Release Notes for Cisco Identity Services Engine, Release 1.1.x

Release Notes for Cisco Identity Services Engine,
Release 1.1.x
Revised: January 9, 2015, OL-26136-01
These release notes describe the features, limitations and restrictions (caveats), and related information
for Cisco Identity Services Engine (Cisco ISE), Release 1.1.1, 1.1.2, 1.1.3, and 1.1.4. These release notes
supplement the Cisco ISE documentation that is included with the product hardware and software
release.
Cisco Identity Services Engine, Release 1.1.4
Cisco ISE, Release 1.1.4 provides support for the Cisco SNS-3400 Series appliance. In addition to the
hardware support for installation on the SNS-3400 Series appliance, Cisco ISE 1.1.4 supports all the
features in Cisco ISE 1.1.3. You can also install Cisco ISE 1.1.4 on previously supported appliances,
such as ISE-3315-K9, ISE-3355-K9, and ISE-3395-K9.
Cisco Identity Services Engine, Release 1.1.3
Cisco ISE, Release 1.1.3 features critical bug fixes derived from Cisco ISE, Release 1.0.4, 1.1, 1.1.1, and
1.1.2 while rolling patch fixes for Cisco ISE, Release 1.1.1 and 1.1.2 into 1.1.3.
Cisco Identity Services Engine, Release 1.1.2
Cisco ISE, Release 1.1.2 features critical bug fixes derived from Cisco ISE, Release 1.0.4, 1.1, and 1.1.1,
while rolling three patch fixes for Cisco ISE, Release 1.1.1 into 1.1.2.
Cisco Identity Services Engine, Release 1.1.1
Cisco ISE, Release 1.1.1 features a number of important product function enhancements and new
capabilities, as well as critical bug fixes derived from Cisco ISE, Release 1.0.4 and 1.1.
Cisco Systems, Inc.
www.cisco.com
Contents
Contents
•
Introduction, page 3
•
Node Types, Personas, Roles, and Services, page 3
•
Hardware Requirements, page 5
•
FIPS Compliance, page 8
•
Installing Cisco ISE Software, page 8
•
Upgrading Cisco ISE Software, page 14
•
Cisco Secure ACS to Cisco ISE Migration, page 18
•
Cisco ISE License Information, page 18
•
New Features in Cisco ISE, Release 1.1.4, page 18
•
New Features in Cisco ISE, Release 1.1.3, page 18
•
New Features in Cisco ISE, Release 1.1.2, page 18
•
New Features in Cisco ISE, Release 1.1.1, page 19
•
Cisco ISE Install Files, Updates, and Client Resources, page 22
•
Support for Windows 8.1 and Mac OS X 10.9, page 25
•
Cisco ISE, Release 1.1.4 Patch Updates, page 25
•
Cisco ISE, Release 1.1.3 Patch Updates, page 44
•
Cisco ISE, Release 1.1.2 Patch Updates, page 64
•
Cisco ISE, Release 1.1.1 Patch Updates, page 74
•
Cisco ISE Antivirus and Antispyware Support, page 80
•
Cisco ISE Release 1.1.x Open Caveats, page 80
•
Cisco ISE Release 1.1.x Resolved SPW Caveats, page 122
•
Cisco ISE Release 1.1.4 Resolved Caveats, page 123
•
Cisco ISE Release 1.1.3 Resolved Caveats, page 126
•
Cisco ISE Release 1.1.2 Resolved Caveats, page 130
•
Cisco ISE Release 1.1.1 Resolved Caveats, page 132
•
Known Issues, page 133
•
Documentation Updates, page 136
•
Related Documentation, page 139
Release Notes for Cisco Identity Services Engine, Release 1.1.x
2
OL-26136-01
Introduction
Introduction
The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution.
Cisco ISE offers authenticated network access, profiling, posture, guest management, and security group
access services along with monitoring, reporting, and troubleshooting capabilities on a single physical
or virtual appliance. Cisco ISE ships on a range of physical appliances with different performance
characterization and also allows the addition of more appliances to a deployment for performance, scale,
and resiliency. Cisco ISE has a highly available and scalable architecture that supports standalone and
distributed deployments, but with centralized configuration and management. Cisco ISE also allows for
configuration and management of distinct Cisco ISE personas and services. This feature gives you the
ability to create and apply Cisco ISE services where they are needed in the network, but still operate the
Cisco ISE deployment as a complete and coordinated system.
Node Types, Personas, Roles, and Services
Cisco ISE provides a highly available and scalable architecture that supports both standalone and
distributed deployments. In a distributed environment, you configure one primary Administration node
and the rest are secondary nodes. The topics in this section provide information about Cisco ISE
terminology, supported node types, distributed deployment, and the basic architecture.
Cisco ISE Deployment Terminology
Table 1 describes some of the common terms used in Cisco ISE deployment scenarios.
Table 1
Cisco Cisco ISE Deployment Terminology
Term
Description
Service
A service is a specific feature that a persona provides such as network access, profiler,
posture, security group access, and monitoring.
Node
A node is an individual instance that runs the Cisco ISE software. Cisco ISE is
available as an appliance and also as a software that can be run on a VMware server.
Each instance (either running on a Cisco ISE appliance or on a VMware server) that
runs the Cisco ISE software is called a node.
Node type
A node can be of two types: ISE node and Inline Posture node. The node type and
persona determine the type of functionality provided by that node.
Persona
The persona or personas of a node determine the services provided by a node. A Cisco
ISE node can assume any or all of the following personas: Administration, Policy
Service, and Monitoring.
Role
Determines if a node is a standalone, primary, or secondary node. Applies only to
Administration and Monitoring nodes.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
3
Node Types, Personas, Roles, and Services
Types of Nodes and Personas
A Cisco ISE network has only two types of nodes:
•
Cisco ISE node—An ISE node could assume any of the following three personas:
– Administration—Allows you to perform all administrative operations on Cisco ISE. It handles
all system-related configuration and configurations related to functionality such as
authentication, authorization, auditing, and so on. In a distributed environment, you can have
only one or a maximum of two nodes running the Administration persona. The Administration
persona can take on any one of the following roles: standalone, primary, or secondary. If the
primary Administration node goes down, you have to manually promote the secondary
Administration node. There is no automatic failover for the Administration persona.
– Policy Service—Provides network access, posture, guest access, and profiling services. This
persona evaluates the policies and makes all the decisions. You can have more than one node
assuming this persona. Typically, there would be more than one Policy Service persona in a
distributed deployment. All Policy Service personas that reside behind a load balancer share a
common multicast address and can be grouped together to form a node group. If one of the
nodes in a node group fails, the other nodes in that group process the requests of the node that
has failed, thereby providing high availability.
Note
At least one node in your distributed setup should assume the Policy Service persona.
– Monitoring—Enables Cisco ISE to function as the log collector and store log messages from all
the Administration and Policy Service personas on the ISE nodes in your network. This persona
provides advanced monitoring and troubleshooting tools that you can use to effectively manage
your network and resources.
A node with this persona aggregates and correlates the data that it collects to provide you with
meaningful information in the form of reports. Cisco ISE allows you to have a maximum of two
nodes with this persona that can take on primary or secondary roles for high availability. Both the
primary and secondary Monitoring personas collect log messages. In case the primary Monitoring
persona goes down, the secondary Monitoring persona automatically assumes the role of the primary
Monitoring persona.
Note
•
Note
At least one node in your distributed setup should assume the Monitoring persona. It is
recommended that the Monitoring persona be on a separate, designated node for higher
performance in terms of data collection and report launching.
Inline Posture node—A gatekeeping node that is positioned behind network access devices such as
wireless LAN controllers (WLCs) and virtual private network (VPN) concentrators on the network.
Inline Posture enforces access policies after a user has been authenticated and granted access, and
handles Change of Authorization (CoA) requests that a WLC or VPN are unable to accommodate.
Cisco ISE allows up to 10,000 Inline Posture Nodes in a deployment. You can pair two Inline
Posture nodes together for high availability as a failover pair.
An Inline Posture node is dedicated solely to that service, and cannot operate concurrently with
other ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node
cannot assume any persona. Inline Posture nodes are not supported on VMware server systems.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
4
OL-26136-01
Hardware Requirements
Note
Each ISE node in a deployment can assume more than one of the three personas (Administration, Policy
Service, or Monitoring) at a time. By contrast, each Inline Posture node operates only in a dedicated
gatekeeping role.
The following table lists the recommended minimum and maximum number of nodes/personas in a
distributed deployment:
Table 2
Deployment Nodes/Personas
Node / Persona
Minimum Number
in a Deployment
Maximum Number in a Deployment
Admin
1
2 (Configured as an HA pair)
Monitor
1
2 (Configured as an HA pair)
Policy Service
1
Inline Posture
0
•
2 — when all personas (Admin/Monitor/Policy
Service) are on same appliance
•
5 — when Admin and Monitor personas are on same
appliance
•
40 — when each persona is on a dedicated appliance
10k for maximum NADs per deployment
•
One primary Administration node and one secondary Administration node
•
One primary Monitoring node, with an optional secondary node
•
One or more Policy Service nodes
•
One primary Inline Posture node, with an optional secondary node
You can change the persona of a node. See the “Setting Up ISE in a Distributed Environment” chapter
of the Cisco Identity Services Engine User Guide, Release 1.1.x for information on how to configure
these personas on Cisco ISE nodes.
Hardware Requirements
This section describes the following topics:
Note
•
Supported Hardware, page 6
•
Supported Virtual Environments, page 8
•
Supported Devices, Browsers, and Agents, page 8
•
Supported Microsoft Active Directory, page 8
For more details on Cisco ISE hardware platforms and installation, see the Cisco Identity Services
Engine Hardware Installation Guide, Release 1.1.x.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
5
Hardware Requirements
Supported Hardware
Cisco ISE software is packaged with your appliance or image for installation. After installation, you can
configure Cisco ISE as any of the specified component personas (Administration, Policy Service, and
Monitoring) or as an Inline Posture node on the platforms that are listed in Table 3.
Table 3
Supported Hardware and Personas
Hardware Platform
Persona
Cisco ISE-3315-K9
(small)
Any
Cisco ISE-3355-K9
(medium)
Cisco ISE-3395-K9
(large)
Cisco SNS-3415-K9
Cisco SNS-3495-K9
Configuration
•
1x Xeon 2.66 GHz quad-core processor
•
4 GB RAM
•
2 x 250 GB SATA1 HDD2
•
4x 1 GB NIC3
•
1x Nehalem 2.0 GHz quad-core processor
•
4 GB RAM
•
2 x 300 GB 2.5 in. SATA HDD
•
RAID4 (disabled)
•
4x 1 GB NIC
•
Redundant AC power
•
2x Nehalem 2.0 GHz quad-core processor
•
4 GB RAM
•
4 x 300 GB 2.5 in. SAS II HDD
•
RAID 1
•
4x 1 GB NIC
•
Redundant AC power
Any
•
Cisco UCS C220 M3
Inline Posture is not
supported
•
Single socket Intel E5-2609 2.4Ghz CPU, 4 total
cores, 4 total threads
•
16-GB RAM
•
1 x 600-GB disk
•
No RAID
•
4 GE network interfaces
•
Cisco UCS C220 M3
•
Dual socket Intel E5-2609 2.4Ghz CPU, 8 total
cores, 8 total threads
•
32-GB RAM
•
2 x 600-GB disk
•
RAID 0+1
•
4 GE network interfaces
Any
Any
Stand-alone
Administration,
Monitoring, and
Policy Service
Inline Posture is not
supported
Release Notes for Cisco Identity Services Engine, Release 1.1.x
6
OL-26136-01
Hardware Requirements
Table 3
Supported Hardware and Personas (continued)
Hardware Platform
Persona
Configuration
Cisco ISE-VM-K9
(VMware)
Stand-alone
Administration,
Monitoring, and
Policy Service (no
Inline Posture)
•
CPU—Intel Dual-Core; 2.13 GHz or faster
•
Memory—4 GB RAM5
•
Hard Disks (minimum allocated memory):
– Stand-alone—600 GB
– Administration—200 GB
– Policy Service and Monitoring—600 GB
– Monitoring—500 GB
– Policy Service—100 GB
Note
For an evaluation and demo purposes, the
minimum required disk space is 60 GB to
support 100 endpoints. Cisco does not
recommend allocating any more than 600 GB
maximum space for any node.
•
NIC—1 GB NIC interface required (you can install
up to 4 NICs)
•
Supported VMware versions include:
– ESX 4.x
– ESXi 4.x
– ESXi 5.x
1. SATA = Serial Advanced Technology Attachment
2. HDD = hard disk drive
3. NIC = network interface card
4. RAID = redundant array of independent disks
5. Memory allocation of less than 4GB is not supported for any VMware appliance configuration. In the event of a Cisco ISE
behavior issue, all users will be required to change allocated memory to at least 4GB prior to opening a case with the Cisco
Technical Assistance Center.
