1 Patch 4 Passive DC configuration is not saving the username correctly.


pxGrid session publishing stops when reintegrating FMC while P-PIC is down.


During upgrade, the deregister call fails to remove all the nodes from the DB.


EAP-TLS authentication with ECDSA certificate fails on Cisco ISE Release 3.1.


In Cisco ISE Release 3.1 Patch 3, SAML SSO does not work if the active policy service node goes down.


SFTP and FTP validation is failing through the CLI when a password with 16 or more characters is configured.


Cisco ISE’s Application Server process is restarting during Dot1X due to buffer length = 0 for eapTLS.


Unable to add many authorization profiles with the active sessions alarm setting.


Node syncup fails to replicate wildcard certificate with the portal role.


Qualys adapter is unable to download the knowledge base: Stuck with the error "knowledge download in progress".


Cisco ISE ERS API doesn't allow for use of minus character in "Network Device Group" name.


Cisco ISE Release 3.1 portal tag has an issue with special character validation.


Cisco ISE Release 3.0 NFS share stuck.


Support for concatenating AD group attributes when they exceed the length of the RADIUS attribute.


The session gets stuck indefinitely until Cisco ISE is restarted.


Cisco ISE Release 3.1 Azure AD autodiscovery for MDM API V3 is incorrect.


In Cisco ISE, the Mexico time zone incorrectly changes to Daylight Saving Time.


Import of SAML metadata fails.


In Cisco ISE Release 3.1, certain key attributes in the SessionCache are missing when a third-party network device profile is in use.


Cisco ISE Release 3.1 displays an error when using the SNMPv3 privacy password.


The command to enable DNSCache in FQDN syslog popup needs correction.


Support for macOS 12.6.


In Cisco ISE Release 3.2, the Data Connect password expiry alarm is consistently visible even when the Data Connect feature is disabled.


All network access devices are deleted while filtering based on NDG location and IP address.


Cisco ISE does not remove SXP mapping when the SGT changes after CoA.


Cisco ISE fails to establish a secure connection when new certificates are imported for the guest portal.


Cisco ISE XML external entity injection vulnerability.


VLAN detection interval should not be more than 30 seconds.


The Replogns table space on the primary administration node increases when there are replication issues in the deployment.


Agentless posture failures cause the TMP folder to increase in size in Cisco ISE Release 3.1 Patch 5.


DB Connections are increasing in longevity and the maximum DB connections are 994 in Cisco ISE Release 3.1 Patch 5.


The reprofiling result is not updated to Oracle/VCS after a feed incremental update.


Cisco ISE ERS API schema for network device group creation.


Cisco ISE SAML Destination attribute is missing for signed authorization requests.


MSAL support is needed for SCCM integration with Cisco ISE as MS is deprecating ADAL.


In Cisco ISE Release 3.1 patch 3, users are unable to import endpoints from .csv file if SAML is used.


Incorrect SLR out of compliance error reported in Cisco ISE.


Unable to save the launch program remediation when the parameter contains a double quote ("").


Cisco DNA Center integration issue due to an increased number of internal CA certificates.


Session directory write failed alarm with Cisco NAD using "user defined" NAD profile.


SyncRequest timeout monitor thread does not terminate the file transfer after timeout during Cisco ISE replication.


Authentication failed due to missing certificate private key.


"The phone number is invalid" error is displayed when trying to import users from .csv file.


Users cannot change the condition operator from AND to OR in posture policy conditions.


Authentication against ROPC identity store fails with RSA key generation error.


Authorization policy failing due to wrong condition evaluation.


Uploading the AnyConnect agent from the Cisco ISE GUI triggered high CPU utilization on the primary administration node and took nearly 7 hours to complete.


Misspelled PassiveID errors seen in logs and reports.


The SAML flow with load balancer is failing due to incorrect token handling on Cisco ISE.


The Adaptive Network Control (ANC) CoA is sent to the NAS IP address instead of the Device IP address.


In Cisco ISE Release 3.1, the previous version of the hotpatch is still visible in the DB.


Cisco ISE Release 3.2 does not support passwords with more than 16 characters for the identity-store configuration command.


Unable to access the system certificates page for the registered node in Cisco ISE Release 3.0 patch 4.


No response received from SNMP server when the "snmp-server host" is configured in Cisco ISE Release 3.2 patch 2.


TLS 1.0/1.1 is accepted in the Cisco ISE Release 3.0 admin portal.


Vulnerable JS library issue found while executing ZAP.


Passive ID agent sending incorrect time format events.


Permission for the collector.log file is set to root automatically.


Unable to download the support bundle of size greater than 1GB from the Cisco ISE GUI.


Cisco ISE nodes intermittently trigger the queue link alarms.


Sysaux tablespace allocation should be done based on the profile of the node.


An NTP authentication key with more than 15 characters is getting the error "% ERROR: Bad hashed key".


Cisco ISE command injection vulnerability.


Layering of drag and drop action in the Conditions Studio.


Removing an IP access list from Cisco ISE destroys the distributed deployment.


Some items are displayed as [Test] in the Japanese Cisco ISE GUI.

Open Caveats in Cisco ISE Release 3.3

The following table lists the open caveats in Release 3.3.

Caveat ID Number



Enabling log analytics on the lower-end 3615/3715 models may cause Cisco ISE to become unresponsive.


Cisco ISE Release 3.3: ML on Cisco ISE: the Cisco ISE cluster cannot connect to the ML cloud if the clock difference is more than 5 minutes.


Cisco ISE Release 3.3: Labelling an ML-proposed rule has issues with special characters and overlapping.


MFC profiler shows "No data" for all the metrics in the Grafana dashboard.


Cisco ISE Release 3.3: MFC_EPType is not shown as Phone for iPhone in the case of Wi-Fi analytics.


"Configuration Missing" warning is seen when browsing to the log analytics page.


Cisco ISE monitoring GUI page is stuck at "Welcome to Grafana".


Cisco ISE Release 3.3 cannot register new nodes to the deployment after upgrade because the node exporter password is not found.

Communications, Services, and Additional Information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure, validated enterprise-class apps, products, solutions, and services, visit Cisco DevNet.

  • To obtain general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.

Cisco Bug Search Tool

Cisco Bug Search Tool (BST) is a gateway to the Cisco bug-tracking system, which maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. The BST provides you with detailed defect information about your products and software.

Documentation Feedback

To provide feedback about Cisco technical documentation, use the feedback form available in the right pane of every online document.