If you are moving from Cisco Secure Access Control System (ACS) or Cisco NAC Appliance to Cisco
ISE, the Cisco Secure ACS 1121 and Cisco NAC 3315 appliances support small deployments, Cisco
NAC 3355 appliances support medium deployments, and Cisco NAC 3395 appliances support large
deployments.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
7
FIPS Compliance
Supported Virtual Environments
Cisco ISE supports the following virtual environment platforms:
•
VMware ESX 4.x
•
VMware ESXi 4.x
•
VMware ESXi 5.x
Supported Devices, Browsers, and Agents
Refer to Cisco Identity Services Engine Network Component Compatibility, Release 1.1.x for
information on supported devices, browsers, and agents.
Supported Microsoft Active Directory
Cisco ISE, Release 1.1.0 to 1.1.2 is tested with Microsoft Active Directory servers 2003, 2003 R2, 2008,
and 2008 R2 at all functional levels. Cisco ISE, Release 1.1.3 is tested with Microsoft Active Directory
server 2012 at all functional levels. Microsoft Active Directory version 2000 or its functional level is not
supported by Cisco ISE.
FIPS Compliance
Product Cisco Identity Services Engine, Release 1.1.x uses embedded FIPS 140-2 validated
cryptographic modules Cisco Common Cryptographic Module (Certificate #1643) and Network Security
Services (NSS) Cryptographic Module (Certificate #1497) running on a Cisco ADE-OS platform. For
details of the FIPS compliance claims, read the compliance letter for Cisco Identity Services Engine
(ISE) 1.1 listed under Current Certifications at the following URL:
http://wwwin.cisco.com/osp/gov/ggsg_eng/gct/fips.shtml.
Installing Cisco ISE Software
The following steps summarize how to install new Cisco ISE Release 1.1.x DVD software on supported
hardware platforms (see Supported Hardware, page 6 for support details).
With Cisco ISE Release 1.1.x, installation occurs in two phases:
1.
The software is installed using the following options:
•
For the Cisco ISE 3300 Series appliance, the software is installed from the DVD. When the
installation completes, the DVD is ejected from the appliance.
•
For the Cisco ISE 3400 Series appliance (SNS 3415 or 3495 Hardware), the software is installed
using CIMC or by creating a bootable USB drive to begin the installation process.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
8
OL-26136-01
Installing Cisco ISE Software
Note
2.
For more information on using CIMC, refer to the following section in the ISE 1.1.4
Installation Guide:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_ins.html#wp11
36661. Also, see Configuring CIMC, page 11. For more information on the USB boot
option, see Creating a Bootable USB Drive, page 14.
The administrator logs in and performs the initial configuration.
You can re-image a Cisco SNS-3400 series appliance over the Cisco Integrated Management Controller
Interface (CIMC) or with a USB key installation. You can download the
ISE_114_USB_Installation_tools.zip file from the Cisco download page, unzip the file, and follow the
instructions in the README.txt that is included with the zip file to create a bootable USB key.
The following sections describe how to configure CIMS and the process of creating a bootable USB key:
•
Configuring CIMC, page 11
•
Creating a Bootable USB Drive, page 14
For more information on the Installation of ISE 3400 Series hardware, refer to the following sections in
the ISE 1.1.4 Installation Guide:
Note
•
http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_b-hw_ins_3400.html
•
http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_ins.html#wp1136661
When using virtual machines (VMs), Cisco recommends that the guest VM have the correct time set
using an NTP server before installing the .ISO image on the VMs.
Step 1
Log into Cisco Download Software at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm.
You might be required to provide your Cisco.com login credentials.
Step 2
Navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity
Services Engine Software.
Step 3
Download the appropriate Cisco ISE .ISO image (for example. ise-1.1.1.268.i386.iso) and burn the
image as a bootable disk to a DVD-R.
Step 4
Insert the bootable device.
Step 5
•
For the Cisco ISE 3300 Series appliance, insert the DVD into the DVD-R drive of each
appliance, and reboot the appliance to initiate the Cisco ISE DVD installation process.
•
For the Cisco ISE 3400 Series appliance, use the USB boot option to initiate the Cisco ISE
installation process. For more information on the USB boot option, see Creating a Bootable
USB Drive, page 14. For more information on CIMC, see Configuring CIMC, page 11.
(If necessary) Install a valid FlexLM product license file and perform Cisco ISE initial configuration
according to the instructions in the Cisco Identity Services Engine Hardware Installation Guide, Release
1.1.x. Before you run the setup program, ensure that you know the configuration parameters listed in
Table 4.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
9
Installing Cisco ISE Software
Table 4
Identity Services Engine Network Configuration Parameters for Setup
Prompt
Description
Example
Hostname
Must not exceed 19 characters. Valid characters include upper- and
lower-case alphanumeric characters (A-Z, a-z, 0-9) with the
requirement that the first character must be an alphabetic character.
isenode1
(eth0) Ethernet
interface address
Must be a valid IPv4 address for the eth0 Ethernet interface.
10.12.13.14
Netmask
Must be a valid IPv4 address for the netmask.
255.255.255.0
Default gateway
Must be a valid IPv4 address for the default gateway.
10.12.13.1
DNS domain name Cannot be an IP address. Valid characters include ASCII characters, mycompany.com
any numbers, hyphen (-), and period (.).
Primary name
server
Must be a valid IPv4 address for the primary Name server.
10.15.20.25
Add/Edit another
name server
Must be a valid IPv4 address for an additional Name server.
(Optional) Allows you to
configure multiple Name
servers. To do so, enter y to
continue.
Primary NTP
server
Must be a valid NTP server in a domain reachable from Cisco ISE.1
clock.nist.gov
Add/Edit another
NTP server
Must be a valid NTP server in a domain reachable from Cisco ISE.1
(Optional) Allows you to
configure multiple NTP servers.
To do so, enter y to continue.
System Time Zone Must be a valid time zone. Refer to the Cisco Identity Services Engine PST
CLI Reference Guide, Release 1.1.x for a table of time zones that
Cisco ISE supports. The default value is UTC.2
Note
The table lists the frequently used time zones. You can run the
show timezone command from the Cisco ISE CLI for a
complete list of supported time zones.
Username
admin (default)
Identifies the administrative username used for CLI access to the
Cisco ISE system. If you choose not to use the default, you must
create a new username, which must be from 3 to 8 characters in
length, and be composed of valid alphanumeric characters (A-Z, a-z,
or 0-9).
Password
MyIseYP@@ss
Identifies the administrative password used for CLI access to the
Cisco ISE system. You must create this password (there is no default).
The password must be a minimum of six characters in length and
include at least one lowercase letter (a-z), at least one uppercase letter
(A-Z), and at least one number (0-9).
Release Notes for Cisco Identity Services Engine, Release 1.1.x
10
OL-26136-01
Installing Cisco ISE Software
Table 4
Identity Services Engine Network Configuration Parameters for Setup (continued)
Prompt
Description
Database
Administrator
Password
Identifies the Cisco ISE database system-level password. You must ISE4adbp@ss
create this password (there is no default). The password must be a
minimum of 11 characters in length and include at least one
lowercase letter (a-z), at least one uppercase letter (A-Z), and at least
one number (0-9).
Note
Database User
Password
Example
Once you configure this password, Cisco ISE uses it
“internally.” That is, you do not have to enter it when logging
into the system at all.
Identifies the Cisco ISE database access-level password. You must
ISE5udbp@ss
create this password (there is no default). The password must be a
minimum of 11 characters in length and include at least one
lowercase letter (a-z), at least one uppercase letter (A-Z), and at least
one number (0-9).
Note
Once you configure this password, Cisco ISE uses it
“internally.” That is, you do not have to enter it when logging
into the system at all.
1. Changing the NTP server specification after Cisco ISE installation will likely affect the entire deployment.
2. Changing the time zone specification after Cisco ISE installation will likely affect the entire deployment.
Note
For additional information on configuring and managing Cisco ISE, use the list of documents in
Release-Specific Documents, page 139 to access other documents in the Cisco ISE documentation suite.
Configuring CIMC
You can perform all operations on the Cisco ISE 3400 series appliances through the CIMC. To do this,
you must first configure an IP address and IP gateway to access the CIMC from a web-based browser.
Step 1
Plug in the power cord.
Step 2
Press the Power button to boot the server. Watch for the prompt to press F8 as shown in TBD.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
11
Installing Cisco ISE Software
Step 3
During boot up, press F8 when prompted to open the BIOS CIMC Configuration Utility. The following
screen appears.
Step 4
Set the NIC mode to your choice for which ports to use to access the CIMC for server management (see
Figure 1-3 on page 1-3 for identification of the ports):
– Dedicated—The 1-Gb Ethernet management port is used to access the CIMC. You must select
NIC redundancy None and select IP settings.
– Shared LOM (default)—The two 1-Gb Ethernet ports are used to access the CIMC. This is the
factory default setting, along with Active-active NIC redundancy and DHCP enabled.
– Cisco Card—The ports on an installed Cisco UCS P81E VIC are used to access the CIMC. You
must select a NIC redundancy and IP setting.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
12
OL-26136-01
Installing Cisco ISE Software
Note
Step 5
The Cisco Card NIC mode is currently supported only with a Cisco UCS P81E VIC
(N2XX-ACPCI01) that is installed in PCIe slot 1. Refer to the following section in the Cisco
UCS C220 Server Installation and Service Guide: Special Considerations for Cisco UCS Virtual
Interface Cards.
Use this utility to change the NIC redundancy to your preference. This server has three possible NIC
redundancy settings:
– None—The Ethernet ports operate independently and do not fail over if there is a problem.
– Active-standby—If an active Ethernet port fails, traffic fails over to a standby port.
– Active-active—All Ethernet ports are utilized simultaneously.
Step 6
Choose whether to enable DHCP for dynamic network settings, or to enter static network settings.
Note
Step 7
Optional: Use this utility to make VLAN settings, and to set a default CIMC user password.
Note
Step 8
Before you enable DHCP, your DHCP server must be preconfigured with the range of MAC
addresses for this server. The MAC address is printed on a label on the rear of the server. This
server has a range of six MAC addresses assigned to the CIMC. The MAC address printed on
the label is the beginning of the range of six contiguous MAC addresses.
Changes to the settings take effect after approximately 45 seconds. Refresh with F5 and wait
until the new settings appear before you reboot the server in the next step.
Press F10 to save your settings and reboot the server.
Note
If you chose to enable DHCP, the dynamically assigned IP and MAC addresses are displayed on
the console screen during boot up.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
13
Upgrading Cisco ISE Software
Creating a Bootable USB Drive
The Cisco ISE 1.1.4 ISO image contains an “images” directory that has a Readme file and a script to
create a bootable USB to install Cisco ISE 1.1.4.
Before You Begin
•
Ensure that you have read the Readme in the “images” directory
•
You need the following:
– Linux machine with RHEL-5 or above, CentOS 5.x or above. If you are going to use your PC
or MAC, ensure that you have installed a Linux VM on it.
– An 8-GB USB drive
– The iso-to-usb.sh script
Step 1
Plug in your USB drive into the USB port.
Step 2
Copy the iso-to-usb.sh script and the Cisco ISE 1.1.4 ISO image to a directory on your linux machine.
Step 3
Enter the following command:
iso-to-usb.sh source_iso usb_device
For example, # ./iso-to-usb.sh ise-1.1.4.218.i386.iso /dev/sdb where iso-to-usb.sh is the name of the
script, ise-1.1.4.218.i386.iso is the name of the ISO image, and /dev/sdb is your USB device.
Step 4
A screen appears prompting you to specify the type of appliance (Cisco SNS 3415 or Cisco SNS 3495)
that you want to install.
Step 5
Enter a value corresponding to your appliance type to create a bootable USB drive.
Step 6
Enter Y to continue.
Step 7
A success message appears.
Step 8
Unplug your USB drive.
Upgrading Cisco ISE Software
If you installed Cisco Identity Services Engine Release 1.0 or Cisco Identity Services Engine
Maintenance Release 2 (MR2) previously and are planning to upgrade to the latest Cisco ISE release,
review the open caveats in this section before following the upgrade instructions in the “Upgrading Cisco
ISE” chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x.
Note
When you upgrade to Cisco ISE, Release 1.1.x, you may be required to open some network ports you
may not have been using in previous releases of Cisco ISE. Ensure you consult the table of required ports
to open in Cisco ISE in the “Cisco ISE 3300 Series Appliance Ports Reference” appendix of the Cisco
Identity Services Engine Hardware Installation Guide, Release 1.1.x.
This section covers the following upgrade issues:
•
Upgrade from Cisco ISE, Release 1.1.3 to release 1.1.4, page 15
•
Upgrade from Cisco ISE, Release 1.1.2 to release 1.1.3, page 15
Release Notes for Cisco Identity Services Engine, Release 1.1.x
14
OL-26136-01
Upgrading Cisco ISE Software
•
Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.3, page 15
•
Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.2, page 15
•
Upgrade from Cisco ISE, Release 1.1 to release 1.1.1, page 16
•
Upgrade from Cisco ISE, Release 1.0.4 to 1.1.1 with Inline Posture, page 16
•
Upgrade from Cisco ISE, Release 1.0.3.377, page 17
Upgrade from Cisco ISE, Release 1.1.3 to release 1.1.4
Prerequisite
Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization
profile. For more details, refer to CSCub17140, page 111.
You can upgrade from Cisco ISE, Release 1.1.3 to release 1.1.4 normally, as described in the upgrade
instructions in the Cisco Identity Services Engine Upgrade Guide, Release 1.1.x.
Upgrade from Cisco ISE, Release 1.1.2 to release 1.1.3
Prerequisite
Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization
profile. For more details, refer to CSCub17140, page 111.
You can upgrade from Cisco ISE, Release 1.1.2 to release 1.1.3 normally, as described in the upgrade
instructions in the Cisco Identity Services Engine Upgrade Guide, Release 1.1.x.
Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.3
Prerequisite
Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization
profile. For more details, refer to CSCub17140, page 111.
Before you can upgrade to Cisco ISE, Release 1.1.3, you must first be sure you have upgraded your
machine to Cisco ISE, Release 1.1.1 with patch 3 applied. For specific instructions on performing the
upgrade procedure, see the Cisco Identity Services Engine Upgrade Guide, Release 1.1.x.
Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.2
Prerequisite
Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization
profile. For more details, refer to CSCub17140, page 111.
Before you can upgrade to Cisco ISE, Release 1.1.2, you must first be sure you have upgraded your
machine to Cisco ISE, Release 1.1.1 with patch 3 applied. For specific instructions on performing the
upgrade procedure, see the Cisco Identity Services Engine Upgrade Guide, Release 1.1.x.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
15
Upgrading Cisco ISE Software
Upgrade from Cisco ISE, Release 1.1 to release 1.1.1
Prerequisite
Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization
profile. For more details, refer to CSCub17140, page 111.
Before you can upgrade to Cisco ISE, Release 1.1.1 from Release 1.1, you must first be sure you have
applied Cisco Identity Services Engine Cumulative Patch 3 to your Release 1.1 machine(s). For
information on obtaining Cisco ISE, Release 1.1 patch 3, see the Release Notes for the Cisco Identity
Services Engine, Release 1.1. For specific instructions on performing the upgrade procedure, see the
Cisco Identity Services Engine Upgrade Guide, Release 1.1.x.
Upgrade from Cisco ISE, Release 1.0.4 to 1.1.1 with Inline Posture
In Cisco ISE 1.1.1, the Inline Posture node uses certificate based authentication and cannot connect to
the Administrative ISE node. Therefore you are required to disconnect the Inline Posture node from the
deployment prior to starting the upgrade procedure, then reconfigure the Inline Posture node after the
upgrade. To do so, follow the procedure outlined in this section.
Warning
You must have the proper certificates in place for your Inline Posture deployment to mutually
authenticate.
Prerequisite
Record all the configuration data for your Inline Posture node before you de-register the node.
Alternatively, you can save screenshots of each of the Inline Posture tabs (in the Admin user interface)
to record the data. Having this data on hand speeds up the process of re-registering the Inline Posture
node to complete the following task.
To upgrade to Cisco ISE 1.1.1 with Inline Posture, complete the following steps:
Step 1
From the Cisco Administration ISE node, de-register the Cisco Inline Posture node.
Note
You can verify that the Inline Posture node has returned to ISE node status by going to the CLI
and entering the following command: show application status ise If you discover that the node
has not reverted to an ISE node, then you can enter the following at the command prompt: pep
switch outof-pep However, it is recommended that you only do this as a last resort.
Step 2
Upgrade the Cisco Administration ISE node to 1.1.1, as described in the Cisco Identity Services Engine
Hardware Installation Guide, Release 1.1.x.
Step 3
Import CA root certificate, make CSR, create certificates on the Administration ISE node.
Note
Step 4
Certificates must have extended key usage for both client authentication and server
authentication. For an example of this type of extended key usage, see the Microsoft CA
Computer template.
Perform a fresh installation of ISE 1.1.1 on the ISE node (that was the former Inline Posture node), as
described in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
16
OL-26136-01
Upgrading Cisco ISE Software
Step 5
Import CA root certificate, make CSR, create certificates on the ISE node (that was the former Inline
Posture node), now in standalone mode.
Note
Certificates must have extended key usage; client authentication and server authentication. For
example, select the computer template from Microsoft CA.
Step 6
Register the newly upgraded ISE Node as an Inline Posture node.
Step 7
Reconfigure the Cisco Inline Posture node.
Upgrade from Cisco ISE, Release 1.0.3.377
Prerequisite
Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization
profile. For more details, refer to CSCub17140, page 111.
There is a known issue regarding default “admin” administrator user interface access following upgrade
from Cisco Identity Services Engine Release version 1.0.3.377. This issue can affect Cisco ISE
customers who have not changed their default “admin” account password for administrator user interface
login since first installing Cisco Identity Services Engine Release 1.0.3.377.
Upon upgrading, administrators can be “locked out” of the Cisco ISE administrator user interface when
logging in via the default “admin” account where the password has not yet been updated from the
original default value.
To avoid this issue, Cisco recommends you do one or more of the following:
Note
1.
Verify they have changed password per the instructions in the “Managing Identities” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x prior to upgrade.
2.
Disable or modify the password lifetime setting in the Administration > System > Admin Access
> Password Policy page of the administrator user interface prior to upgrade to ensure the upgraded
policy behavior does not impact the default “admin” account.
3.
Enable password lifetime setting reminders in the Administration > System > Admin Access >
Password Policy page to alert admin users of imminent expiry. Administrators should change the
password when notified.
Although the above conditions apply to all administrator accounts, the change in behavior from Cisco
ISE version 1.0.3.377 only impacts the default “admin” account.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
17
Cisco Secure ACS to Cisco ISE Migration
Cisco Secure ACS to Cisco ISE Migration
Complete instructions for moving your Cisco Secure ACS 5.1 or 5.2 database to Cisco ISE, Release 1.1.x
are covered in the Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2,
Release 1.1.x.
Note
You must upgrade your Cisco Secure ACS deployment to Release 5.1 or 5.2 before you attempt to
perform the migration process to Cisco Identity Services Engine.
After you have moved your Cisco Secure ACS 5.1 or 5.2 database over, you will notice some differences
in existing data types and elements as they appear in the new Cisco ISE environment. Microsoft
Windows Internet Explorer (IE8 and IE7) browsers are not currently supported in this release.
Cisco ISE License Information
For detailed information on license types and obtaining licenses for Cisco ISE, see “Performing
Post-Installation Tasks” chapter of the Cisco Identity Services Engine Hardware Installation Guide,
Release 1.1.x.
New Features in Cisco ISE, Release 1.1.4
Cisco ISE, Release 1.1.4 provides support for the Cisco SNS 3400 Series appliance. For details on the
installing and configuring the Cisco SNS 3400 Series appliance, refer to the ISE 1.1.4 Installation Guide
at the following location:
•
http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_install_guide.html
New Features in Cisco ISE, Release 1.1.3
Cisco ISE, Release 1.1.3 features critical bug fixes derived from Cisco ISE, Release 1.0.4, 1.1, 1.1.1, and
1.1.2 while rolling patch fixes for Cisco ISE, Release 1.1.1 and 1.1.2 into 1.1.3.
New Features in Cisco ISE, Release 1.1.2
Cisco ISE, Release 1.1.2 offers the following features and services:
•
Global Setting for Endpoint Attribute Filter, page 18
Global Setting for Endpoint Attribute Filter
In Cisco ISE, Release 1.1.2, you can globally configure endpoint attribute filtering to help Cisco ISE
reduce the amount of profiling traffic replicated in the local database. This enhancement introduces a
new function called a “whitelist,” which drops any attributes that are not present in the whitelist to ensure
Cisco ISE database replication takes place as efficiently as possible. The whitelist is a dynamic list of
attributes based on the attribute(s) you use in your profiling policies. When profiling is enabled, the
Release Notes for Cisco Identity Services Engine, Release 1.1.x
18
OL-26136-01
New Features in Cisco ISE, Release 1.1.1
Policy Service nodes in your deployment collect information from various probes and send it to the
Administration ISE node. The Administration ISE node then stores and replicates this information.
Earlier releases of Cisco ISE do not feature any control over which attributes can be saved, and as a
result, would collect a significant amount of unnecessary information.
New Features in Cisco ISE, Release 1.1.1
Cisco ISE, Release 1.1.1 offers the following features and services:
•
New Default Authorization Profile (“Blacklist”), page 19
•
Dictionary Attribute-to-Attribute Authorization Policy Configuration, page 19
•
New Device Registration Task Navigator, page 20
•
Native Supplicant Provisioning Profile Configuration Page, page 20
•
Enhanced Client Provisioning Policy Configuration, page 20
•
SCEP Authority Profile Configuration Page, page 20
•
RADIUS Proxy Attribute, page 20
•
EAP Chaining, page 21
•
EAP-TLS as an Inner Method for EAP-FAST, page 21
•
Device Registration Portal, page 21
•
New Reports in Cisco ISE, Release 1.1.1, page 21
•
Change of Authorization, page 21
•
Creating Activated Guests, page 22
For more information on key features of Cisco ISE, see the “Overview of Cisco ISE” chapter in the Cisco
Identity Services Engine User Guide, Release 1.1.x.
New Default Authorization Profile (“Blacklist”)
The Cisco ISE administrator can now “blacklist” wireless user devices that get “lost,” or otherwise
become unusable or are taken out of circulation, until the device is reinstated or is completely removed
from the network. Cisco ISE removes “blacklisted” devices from the network, and they are not allowed
on the network again until the device is reinstated. In order to set up the authorization policy in Cisco
ISE, you also must ensure you add a compatible dynamic ACL on any associated network access devices
in your deployment to manage these wireless users.
This new default authorization profile is available in the Policy > Authorization Policy page of the
Cisco ISE administrator user interface.
Dictionary Attribute-to-Attribute Authorization Policy Configuration
In Cisco ISE, Release 1.1.1, you now have the option, when constructing policy conditions in an
authorization policy, to specify another dictionary attribute to which you can associate the source
attribute during policy configuration. Traditionally, you could only specify a text entry following the
requisite operators when setting conditions in authorization policies.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
19
New Features in Cisco ISE, Release 1.1.1
This enhancement affects the Policy > Authorization Policy page of the Cisco ISE administrator user
interface.
New Device Registration Task Navigator
The Device Registration Task Navigator in Cisco ISE, Release 1.1.1 provides a visual path through the
various Cisco ISE administration and configuration processes that are necessary to enable administrators
to set up Cisco ISE to provide multiple, configurable device support for end users. (As with previous
Task Navigator implementation, the linear presentation of the Task Navigator outlines the order in which
the tasks should be completed, while also providing direct links to the pages that are needed to perform
the tasks.)
Native Supplicant Provisioning Profile Configuration Page
In Cisco ISE, Release 1.1.1, you can now configure native supplicant profiles for client provisioning, in
addition to the existing “ISE Posture Agent Profiles” that are currently available in Cisco ISE, Releases
1.0.4 and 1.1. This profile type allows you to specify settings for user registration via personal devices
like iPhones, iPads, and Android devices.
Enhanced Client Provisioning Policy Configuration
In Cisco ISE, Release 1.1.1, you can now create or edit client provisioning policies to allow for expanded
personal device support, including iPhones, iPads, and Android devices. For specific personal device
support, you can configure the policy to upload the appropriate configuration wizard that is necessary to
enable the personal device to negotiate and register with Cisco ISE.
SCEP Authority Profile Configuration Page
To support enhanced personal device registration functions, Cisco ISE Release 1.1.1 enables you to
configure one or more Simple Certificate Enrollment Protocol (SCEP) authority profiles. Cisco ISE
verifies and maintains connectivity with the SCEP authority servers that you specify, and it even
performs load balancing among multiple servers to ensure optimal connectivity for users when they
access the network using their personal devices.
RADIUS Proxy Attribute
The RADIUS proxy attribute in Cisco ISE, Release 1.1.1 is used to enhance the RADIUS sequence flows
and processing. When the “Access-Accept” packet is received from an external RADIUS server, Cisco
ISE continues to the configured authorization policy for further decision-making that is based on
additional attributes and groups that are queried from Active Directory and LDAP.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
20
OL-26136-01
New Features in Cisco ISE, Release 1.1.1
EAP Chaining
In Cisco ISE, Release 1.1.1, Extensible Authentication Protocol (EAP) chaining solution allows you to
authenticate both the machine and user in the same EAP-FAST authentication in a configurable order.
When an EAP-FAST authentication result is determined, Cisco ISE allows you to apply an authorization
policy, depending on the result of both authentications. When EAP chaining is turned off, Cisco ISE
performs the usual EAP-FAST authentication.
EAP-TLS as an Inner Method for EAP-FAST
This feature in Cisco ISE, Release 1.1.1 allows you to use the Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS) protocol as an inner method for the EAP-FAST protocol.
The implementation is the same as using EAP-TLS as the inner method for Protected Extensible
Authentication Protocol (PEAP).
Device Registration Portal
The device registration portal is a standalone portal that can be completely customized to suit your
organization. A network access user who is configured as an employee in an organization can access the
portal which allows the user to bring personal devices into an enterprise network. This is done through
an employee authentication and device registration process. Employees can manage their devices to add,
edit, reinstate, and delete their devices through this portal. Cisco ISE adds these devices to the endpoints
database and profiles them like any other endpoint. Cisco ISE administrators can manage the registered
endpoints from the administrator user interface, by using the identities list and reports.
A default authorization policy exists in Cisco ISE that does not allow devices to access an enterprise
network when they are marked “lost” in the device registration portal, and identified as blacklisted in an
endpoint identity group. An employee can also reinstate a blacklisted device in the device registration
portal, and register again to access the network.
New Reports in Cisco ISE, Release 1.1.1
Cisco ISE, Release 1.1.1 offers the following new reports:
•
Supplicant Provisioning Report—This report provides information about a list of endpoints that are
registered through the Asset Registration Portal (ARP) for a specific period of time.
•
Registered Endpoint Report—This report provides information about a list of endpoints that are
registered through the Asset Registration Portal (ARP) by a specific user for a selected period of
time.
Change of Authorization
Cisco ISE triggers a CoA when an endpoint is added or removed from an endpoint identity group that is
used by an authorization policy. A CoA is also triggered when an endpoint identity group assignment
changes due to either dynamic profiling or a static assignment.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
21
Cisco ISE Install Files, Updates, and Client Resources
Creating Activated Guests
Sponsor user can create activated guests by assigning them to the ActivatedGuest identity group. This is
a default identity group in Cisco ISE 1.1.1. Sponsor user should belong to a sponsor group that allows
for assigning of guests to ActivatedGuest identity group.
Cisco ISE Install Files, Updates, and Client Resources
There are three resources you can use to download installation packages, update packages, and other
client resources necessary to provision and provide policy service in Cisco ISE:
•
Cisco ISE Downloads from the Cisco Download Software Center, page 22
•
Cisco ISE Live Updates, page 23
•
Cisco ISE Offline Updates, page 23
Cisco ISE Downloads from the Cisco Download Software Center
In addition to the .ISO installation package required to perform a fresh installation of Cisco ISE as
described in Installing Cisco ISE Software, page 8, you can use the same software download location to
retrieve other vital Cisco ISE software elements, like Windows and Mac OS X agent installers and
AV/AS compliance modules.
Use this portal to get your first software packages prior to configuring your Cisco ISE deployment.
Downloaded agent files may be used for manual installation on a supported endpoint or used with
third-party software distribution packages for mass deployment.
To access the Cisco Download Software Center and download the necessary software from Cisco:
Step 1
Log into Cisco Download Software at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm.
You might be required to provide your Cisco.com login credentials.
Step 2
Navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity
Services Engine Software.
Choose from the following Cisco ISE installers and software packages available for download:
Step 3
•
Cisco ISE installer .ISO image
•
Windows client machine agent installation files (including MST and MSI versions for manual
provisioning)
•
Mac OS X client machine agent installation files
•
AV/AS compliance modules
Click Download Now or Add to Cart for any of the software items you require to set up your Cisco ISE
deployment.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
22
OL-26136-01
Cisco ISE Install Files, Updates, and Client Resources
Cisco ISE Live Updates
Cisco ISE Live Update locations allow you to automatically download agent, AV/AS support, and agent
installer helper packages that support the client provisioning and posture policy services. These live
update portals should be configured in ISE upon initial deployment to retrieve the latest client
provisioning and posture software directly from Cisco.com to the ISE appliance.
Prerequisite
If the default Update Feed URL is not reachable and your network requires a proxy server, you may need
to configure the proxy settings in the Administration > System > Settings > Proxy before you are able
to access the Live Update locations. For more information on proxy settings, see the “Specifying Proxy
Settings in Cisco ISE” section in the “Configuring Client Provisioning Policies” chapter of the Cisco
Identity Services Engine User Guide, Release 1.1.x.
Client Provisioning and Posture Live Update portals:
•
Client Provisioning—https://www.cisco.com/web/secure/pmbu/provisioning-update.xml
The following software elements are available at this URL:
– Windows and Mac OS X versions of the latest Cisco ISE persistent and temporal agents
– ActiveX and Java Applet installer helpers
– AV/AS compliance module files
For more information on automatically downloading the software packages that become available at
this portal to Cisco ISE, see the “Downloading Client Provisioning Resources Automatically”
section of the “Configuring Client Provisioning Policies” chapter in the Cisco Identity Services
Engine User Guide, Release 1.1.x.
•
Posture—https://www.cisco.com/web/secure/pmbu/posture-update.xml
The following software elements are available at this URL:
– Cisco predefined checks and rules
– Windows and Mac OS X AV/AS support charts
– Cisco ISE operating system support
For more information on automatically downloading the software packages that become available at
this portal to Cisco ISE, see the “Dynamic Posture Updates” section of the “Configuring Client
Posture Policies” chapter in the Cisco Identity Services Engine User Guide, Release 1.1.x.
If you do not enable the automatic download capabilities described above in Cisco ISE, you can choose
offline updates. See Cisco ISE Offline Updates, page 23.
Cisco ISE Offline Updates
Cisco ISE offline updates allow you to manually download agent, AV/AS support, and agent installer
helper packages that support the client provisioning and posture policy services. This option allows you
to upload client provisioning and posture updates in environments where direct Internet access to
Cisco.com from the ISE appliance is not available or not permitted by security policy.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
23
Cisco ISE Install Files, Updates, and Client Resources
To upload offline client provisioning resources, complete the following steps:
Step 1
Log into Cisco Download Software at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm.
You might be required to provide your Cisco.com login credentials.
Step 2
Navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity
Services Engine Software.
Choose from the following Off-Line Installation Packages available for download:
Step 3
•
compliancemodule-<version>-isebundle.zip — Off-Line Compliance Module Installation
Package
•
macagent-<version>-isebundle.zip — Off-Line Mac Agent Installation Package
•
nacagent-<version>-isebundle.zip — Off-Line NAC Agent Installation Package
•
webagent-<version>-isebundle.zip — Off-Line Web Agent Installation Package
Click Download Now or Add to Cart for any of the software items you require to set up your Cisco ISE
deployment.
For more information on adding the downloaded Installation Packages to Cisco ISE, refer to “Adding
Client Provisioning Resources from a Local Machine” section of the “Configuring Client Posture
Policies” chapter in the Cisco Identity Services Engine User Guide, Release 1.1.x.
You can update the checks, rules, antivirus and antispyware support charts for both the Windows and
Macintosh operating systems, and operating systems information offline from an archive on your local
system using the posture updates.
For offline updates, you need to ensure that the versions of the archive files match the version in the
configuration file. Use this portal once you have configured Cisco ISE and want to enable dynamic
updates for the posture policy service.
To upload offline posture updates, complete the following steps:
Step 1
Go to https://www.cisco.com/web/secure/pmbu/posture-offline.html.
The File Download window appears. From the File Download window, you can choose to save the
posture-offline.zip file to your local system. This file is used to update the checks, rules, antivirus and
antispyware support charts for both the Windows and Macintosh operating systems, and operating
systems information.
Step 2
Access the Cisco ISE administrator user interface and choose Administration > System > Settings >
Posture.
Step 3
Click the arrow to view the settings for posture.
Step 4
Choose Updates. The Posture Updates page appears.
Step 5
From the Posture Updates page, choose the Offline option.
Step 6
From the File to update field, click Browse to locate the single archive file (posture-offline.zip) from
the local folder on your system.
Note
The File to update field is a required (mandatory) field and it cannot be left empty. You can only
select a single archive file (.zip) that contains the appropriate files. Archive files other than .zip
(like .tar, and .gz) are not allowed.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
24
OL-26136-01
Support for Windows 8.1 and Mac OS X 10.9
Step 7
Click the Update Now button.
Once updated, the Posture Updates page displays the current Cisco updates version information as a
verification of an update under Update Information.
Support for Windows 8.1 and Mac OS X 10.9
Cisco ISE 1.1.4 Patch 8 and 1.1.3 Patch 8 supports clients using the Windows 8.1 and Mac OS X 10.9
operating systems.
See Cisco ISE Release 1.1.x Open Caveats, page 80 for workarounds for issues with Safari 7 and Internet
Explorer 11.
Cisco ISE, Release 1.1.4 Patch Updates
The following patch releases apply to Cisco ISE release 1.1.4:
•
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 12, page 25
•
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 11, page 26
•
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 10, page 27
•
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 9, page 27
•
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 8, page 30
•
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 7, page 31
•
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 6, page 33
•
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 5, page 33
•
Resolved issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 4, page 34
•
Resolved issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 3, page 34
•
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 2, page 38
•
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 1, page 42
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 12
Table 5 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.4.218 cumulative patch 12.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
25
Cisco ISE, Release 1.1.4 Patch Updates
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 5
Cisco ISE Patch Version 1.1.4.218—Patch 12 Resolved Caveats
Caveat
Description
CSCur29078
ISE evaluation of SSLv3 POODLE vulnerability.
This fix addresses an issue where SSLV POODLE vulnerability impact on
third-party software was tested.
CSCur00532
ISE evaluation for CVE-2014-6271 and CVE-2014-7169 (AKA ShellShock).
This fix addresses an issue in ISE nodes that are SSH enabled. If SSH is enabled, a
remote user with ISE CLI credentials will be able to exploit the vulnerability and run
generic Linux commands.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1
&version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from
multiple sources.
This includes the CVSS score assigned by the third-party vendor when available.
The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Workaround
Disable SSH and reload ISE node as follows: ise1/admin# configure terminal
ise1/admin(config)# no service sshd enable ise1/admin(config)# end ise1/admin#
reload Save the current ADE-OS running configuration? (yes/no) [yes]? yes
Continue with reboot? [y/n] y
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 11
Table 6 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.4.218 cumulative patch 11.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
26
OL-26136-01
Cisco ISE, Release 1.1.4 Patch Updates
Table 6
Cisco ISE Patch Version 1.1.4.218—Patch 11 Resolved Caveats
Caveat
Description
CSCuo40875
Cisco ISE 1.1.x Not Able to Handle New User Agent Format
This fix addresses an issue where Cisco ISE 1.1.x considered the user agent string
sent by a 4.9.4.3 agent machine as user agent from a non-agent machine and
redirected to client provisioning page
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 10
Table 7 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.4.218 cumulative patch 10.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 7
Cisco ISE Patch Version 1.1.4.218—Patch 10 Resolved Caveats
Caveat
Description
CSCui57374
ISE IPEP Invalid RADIUS Authenticator error during high load
This fix addresses an issue where the NAC agent stopped popping up for the clients
when there was a high load on the IPEP. Invalid RADIUS Authenticator errors were
recorded in the logs.
CSCun25178
Fetching Group Information Takes a Long Time Because of SIDHistory
This fix addresses an issue where Cisco ISE failed to resolve SIDHistory to group
names if the SIDHistory belonged to a trusted domain/forest.
The large number of SIDHistory values in the user's token used to cause long delay
(2-5 minutes) during user authentication.
CSCun77904
iPEP interfaces Issues After Upgrading to 1.1.4 Patch 9
This fix addresses an “interface flapping” issue with the eth0 and eth1 interfaces on
3315 and 3355 appliances that resulted from upgrading to Cisco ISE 1.1.4 patch 9.
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 9
Table 8 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.4.218 cumulative patch 9.
Note
Cisco Recommends upgrading to Cisco ISE 1.1.4 patch 10 instead of patch 9 due to caveat CSCui57374.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
27
Cisco ISE, Release 1.1.4 Patch Updates
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
Table 8
Cisco ISE Patch Version 1.1.4.218—Patch 9 Resolved Caveats
Caveat
Description
CSCub35046
ISE custom guest portal results page includes unused fields
CSCub62481
This fix addresses an issue where unused, optional fields were displayed on the guest
self registration results page when using a custom self registration page and
specifying 'Unused' for the Optional Data fields in the Guest Details Policy.
CSCug90502
ISE Blind SQL Injection Vulnerability
This fix addresses an issue where the Cisco Identity Services Engine (ISE) was
vulnerable to blind SQL injection. This could allow a remote, authenticated user to
modify information in the database.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 6/5.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1
&version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:U/RC:C
CVE ID CVE-2013-5525 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-552
5
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Release Notes for Cisco Identity Services Engine, Release 1.1.x
28
OL-26136-01
Cisco ISE, Release 1.1.4 Patch Updates
Table 8
Cisco ISE Patch Version 1.1.4.218—Patch 9 Resolved Caveats
Caveat
Description
CSCui67495
Uploaded Filenames/Content Not Properly Sanitized
This fix addresses an issue where filenames and content uploaded to Cisco Identity
Services Engine (ISE) was not filtered/sanitized effectively. This could have resulted
in a file of incorrect type being uploaded to ISE or the filename leading to a potential
cross-site scripting (XSS) issue.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4/4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1
&version=2&vector=AV:N/AC:L/Au:S/C:N/I:P/A:N/E:H/RL:U/RC:C
CVE ID CVE-2013-5541 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-554
1
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCui67511
Certain File Types are not Filtered and are Executable
This fix addresses an issue where, due to insufficient filtering and access control,
potentially malicious file types could have been uploaded to, and executed within,
the Cisco Identity Services Engine (ISE) web interface.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4/4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1
&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:U/RC:C
CVE ID CVE-2013-5539 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-553
9
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
29
Cisco ISE, Release 1.1.4 Patch Updates
Table 8
Cisco ISE Patch Version 1.1.4.218—Patch 9 Resolved Caveats
Caveat
Description
CSCul02860
Struts Action Mapper Vulnerability
Previous versions of ISE Cisco ISE included a version of Apache Struts that is
affected by the vulnerabilities identified by the following Common Vulnerability
and Exposures (CVE) IDs:
CVE-2013-4310
Cisco has analyzed these vulnerabilities and concluded that the product is not
impacted, however the affected component has been updated as harden measure.
PSIRT Evaluation
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT
ownership or involvement. This issue will be addressed via normal resolution
channels.
If you believe that there is new information that would cause a change in the severity
of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCul03127
Struts 2 Dynamic Method Invocation Vulnerability
Previous versions of Cisco ISE included a version of Apache Struts2 that is affected
by the vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:
CVE-2013-4316
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1
&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C
CVE ID CVE-2013-4316 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 8
Table 9 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.4.218 cumulative patch 8.
ISE 1.1.4 patch 8 also includes support for Windows 8.1 and Mac OS X 10.9. See Support for Windows
8.1 and Mac OS X 10.9, page 25 for more information.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
30
OL-26136-01
Cisco ISE, Release 1.1.4 Patch Updates
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 9
Cisco ISE Patch Version 1.1.4.218—Patch 8 Resolved Caveats
Caveat
Description
CSCuj45431
ISE Support for Mac OS X 10.9 NAC Agent
ISE 1.1.3 patch 8 supports a NAC Agent for Mac OS X 10.9.
CSCuj60796
ISE Support for IE 11
ISE 1.1.3 patch 8 supports Internet Explorer 11.
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 7
Table 10 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.4.218 cumulative patch 7.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 10
Cisco ISE Patch Version 1.1.4.218—Patch 7 Resolved Caveats
Caveat
Description
CSCud83514
ISE session database growing too large, causing homepage blank
To resolve this issue, run the application configure ise command using the Reset
M&T Session Database option.
When the Monitoring and Session Database becomes corrupted, Cisco ISE may be
variably slow, unusable, have a full disk, become unable to perform replication, or
register/join a distributed deployment. You may observe alert(s) from the ISE
appliance with the title “Session directory write failed.” where the body of the alert
email states that the disk is full.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
31
Cisco ISE, Release 1.1.4 Patch Updates
Table 10
Cisco ISE Patch Version 1.1.4.218—Patch 7 Resolved Caveats
Caveat
Description
CSCue28066
IP address field is missing during editing/duplicating NADs
This fix addresses the issue where you cannot edit or duplicate NADs in the Network
Devices List page when the IP address field is not displayed in the Cisco ISE user
interface.
CSCue62940
Incremental Backup without Full Backup gets stuck in running state
This fix addresses the issue where an incremental backup fails in the absence of a
full backup file in the repository.
CSCug20065
Unable to enforce RBAC as desired to a custom admin
This fix addresses the issue where an admin user (custom created) cannot add
endpoints to an endpoint identity group (custom created) even after assigning the
correct role-based access control policy.
CSCug68792
Incomplete Backup Process Status in UI
This fix addresses the issue where the status of backup is still shown as running in
the user interface even though the process is interrupted in the middle of a backup.
CSCug77406
Increase retention of ASA VPN sessions to 120 hours (5 days)
This fix retains RADIUS active sessions up to 120 hours.
CSCug99304
ISE replication gets disabled due to expired certificates even though they are valid
This fix addresses the issue where you cannot perform manual synchronization to
secondary nodes, if the certificate has expired in any one of the secondary nodes in
a deployment.
CSCuh12487
Null value associated with SNMP GET after call from NMAP fails
This fix addresses the issue with MIB when mapping an endpoint profiling policy
with the device MAC address after an NMAP scan.
CSCuh43440
ISE needs to improve logging mechanism to keep track of backup failures
This fix addresses the issue where you can track information on previous backup
exceptions, which can be queried using "IncrBackupUtil" or "incrbackup" as a key
for incremental backup related errors in the ise-psc.log because the
IncrBackupRestoreException.log is overwritten every time an exception occurs
during backup.
CSCui75669
Endpoint update calls from guest-portal causing replication issues
This fix addresses the issue where the Guest portal generates endpoint update calls
on every redirect to the Guest portal login page for the same user-agent.
CSCuj35109
LWA is broken in iOS 7 devices with ISE 1.1.3 patch 6
This fix addresses the issue where LWA fails for Apple (iOS7) devices in the Cisco
ISE 1.1.3 patch 6.
CSCuj51094
Captured TCPDump file is not working.
This fix addresses the issue where you are unable to open the captured
TCPDump.pcap file in Wireshark.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
32
OL-26136-01
Cisco ISE, Release 1.1.4 Patch Updates
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 6
Table 11 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.4.218 cumulative patch 6.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 11
Cisco ISE Patch Version 1.1.4.218—Patch 6 Resolved Caveats
Caveat
Description
CSCuf20919
Guests can view accounts from each other through self-service
Guest users can view other accounts that are created using the Self Service feature
in a custom guest portal or through the default portal.
CSCuh67300
ISE redirects to default guest pages when configured for custom pages
When using Google Chrome, guest users are redirected to the default guest portal
though Cisco ISE is configured to redirect users to the custom guest portal.
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 5
Table 12 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.4.218 cumulative patch 5.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 12
Cisco ISE Patch Version 1.1.4.218—Patch 5 Resolved Caveats
Caveat
Description
CSCtx35984
Profiler unable to save into DB - SSL Handshake exception error
This fix addresses SSL Handshake related issues when a secondary PAN is
registered in a deployment.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
33
Cisco ISE, Release 1.1.4 Patch Updates
Table 12
Cisco ISE Patch Version 1.1.4.218—Patch 5 Resolved Caveats
Caveat
Description
CSCui41569
BYOD Supplicant Provisioning Status query should be optimized
This fix improves the response time for querying the monitoring database if the
device has been successfully provisioned or pending provisioning and to check the
status of device registration.
CSCui56071
ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates
This fix filters incoming Framed-IP-Address that contains zero IP address (0.0.0.0)
to reduce replication.
Resolved issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 4
Table 13 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.4.218 cumulative patch 4.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 13
Cisco ISE Patch Version 1.1.4.218—Patch 4 Resolved Caveats
Caveat
Description
CSCuh70984
Database purging alarms on Cisco ISE due to open cursors exceeded
This fix addresses the database purging alarm issue where an hourly database purge
fails due to the maximum number of open cursors exceeding the threshold of 1500
per user session in the Monitoring node.
CSCui22841
Apache Struts2 command execution vulnerability
Cisco ISE includes a version of Apache Struts that is affected by the vulnerabilities
identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-2251. This fix addresses the potential impact on this product.
Resolved issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 3
Table 14 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.4.218 cumulative patch 3.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
34
OL-26136-01
Cisco ISE, Release 1.1.4 Patch Updates
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 14
Cisco ISE Patch Version 1.1.4.218—Patch 3 Resolved Caveats
Caveat
Description
CSCth95432
All OUIs in IEEE need to be resolved to names by profiler
This fix addresses that all OUIs are resolved to organization names by the Cisco ISE
profiler.
CSCuc29014
Profiling conditions edit throws null error with NullPointerException
This fix addresses the null error issue that occurs when editing a profiler condition.
This issue occurred when the policy rule existed in the profiler cache even after the
endpoint profiling policy that contained the rule was deleted.
CSCuc74270
Authorization policy match fails following Active Directory password change
This issue has been observed where users authenticate against Active Directory and
are prompted to change to a new password. The password change is successful in
Active Directory, but Cisco ISE fails to match with the appropriate authorization
policy based on session attributes.
This is most likely due to attributes used in authentication not being available for
authorization policy evaluation following a change in the Active Directory
password.
CSCue41912
NAC agent is not triggered on Windows 8 client
Ensure that you install the new NAC agent 4.9.0.52 on Windows 8 clients along with
the Cisco ISE 1.1.3 patch 3.
This fix addresses that you must install the Cisco ISE certificate on the Windows 8
client that allows the NAC agent to pop-up. Unlike Windows 7 and XP clients,
Windows 8 does not display the trust certificate dialog box to allow the NAC agent
to pop-up, if Cisco ISE is using the self-signed certificate, and if the Cisco ISE
certificate is not previously installed on the Windows 8 client.
CSCue59806
'NAC Server not available' error is thrown - EAP failure error (No response)
This fix addresses EAP timeout issue when it occurred on the session, but the session
is already accepted and the protocol runtime (prrt) will not remove any session
attribute.
If you see an EAP timeout from the client, the protocol runtime (prrt) cleans posture
session attributes. The posture runtime service, which looks for session attributes
will fail to fetch the session information.
CSCue60442
Authorization policies disappear after modifying the name of the parent endpoint
identity group in Cisco ISE
This fix addresses the issue where you can modify the name of the user-defined
endpoint identity groups and this does not impact the Authorization Policy page.
If you modify the name of the parent endpoint identity group (user-defined) when
you have referenced the child endpoint identity groups in the authorization policies,
the Authorization Policy page is empty and the configured authorization policies are
not displayed.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
35
Cisco ISE, Release 1.1.4 Patch Updates
Table 14
Cisco ISE Patch Version 1.1.4.218—Patch 3 Resolved Caveats
Caveat
Description
CSCue67900
Termination-Action returns RADIUS-Request
The fix addresses the issue where Termination-Action=Radius-Request in
Access-Accept is set only for the Inline Posture node.
Cisco ISE sends Termination-Action=Radius-Request in Access-Accept, which
indicates that re-authentication should occur on expiration of the Session-Time or
the session was terminated.
CSCue73865
Cisco ISE is unable to authenticate users against Active Directory with
SmbServerNameHardeningLevel=1
This fix addresses the issue that occurred when authenticating users against Active
Directory with SmbServerNameHardeningLevel=1. Authentications failed against
Active Directory with SmbServerNameHardeningLevel set to 1 with an error "24444
Active Directory operation has failed because of an unspecified error."
CSCuf56635
HP Jetdirect Printer is incorrectly profiled as HP-Device using DHCP probe
This fix addresses incorrect profiling of an HP Jetdirect Printer using DHCP probe.
If you change the parent policy of an existing profiling policy, and then add or delete
one or more profiling conditions in the profiling policy, endpoints are not profiled as
expected and you might encounter cache-related exceptions.
Workaround Use static endpoint profiling for HP printers when you have issues with
dynamic profiling using DHCP probe
CSCug06716
Cisco ISE Centrify AD domain whitelisting breaks machine authentication
Centrify version is upgraded to 4.6.0.114. This fix addresses the issue where
machine authentication fails against Active Directory whitelisted domains, if Cisco
ISE is configured with AD domains whitelist.
Run the application configure ise command to configure the AD whitelist domains.
ise/admin# application configure ise
Selection ISE configuration option
[1]Reset Active Directory settings to defaults
[2]Display Active Directory settings
[3]Configure Active Directory settings
[4]Restart/Apply Active Directory settings
[5]Clear Active Directory Trusts Cache and restart/apply Active
Directory settings
[6]Exit
Use the option 3 to configure the AD domains whitelist.
You are about to configure Active Directory settings.
Are you sure you want to proceed? y/n [n]: y
Parameter Name: adclient.included.domains
Parameter Value: abc.com
Active Directory internal setting modification should only be performed
if approved by ISE support. Please confirm this change has been approved
y/n [n]: y
Active Directory settings were modified.
Settings will take effect after choosing apply option from menu.
Use the option 5 to clear the Centrify cache and restart for the new configuration
options to take effect.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
36
OL-26136-01
Cisco ISE, Release 1.1.4 Patch Updates
Table 14
Cisco ISE Patch Version 1.1.4.218—Patch 3 Resolved Caveats
Caveat
Description
CSCug69605
BYOD: Fingerprint exception on Cisco ISE when CA certificate is retrieved via
SCEP
This fix addresses the issue where BYOD certificate-provisioning fails for all clients
with an error when CA certificate is retrieved via the SCEP server.
CSCug72958
Profiling functionality is broken while editing policies
This fix addresses incorrect profiling of endpoints when you change the parent
policy of an existing profiling policy, and then add or delete one or more profiling
conditions in the profiling policy.
CSCug74166
Identity groups are corrupted after changing the parent identity group name
This issue occurs only when editing the parent identity group name with the same
name of the child identity group.
Workaround We recommend that you create parent and child identity groups with
different names.
CSCug76995
Unable to add user after changing the parent user identity group name
This fix addresses the issue where you cannot add users to the user identity group
even after changing the parent user identity group name.
CSCug79181
Secure SSID is visible with a PEAP profile, but not with an EAP-TLS profile, when
the secure SSID was not broadcasted
This error occurs when a device connects to an open network using IOS, gets
redirected to CWS, and provides credentials, the device is registered, and the profile
is installed successfully. The user is then be prompted with a message to connect to
“XXXX SSID and try the original url.” If the profile was modified with PEAP, once
the boarding process is completed, the secure SSID is then visible, and you can
connect to the secure SSID.
Workaround There is no known workaround for this issue.
CSCug95429
Profiler: IP attribute unnecessarily being updated
This fix addresses the issue where the endpoint IP address was updated for the
following conditions:
CSCug98513
•
If Framed-IP-Address attribute contains the limited connectivity IP
(169.254.0.0/16) address, it is ignored by the RADIUS probe.
•
If endpoint IP address is assigned to 0.0.0.0 by the DHCP probe, it is ignored.
Integrate components to support AD 2012 or mixed mode (2008)
Centrify version is upgraded to support Active Directory 2012 and mixed 2008/2012
environments.
CSCuh17560
Suppress Accounting update packets in Cisco ISE 1.1.x
This fix controls the recording of accounting updates from the network access
devices (NADs) that causes the MnT database to grow larger, if NADs are
configured to send periodic accounting updates.
By default, no RADIUS accounting updates are recorded in the accounting report.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
37
Cisco ISE, Release 1.1.4 Patch Updates
Table 14
Cisco ISE Patch Version 1.1.4.218—Patch 3 Resolved Caveats
Caveat
Description
CSCuh23189
ISE: Using Internal Identity User can gain access to Admin Dashboard
This fix addresses the issue where internal users gain access to the Cisco ISE Admin
portal Home page when they are not mapped to any Cisco ISE administrator group.
CSCuh29915
ID group add button window shrinks
This fix addresses the issue where you cannot add endpoints to the endpoint identity
group from the Endpoints object selector.
CSCuh36595
Custom Guest Self Registration Result should not write to file system
This fix addresses the issue where the client browsers display the same credentials
for all guest users instead of displaying credentials for respective guest users after
self-registration.
CSCuh43470
Cisco ISE Authentication failures alarm threshold definition
This fix addresses the issue where the Cisco ISE alarms were displayed along with
the criteria mapped to the alarm.
CSCuh43528
Cisco ISE Alarm Authentication failures count incorrectly shows "%" in details
This fix addresses the issue where the Cisco ISE alarms were displayed along with
the criteria mapped to the alarm.
CSCuh54747
Search is not working in object selector if we change the views
The fix addresses the issue where you cannot search endpoints or users in the object
selector when you switch back to the list-view from the tree-view.
CSCuh56861
Cisco ISE Active Endpoints count on dashboard home page does not decrease
The fix addresses the issue where the active endpoint count is not decreasing on the
Cisco ISE dashboard if the session purge is not running properly.
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 2
Table 15 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.4.218 cumulative patch 2.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
While upgrading from Cisco ISE Release 1.1.4 patch 1 to patch 2, the log targets configured for
�Authentication Flow Diagnostics’ might get removed. You need to manually reconfigure the log targets.
See Also CSCuh81724, page 94.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
38
OL-26136-01
Cisco ISE, Release 1.1.4 Patch Updates
Table 15
Cisco ISE Patch Version 1.1.4.218—Patch 2 Resolved Caveats
Caveat
Description
CSCud65479
Device registration Change of Authorization loop with posturing enabled
This fix addresses the device registration flow issue where the Cisco ISE Admin
node issues a second CoA after the endpoint becomes compliant and is authorized.
When a client connects to the SSID, authenticates, and is redirected to device
registration portal, the user agrees to the Acceptable Use Policy and is mapped to the
predetermined endpoint group and the client status changes to compliant. After a few
seconds, however, the client undergoes another Change of Authorization.
CSCue25407
Wrong Authentication Policy match: Cisco ISE initiates MAB instead of 802.1x
Before this fix, when 802.1x authentication happened for the employee user after
device registration over MAB in a wired device on-boarding case, authentication
policy matched for the user automatically resumed using MAB when it should have
started 802.1x. As a result, the end user received a “Windows Cannot connect to the
network” message.
The workaround was that once the device is not able to connect via 802.1x and the
user receives an error message, the user could try disconnecting the wire and
connecting again.
CSCue49305
Device registration is disabled if JavaScript is disabled for Safari or Chrome
browsers on iOS and Android platforms.
This fix allows the JavaScript to be disabled without disabling the device
registration.
CSCue49317
SCEP enrolment failure if the user name is prefixed with AD domain name
Before this fix, the device on-boarding process would return an error after
registering as part of certificate enrollment. This would occur during personal device
registration, when a username must be entered in the format
<domain>\<username>.
This issue has only been observed when using the <domain>\<username> format
to connect via 802.1x.
The workaround was to connect using just the username without the domain name.
CSCue50838
An arrayOutOfBoundException occurs during Certificate provisioning.
This exception no longer occurs.
CSCue71407
Guest and Sponsor language templates disappear from database.
Before this fix, all configured field values in the language templates for both the
Sponsor and Guest portals would disappear. The portals would display the correct
themes and images, but not text. The names of the language templates would also
not appear in the "SEC_RES_MASTER" table.
CSCue83454
In CWA, ISE is not able to learn guest user IP address
In CWA, the NAD has no knowledge of the guest username, so RADIUS accounting
cannot do the username-IP mapping. However, ISE can fetch the client IP address
and show it in the Live Authentications or in the Guest reports.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
39
Cisco ISE, Release 1.1.4 Patch Updates
Table 15
Cisco ISE Patch Version 1.1.4.218—Patch 2 Resolved Caveats (continued)
Caveat
Description
CSCue90444
When an active IPEP node fails, the VPN traffic drops.
This fix ensures that VPN traffic is not dropped. The error occurred because when
the standby IPEP device becoming active as a result of a failure of an active IPEP
node, the VPN session information was not being updated.
The workaround was to disconnect and then reconnect the VPN session.
CSCuf05267
BYOD usability - Provide API to poll BYOD status.
An API has been provided to poll the BYOD Status, which can be used by the Guest
Service.
CSCuf08298
Collect only the attributes that are used in profiling policies
This is an enhancement to CSCua89503, which was resolved in 1.1.2. It enhances
the ability to globally configure endpoint attribute filtering to help Cisco ISE reduce
the amount of profiling traffic replicated in the local database. Now any attributes
that are not present in the whitelist are dropped when attribute filtering is enabled.
CSCuf47857
BYOD enhancements
This fix provides BYOD usability enhancements for guest CR
CSCuf66747
Guest user notification substitution uses system timezone instead of user timezone
Guest user notifications use system timezone for account-start-time and
account-end-time when the %starttime% and %endtime% variables are used in guest
user notification within the Sponsor portal language templates. This substitution
uses start-time and end-time adjusted to the Cisco ISE system timezone instead of
guest user timezone.
CSCuf71124
PAP admin login failed for consecutive purge operations
This issue was intermittent. Before this fix, when there were successful data purges
of the Management node, attempts to log into the PAP admin UI would fail with the
following error message: “Authentication failed due to zero RBAC Group.”
CSCuf90492
ISE cannot process large SGT matrices or send radius messages larger than 4k
ISE now supports large SGT matrices. It no longer displays the following error
message in the AAA diagnostics: “Invalid attributes in outgoing radius packet possibly some attributes exceeded their size limit.”
CSCuf90513
Multiple Policy Service node’s attempt to write the same profile data to the database
that causes high CPU usage.
When multiple Policy Service nodes receive the same profiling data from an
endpoint, each Policy Service node attempts to write to the Cisco ISE database.
However, only one Policy service node can write data to the database, and therefore
CPU utilization will be high in other Policy Service nodes when they are not able to
write data to the database during reprofiling endpoints.
This might result in disabling the data replication from the Administration ISE node.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
40
OL-26136-01
Cisco ISE, Release 1.1.4 Patch Updates
Table 15
Cisco ISE Patch Version 1.1.4.218—Patch 2 Resolved Caveats (continued)
Caveat
Description
CSCug04743
The order of policies change on Authentication, Posture and CP Policy pages when
using Google Chrome
Before this fix, when a policy was inserted or duplicated on either the Posture Policy
page, CP Policy page, or Authentication Policy. After the policy was saved, and you
returned to the Policy page, the policies would be listed in a different order.
This issue occurred only when there are more than 10 policies.
CSCug15615
BYOD CR: Error message needs to be modified for a disabled NSP policy
(NSPMsg.FAIL_NSP_DISABLE)
The following error message has been enhanced to indicate that the error occurs
when the NSP policy is configured but disabled: “System administrator has not
configured a policy for your device. Contact your system administrator.” The new
error message is: “System administrator has not configured a policy or has to enable
a policy for your device. Contact your system administrator.”
CSCug34981
Incorrect authorization policy match for Self Service Guests when the profiler CoA
is set to ReAuth
The authorization policy match for Self Service Guests is now correct.
CSCug35133
The attribute Service-Type is changing often with the radius probe and causing high
CPU usage
This is not a key attribute and it has been removed from the static list. It is no longer
triggering frequent profiling updates on EndPoints.
CSCug37245
SCEP enrolment fails when using certificates from different CAs
SCEP enrolment can now use certificates from different CAs.
CSCug44228
BYOD success message is shown before CoA and can cause a loop and a network
connection error message on the browser
Before this fix, a BYOD success message would be received too early, and
sometimes when an attempt was made to browse the Internet, an error message was
shown stating that the client cannot connect to network.
This issue would occur when a BYOD device would connect to an Open SSID with
PEAP initially and browse the Internet. This would cause the device to be redirected
to the device registration page and would be asked to download a profile. Once the
device was registered and the profile was downloaded, a success message was
shown. However, this occurred before CoA had happen.
CSCug78350
To install the NAC Agent on IE 10, you must enable compatible mode
This fix ensures that you no longer have to enable compatibility mode to install the
NAC Agent. This issue would occur after authenticating to ISE, opening IE 10 as an
administrator, redirecting to the CP page, and clicking Install. Only Active-x would
be installed and no error messages were displayed on the server.
The workaround was to enable Compatibility Mode on IE.
CSCug78636
Disable Diagnostics Issue
Before this fix, it was recommended that diagnostics be disabled to improve the
response time of the UI. You can now leave the diagnostics at the default setting of
logging only warning or error level messages.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
41
Cisco ISE, Release 1.1.4 Patch Updates
Table 15
Cisco ISE Patch Version 1.1.4.218—Patch 2 Resolved Caveats (continued)
Caveat
Description
CSCug79123
Messages are displaying in vertical format in IE
The following BYOD flow message is no longer displaying in vertical format on the
device registration page when the CP policy was disabled: “The system
administrator has not configured a policy or has to enable a policy for your device.”
The message now displays correctly in the horizontal format. The message always
displayed correctly for Chrome and Firefox.
CSCug80970
Wrong button is displayed when the session is lost during NSPWizard installation
process
Before this fix, the Run Network Setup Assistant button was displayed when the
session was staled in a dual SSID scenario.
This fix now allows only the Try Again button to be displayed, as expected because
the session does not exist in server, and stops the Run Network Setup Assistant
button from being displayed. This occurs when a dual SSID flow is Configured, a
Windows device is redirected to the guest portal, the Register button is clicked to
start the NSP Wizard installation, and the session is staled during NSP Wizard
installation. Then when you exit the NSP profile window and go back to browser, the
correct message is displayed.
Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 1
Table 16 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.4.218 cumulative patch 1.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 16
Cisco ISE Patch Version 1.1.4.218—Patch 1 Resolved Caveats
Caveat
Description
CSCuc07816
Must be able to purge MnT data from CLI
This fix allows Cisco ISE administrators to purge monitoring and troubleshooting
operational data on demand using the application configure ise command.
CSCuc48613
Google Chrome can cause reordering of Authorization Policy rules
This fix addresses the issue where after upgrade to Cisco ISE 1.1.1, if you use the
Google Chrome browser to edit the authorization policy rules, you find the rules
reordered and some of the rules appear grayed out.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
42
OL-26136-01
Cisco ISE, Release 1.1.4 Patch Updates
Table 16
Cisco ISE Patch Version 1.1.4.218—Patch 1 Resolved Caveats (continued)
Caveat
Description
CSCuc58992
IP address of the endpoints is not getting updated correctly
Cisco ISE Release 1.1.x uses the following authoritative attributes to create IP
address-to-MAC address mapping:
•
DHCP-REQUESTED-ADDRESS
•
FRAMED-IP-ADDRESS
•
CDPCACHEADDRESS
In the case of DHCP span, if Cisco ISE gets an actual assignment from the DHCP
server, then DHCP can be authoritative. Unfortunately, in the case of IP Helper, only
the requested address is visible, and in some cases, the server responds with a
different address than the requested one. To address some of the inaccuracies with
the IP-MAC mapping, Cisco has moved the Framed-IP-Address so that it has a better
preference than the dhcp-request-address.
CSCue14864
Endpoint statically assigned to ID group may appear in different group
This fix addresses an issue where endpoints that are statically assigned to an
Endpoint ID group unexpectedly appear in another group. The potential issue is that,
where authorization profiles are based on ID group, these endpoints may wind up
getting assigned the wrong authorization result.
This issue has been observed where the administrator creates endpoint identity
groups and manually add endpoints to the Cisco ISE database, making them static.
CSCue16774
Profiler purge process is not running, EndPoint Cache grows past memory limits
This fix addresses the Cisco ISE application restart issue that occurs if purge process
in profiler has stopped and EndPoint Cache size increases beyond the memory limit.
CSCue31190
Sponsor users editing guest accounts may cause internal server errors
This fix addresses the issue where an "internal server error" message would appear
in the Cisco ISE Administrator User Interface when attempting to edit a guest user
via the Cisco ISE Sponsor portal.
CSCue53508
Limit SNMP Query based of RADIUS Acct Start Event
Once it receives a RADIUS accounting message, Cisco ISE schedules an SNMP
query on that port. If too many messages come in, the server can get overwhelmed.
Cisco has added a time-out parameter to control how often Cisco ISE performs
SNMP queries for particular endpoints. (At most one query per day per endpoint.)
CSCue58842
Valid email refused in Cisco ISE Guest Portal
This fix validates the email address entered in the Cisco ISE Guest portal.
If you enter a valid email address such as abc.x@abc.com and there is only one
character after the period in the username, Cisco ISE refuses it as an invalid email
address for a sponsored guest email ID.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
43
Cisco ISE, Release 1.1.3 Patch Updates
Table 16
Cisco ISE Patch Version 1.1.4.218—Patch 1 Resolved Caveats (continued)
Caveat
Description
CSCue71478
Remove ACS-Session-ID from attribute suppression white-list
The ACS-Session-ID attribute is used in Profiler to detect which Policy Service node
issues a Change of Authorization. This attribute changes frequently in case of failed
authorization events because new sessions are created. This means that even with
attribute suppression enabled, because this attribute is essential, Cisco ISE generates
a database replication event for it. The fix is to drop the attribute and instead extract
the AAA server attribute, which corresponds to the node that evaluates the request.
For example:
AAA-Server1-admin
Previously, Cisco ISE would use the ACS-Session-ID which would have been:
AcsSessionID positron-mehdi/151281952/12
In the context of very high Accounting or Authorization failures, this should reduce
the number of database events.
CSCue71874
Re-profiling process check continuously running
Due to the 60 second buffering in persistence to allow for replication events
reduction, Cisco ISE delays re-profiling if any profiler policy is changed. This delay
is now disabled for the Primary node where re-profiling occurs.
CSCue86661
Cisco ISE does not match a compound condition with multiple conditions in a policy
rule
This fix addresses the issue where Cisco ISE evaluates only the last compound
condition in a policy rule with multiple conditions.
Earlier, the workaround was to remove the compound condition from the policy rule
and add it again.
CSCue96626
Address purging issues
Purge failure and the resulting impact on Monitoring operations are addressed in this
fix.
Cisco ISE, Release 1.1.3 Patch Updates
The following patch releases apply to Cisco ISE release 1.1.3:
•
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 12, page 45
•
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 11, page 46
•
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 10, page 47
•
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 9, page 47
•
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 8, page 50
•
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 7, page 51
•
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 6, page 53
•
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 5, page 53
Release Notes for Cisco Identity Services Engine, Release 1.1.x
44
OL-26136-01
Cisco ISE, Release 1.1.3 Patch Updates
•
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 4, page 54
•
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 3, page 54
•
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 2, page 58
•
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 1, page 62
The following patch releases apply to Cisco ISE release 1.1.2 and have been rolled into release 1.1.3:
•
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 6, page 67
•
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 5, page 68
•
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 4, page 70
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 12
Table 17 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.3.124 cumulative patch 12.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 17
Cisco ISE Patch Version 1.1.3.124—Patch 12 Resolved Caveats
Caveat
Description
CSCur29078
ISE evaluation of SSLv3 POODLE vulnerability.
This fix addresses an issue where SSLV POODLE vulnerability impact on
third-party software was tested.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
45
Cisco ISE, Release 1.1.3 Patch Updates
Table 17
Cisco ISE Patch Version 1.1.3.124—Patch 12 Resolved Caveats
Caveat
Description
CSCur00532
ISE evaluation for CVE-2014-6271 and CVE-2014-7169 (AKA ShellShock).
This fix addresses an issue in ISE nodes that are SSH enabled. If SSH is enabled, a
remote user with ISE CLI credentials will be able to exploit the vulnerability and run
generic Linux commands.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1
&version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from
multiple sources.
This includes the CVSS score assigned by the third-party vendor when available.
The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Workaround
Disable SSH and reload ISE node as follows: ise1/admin# configure terminal
ise1/admin(config)# no service sshd enable ise1/admin(config)# end ise1/admin#
reload Save the current ADE-OS running configuration? (yes/no) [yes]? yes
Continue with reboot? [y/n] y
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 11
Table 18 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.3.124 cumulative patch 11.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
46
OL-26136-01
Cisco ISE, Release 1.1.3 Patch Updates
Table 18
Cisco ISE Patch Version 1.1.3.124—Patch 11 Resolved Caveats
Caveat
Description
CSCuo40875
Cisco ISE 1.1.x Not Able to Handle New User Agent Format
This fix addresses an issue where Cisco ISE 1.1.x considered the user agent string
sent by a 4.9.4.3 agent machine as user agent from a non-agent machine and
redirected to client provisioning page
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 10
Table 19 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.3.124 cumulative patch 10.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 19
Cisco ISE Patch Version 1.1.3.124—Patch 10 Resolved Caveats
Caveat
Description
CSCun25178
Fetching Group Information Takes a Long Time Because of SIDHistory
This fix addresses an issue where Cisco ISE failed to resolve SIDHistory to group
names if the SIDHistory belonged to a trusted domain/forest.
The large number of SIDHistory values in the user's token used to cause long delay
(2-5 minutes) during user authentication.
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 9
Table 20 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.3.124 cumulative patch 9.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
47
Cisco ISE, Release 1.1.3 Patch Updates
Table 20
Cisco ISE Patch Version 1.1.3.124—Patch 9 Resolved Caveats
Caveat
Description
CSCub35046
ISE Custom Guest Portal Results Page Includes Unused Fields
CSCub62481
This fix addresses an issue where unused, optional fields were displayed on the guest
self registration results page when using a custom self registration page and
specifying 'Unused' for the Optional Data fields in the Guest Details Policy.
CSCug90502
ISE Blind SQL Injection Vulnerability
This fix addresses an issue where the Cisco Identity Services Engine (ISE) was
vulnerable to blind SQL injection. This could allow a remote, authenticated user to
modify information in the database.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 6/5.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1
&version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:U/RC:C
CVE ID CVE-2013-5525 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-552
5
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCui57374
ISE IPEP Invalid RADIUS Authenticator error during high load
This fix addresses an issue where the NAC agent stopped popping up for the clients
when there was a high load on the IPEP. Invalid RADIUS Authenticator errors were
recorded in the logs.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
48
OL-26136-01
Cisco ISE, Release 1.1.3 Patch Updates
Table 20
Cisco ISE Patch Version 1.1.3.124—Patch 9 Resolved Caveats
Caveat
Description
CSCui67495
Uploaded Filenames/Content Not Properly Sanitized
This fix addresses an issue where filenames and content uploaded to Cisco Identity
Services Engine (ISE) was not filtered/sanitized effectively. This could have resulted
in a file of incorrect type being uploaded to ISE or the filename leading to a potential
cross-site scripting (XSS) issue.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4/4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1
&version=2&vector=AV:N/AC:L/Au:S/C:N/I:P/A:N/E:H/RL:U/RC:C
CVE ID CVE-2013-5541 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-554
1
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCui67511
Certain File Types are not Filtered and are Executable
This fix addresses an issue where, due to insufficient filtering and access control,
potentially malicious file types could have been uploaded to, and executed within,
the Cisco Identity Services Engine (ISE) web interface.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4/4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1
&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:U/RC:C
CVE ID CVE-2013-5539 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-553
9
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
49
Cisco ISE, Release 1.1.3 Patch Updates
Table 20
Cisco ISE Patch Version 1.1.3.124—Patch 9 Resolved Caveats
Caveat
Description
CSCul02860
Struts Action Mapper Vulnerability
Previous versions of ISE Cisco ISE included a version of Apache Struts that is
affected by the vulnerabilities identified by the following Common Vulnerability
and Exposures (CVE) IDs:
CVE-2013-4310
Cisco has analyzed these vulnerabilities and concluded that the product is not
impacted, however the affected component has been updated as harden measure.
PSIRT Evaluation
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT
ownership or involvement. This issue will be addressed via normal resolution
channels.
If you believe that there is new information that would cause a change in the severity
of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCul03127
Struts 2 Dynamic Method Invocation Vulnerability
Previous versions of Cisco ISE included a version of Apache Struts2 that is affected
by the vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:
CVE-2013-4316
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1
&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C
CVE ID CVE-2013-4316 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 8
Table 21 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.3.124 cumulative patch 8.
ISE 1.1.3 patch 8 also includes support for Windows 8.1 and Mac OS X 10.9. See Support for Windows
8.1 and Mac OS X 10.9, page 25 for more information.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
50
OL-26136-01
Cisco ISE, Release 1.1.3 Patch Updates
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 21
Cisco ISE Patch Version 1.1.3.124—Patch 8 Resolved Caveats
Caveat
Description
CSCuj45431
ISE Support for Mac OS X 10.9 NAC Agent
ISE 1.1.3 patch 8 supports a NAC Agent for Mac OS X 10.9.
CSCuj60796
ISE Support for IE 11
ISE 1.1.3 patch 8 supports Internet Explorer 11.
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 7
Table 22 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.3.124 cumulative patch 7.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 22
Cisco ISE Patch Version 1.1.3.124—Patch 7 Resolved Caveats
Caveat
Description
CSCud83514
ISE session database growing too large, causing homepage blank
To resolve this issue, run the application configure ise command using the Reset
M&T Session Database option.
When the Monitoring and Session Database becomes corrupted, Cisco ISE may be
variably slow, unusable, have a full disk, become unable to perform replication, or
register/join a distributed deployment. You may observe alert(s) from the ISE
appliance with the title “Session directory write failed.” where the body of the alert
email states that the disk is full.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
51
Cisco ISE, Release 1.1.3 Patch Updates
Table 22
Cisco ISE Patch Version 1.1.3.124—Patch 7 Resolved Caveats
Caveat
Description
CSCue28066
IP address field is missing during editing/duplicating NADs
This fix addresses the issue where you cannot edit or duplicate NADs in the Network
Devices List page when the IP address field is not displayed in the Cisco ISE user
interface.
CSCue62940
Incremental Backup without Full Backup gets stuck in running state
This fix addresses the issue where an incremental backup fails in the absence of a
full backup file in the repository.
CSCug20065
Unable to enforce RBAC as desired to a custom admin
This fix addresses the issue where an admin user (custom created) cannot add
endpoints to an endpoint identity group (custom created) even after assigning the
correct role-based access control policy.
CSCug68792
Incomplete Backup Process Status in UI
This fix addresses the issue where the status of backup is still shown as running in
the user interface even though the process is interrupted in the middle of a backup.
CSCug77406
Increase retention of ASA VPN sessions to 120 hours (5 days)
This fix retains RADIUS active sessions up to 120 hours.
CSCug99304
ISE replication gets disabled due to expired certificates even though they are valid
This fix addresses the issue where you cannot perform manual synchronization to
secondary nodes, if the certificate has expired in any one of the secondary nodes in
a deployment.
CSCuh12487
Null value associated with SNMP GET after call from NMAP fails
This fix addresses the issue with MIB when mapping an endpoint profiling policy
with the device MAC address after an NMAP scan.
CSCuh43440
ISE needs to improve logging mechanism to keep track of backup failures
This fix addresses the issue where you can track information on previous backup
exceptions, which can be queried using "IncrBackupUtil" or "incrbackup" as a key
for incremental backup related errors in the ise-psc.log because the
IncrBackupRestoreException.log is overwritten every time an exception occurs
during backup.
CSCui75669
Endpoint update calls from guest-portal causing replication issues
This fix addresses the issue where the Guest portal generates endpoint update calls
on every redirect to the Guest portal login page for the same user-agent.
CSCuj35109
LWA is broken in iOS 7 devices with ISE 1.1.3 patch 6
This fix addresses the issue where LWA fails for Apple (iOS7) devices in the Cisco
ISE 1.1.3 patch 6.
CSCuj51094
Captured TCPDump file is not working.
This fix addresses the issue where you are unable to open the captured
TCPDump.pcap file in Wireshark.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
52
OL-26136-01
Cisco ISE, Release 1.1.3 Patch Updates
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 6
Table 23 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.3.124 cumulative patch 6.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 23
Cisco ISE Patch Version 1.1.3.124—Patch 6 Resolved Caveats
Caveat
Description
CSCuf20919
Guests can view accounts from each other through self-service
Guest users can view other accounts that are created using the Self Service feature
in a custom guest portal or through the default portal.
CSCuh67300
ISE redirects to default guest pages when configured for custom pages
When using Google Chrome, guest users are redirected to the default guest portal
though Cisco ISE is configured to redirect users to the custom guest portal.
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 5
Table 24 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.3.124 cumulative patch 5.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 24
Cisco ISE Patch Version 1.1.3.124—Patch 5 Resolved Caveats
Caveat
Description
CSCtx35984
Profiler unable to save into DB - SSL Handshake exception error
This fix addresses SSL Handshake related issues when a secondary PAN is
registered in a deployment.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
53
Cisco ISE, Release 1.1.3 Patch Updates
Table 24
Cisco ISE Patch Version 1.1.3.124—Patch 5 Resolved Caveats
Caveat
Description
CSCui41569
BYOD Supplicant Provisioning Status query should be optimized
This fix improves the response time for querying the monitoring database if the
device has been successfully provisioned or pending provisioning and to check the
status of device registration.
CSCui56071
ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates
This fix filters incoming Framed-IP-Address that contains zero IP address (0.0.0.0)
to reduce replication.
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 4
Table 25 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.3.124 cumulative patch 4.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 25
Cisco ISE Patch Version 1.1.3.124—Patch 4 Resolved Caveats
Caveat
Description
CSCuh70984
Database purging alarms on Cisco ISE due to open cursors exceeded
This fix addresses the database purging alarms issue where an hourly database
purging fails due to the maximum number of open cursors exceeds the threshold of
1500 per user session in the Monitoring ISE node.
CSCui22841
Apache Struts2 command execution vulnerability
Cisco ISE includes a version of Apache Struts that is affected by the vulnerabilities
identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-2251. This fix addresses the potential impact on this product.
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 3
Table 26 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.3.124 cumulative patch 3.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
54
OL-26136-01
Cisco ISE, Release 1.1.3 Patch Updates
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 26
Cisco ISE Patch Version 1.1.3.124—Patch 3 Resolved Caveats
Caveat
Description
CSCth95432
All OUIs in IEEE need to be resolved to names by profiler
This fix addresses that all OUIs are resolved to organization names by the Cisco ISE
profiler.
CSCuc29014
Profiling conditions edit throws null error with NullPointerException
This fix addresses the null error issue that occurs when editing a profiler condition.
This issue occurred when the policy rule existed in the profiler cache even after the
endpoint profiling policy that contained the rule was deleted.
CSCuc74270
Authorization policy match fails following Active Directory password change
This issue has been observed where users authenticate against Active Directory and
are prompted to change to a new password. The password change is successful in
Active Directory, but Cisco ISE fails to match with the appropriate authorization
policy based on session attributes.
This is most likely due to attributes used in authentication not being available for
authorization policy evaluation following a change in the Active Directory
password.
CSCue41912
NAC agent is not triggered on Windows 8 client
Ensure that you install the new NAC agent 4.9.0.52 on Windows 8 clients along with
the Cisco ISE 1.1.3 patch 3.
This fix addresses that you must install the Cisco ISE certificate on the Windows 8
client that allows the NAC agent to pop-up. Unlike Windows 7 and XP clients,
Windows 8 does not display the trust certificate dialog box to allow the NAC agent
to pop-up, if Cisco ISE is using the self-signed certificate, and if the Cisco ISE
certificate is not previously installed on the Windows 8 client.
CSCue59806
'NAC Server not available' error is thrown - EAP failure error (No response)
This fix addresses EAP timeout issue when it occurred on the session, but the session
is already accepted and the protocol runtime (prrt) will not remove any session
attribute.
If you see an EAP timeout from the client, the protocol runtime (prrt) cleans posture
session attributes. The posture runtime service, which looks for session attributes
will fail to fetch the session information.
CSCue60442
Authorization policies disappear after modifying the name of the parent endpoint
identity group in Cisco ISE
This fix addresses the issue where you can modify the name of the user-defined
endpoint identity groups and this does not impact the Authorization Policy page.
If you modify the name of the parent endpoint identity group (user-defined) when
you have referenced the child endpoint identity groups in the authorization policies,
the Authorization Policy page is empty and the configured authorization policies are
not displayed.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
55
Cisco ISE, Release 1.1.3 Patch Updates
Table 26
Cisco ISE Patch Version 1.1.3.124—Patch 3 Resolved Caveats
Caveat
Description
CSCue67900
Termination-Action returns RADIUS-Request
The fix addresses the issue where Termination-Action=Radius-Request in
Access-Accept is set only for the Inline Posture node.
Cisco ISE sends Termination-Action=Radius-Request in Access-Accept, which
indicates that re-authentication should occur on expiration of the Session-Time or
the session was terminated.
CSCue73865
Cisco ISE is unable to authenticate users against Active Directory with
SmbServerNameHardeningLevel=1
This fix addresses the issue that occurred when authenticating users against Active
Directory with SmbServerNameHardeningLevel=1. Authentications failed against
Active Directory with SmbServerNameHardeningLevel set to 1 with an error "24444
Active Directory operation has failed because of an unspecified error."
CSCuf56635
HP Jetdirect Printer is incorrectly profiled as HP-Device using DHCP probe
This fix addresses incorrect profiling of an HP Jetdirect Printer using DHCP probe.
If you change the parent policy of an existing profiling policy, and then add or delete
one or more profiling conditions in the profiling policy, endpoints are not profiled as
expected and you might encounter cache-related exceptions.
Workaround Use static endpoint profiling for HP printers when you have issues with
dynamic profiling using DHCP probe
CSCug06716
Cisco ISE Centrify AD domain whitelisting breaks machine authentication
Centrify version is upgraded to 4.6.0.114. This fix addresses the issue where
machine authentication fails against Active Directory whitelisted domains, if Cisco
ISE is configured with AD domains whitelist.
Run the application configure ise command to configure the AD whitelist domains.
ise/admin# application configure ise
Selection ISE configuration option
[1]Reset Active Directory settings to defaults
[2]Display Active Directory settings
[3]Configure Active Directory settings
[4]Restart/Apply Active Directory settings
[5]Clear Active Directory Trusts Cache and restart/apply Active
Directory settings
[6]Exit
Use the option 3 to configure the AD domains whitelist.
You are about to configure Active Directory settings.
Are you sure you want to proceed? y/n [n]: y
Parameter Name: adclient.included.domains
Parameter Value: abc.com
Active Directory internal setting modification should only be performed
if approved by ISE support. Please confirm this change has been approved
y/n [n]: y
Active Directory settings were modified.
Settings will take effect after choosing apply option from menu.
Use the option 5 to clear the Centrify cache and restart for the new configuration
options to take effect.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
56
OL-26136-01
Cisco ISE, Release 1.1.3 Patch Updates
Table 26
Cisco ISE Patch Version 1.1.3.124—Patch 3 Resolved Caveats
Caveat
Description
CSCug69605
BYOD: Fingerprint exception on Cisco ISE when CA certificate is retrieved via
SCEP
This fix addresses the issue where BYOD certificate-provisioning fails for all clients
with an error when CA certificate is retrieved via the SCEP server.
CSCug72958
Profiling functionality is broken while editing policies
This fix addresses incorrect profiling of endpoints when you change the parent
policy of an existing profiling policy, and then add or delete one or more profiling
conditions in the profiling policy.
CSCug74166
Identity groups are corrupted after changing the parent identity group name
This issue occurs only when editing the parent identity group name with the same
name of the child identity group.
Workaround We recommend that you create parent and child identity groups with
different names.
CSCug76995
Unable to add user after changing the parent user identity group name
This fix addresses the issue where you cannot add users to the user identity group
even after changing the parent user identity group name.
CSCug79181
Secure SSID is visible with a PEAP profile, but not with an EAP-TLS profile, when
the secure SSID was not broadcasted
This error occurs when a device connects to an open network using IOS, gets
redirected to CWS, and provides credentials, the device is registered, and the profile
is installed successfully. The user is then be prompted with a message to connect to
“XXXX SSID and try the original url.” If the profile was modified with PEAP, once
the boarding process is completed, the secure SSID is then visible, and you can
connect to the secure SSID.
Workaround There is no known workaround for this issue.
CSCug95429
Profiler: IP attribute unnecessarily being updated
This fix addresses the issue where the endpoint IP address was updated for the
following conditions:
CSCug98513
•
If Framed-IP-Address attribute contains the limited connectivity IP
(169.254.0.0/16) address, it is ignored by the RADIUS probe.
•
If endpoint IP address is assigned to 0.0.0.0 by the DHCP probe, it is ignored.
Integrate components to support AD 2012 or mixed mode (2008)
Centrify version is upgraded to support Active Directory 2012 and mixed 2008/2012
environments.
CSCuh17560
Suppress Accounting update packets in Cisco ISE 1.1.x
This fix controls the recording of accounting updates from the network access
devices (NADs) that causes the MnT database to grow larger, if NADs are
configured to send periodic accounting updates.
By default, no RADIUS accounting updates are recorded in the accounting report.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
57
Cisco ISE, Release 1.1.3 Patch Updates
Table 26
Cisco ISE Patch Version 1.1.3.124—Patch 3 Resolved Caveats
Caveat
Description
CSCuh23189
ISE: Using Internal Identity User can gain access to Admin Dashboard
This fix addresses the issue where internal users gain access to the Cisco ISE Admin
portal Home page when they are not mapped to any Cisco ISE administrator group.
CSCuh29915
ID group add button window shrinks
This fix addresses the issue where you cannot add endpoints to the endpoint identity
group from the Endpoints object selector.
CSCuh36595
Custom Guest Self Registration Result should not write to file system
This fix addresses the issue where the client browsers display the same credentials
for all guest users instead of displaying credentials for respective guest users after
self-registration.
CSCuh43470
Cisco ISE Authentication failures alarm threshold definition
This fix addresses the issue where the Cisco ISE alarms were displayed along with
the criteria mapped to the alarm.
CSCuh43528
Cisco ISE Alarm Authentication failures count incorrectly shows "%" in details
This fix addresses the issue where the Cisco ISE alarms were displayed along with
the criteria mapped to the alarm.
CSCuh54747
Search is not working in object selector if we change the views
The fix addresses the issue where you cannot search endpoints or users in the object
selector when you switch back to the list-view from the tree-view.
CSCuh56861
Cisco ISE Active Endpoints count on dashboard home page does not decrease
The fix addresses the issue where the active endpoint count is not decreasing on the
Cisco ISE dashboard if the session purge is not running properly.
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 2
Table 27 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.3.124 cumulative patch 2.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
58
OL-26136-01
Cisco ISE, Release 1.1.3 Patch Updates
Table 27
Cisco ISE Patch Version 1.1.3.124—Patch 2 Resolved Caveats
Caveat
Description
CSCud65479
Device registration Change of Authorization loop with posturing enabled
This fix addresses the device registration flow issue where the Cisco ISE Admin
node issues a second CoA after the endpoint becomes compliant and is authorized.
When a client connects to the SSID, authenticates, and is redirected to device
registration portal, the user agrees to the Acceptable Use Policy and is mapped to the
predetermined endpoint group and the client status changes to compliant. After a few
seconds, however, the client undergoes another Change of Authorization.
CSCue25407
Wrong Authentication Policy match: Cisco ISE initiates MAB instead of 802.1x
Before this fix, when 802.1x authentication happened for the employee user after
device registration over MAB in a wired device on-boarding case, authentication
policy matched for the user automatically resumed using MAB when it should have
started 802.1x. As a result, the end user received a “Windows Cannot connect to the
network” message.
The workaround was that once the device is not able to connect via 802.1x and the
user receives an error message, the user could try disconnecting the wire and
connecting again.
CSCue49305
Device registration is disabled if JavaScript is disabled for Safari or Chrome
browsers on iOS and Android platforms.
This fix allows the JavaScript to be disabled without disabling the device
registration.
CSCue49317
SCEP enrolment failure if the user name is prefixed with AD domain name
Before this fix, the device on-boarding process would return an error after
registering as part of certificate enrollment. This would occur during personal device
registration, when a username must be entered in the format
<domain>\<username>.
This issue has only been observed when using the <domain>\<username> format
to connect via 802.1x.
The workaround was to connect using just the username without the domain name.
CSCue50838
An arrayOutOfBoundException occurs during Certificate provisioning.
This exception no longer occurs.
CSCue71407
Guest and Sponsor language templates disappear from database.
Before this fix, all configured field values in the language templates for both the
Sponsor and Guest portals would disappear. The portals would display the correct
themes and images, but not text. The names of the language templates would also
not appear in the "SEC_RES_MASTER" table.
CSCue83454
In CWA, ISE is not able to learn guest user IP address
In CWA, the NAD has no knowledge of the guest username, so RADIUS accounting
cannot do the username-IP mapping. However, ISE can fetch the client IP address
and show it in the Live Authentications or in the Guest reports.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
59
Cisco ISE, Release 1.1.3 Patch Updates
Table 27
Cisco ISE Patch Version 1.1.3.124—Patch 2 Resolved Caveats (continued)
Caveat
Description
CSCue90444
When an active IPEP node fails, the VPN traffic drops.
This fix ensures that VPN traffic is not dropped. The error occurred because when
the standby IPEP device becoming active as a result of a failure of an active IPEP
node, the VPN session information was not being updated.
The workaround was to disconnect and then reconnect the VPN session.
CSCuf05267
BYOD usability - Provide API to poll BYOD status.
An API has been provided to poll the BYOD Status, which can be used by the Guest
Service.
CSCuf08298
Collect only the attributes that are used in profiling policies
This is an enhancement to CSCua89503, which was resolved in 1.1.2. It enhances
the ability to globally configure endpoint attribute filtering to help Cisco ISE reduce
the amount of profiling traffic replicated in the local database. Now any attributes
that are not present in the whitelist are dropped when attribute filtering is enabled.
CSCuf47857
BYOD enhancements
This fix provides BYOD usability enhancements for guest CR
CSCuf66747
Guest user notification substitution uses system timezone instead of user timezone
Guest user notifications use system timezone for account-start-time and
account-end-time when the %starttime% and %endtime% variables are used in guest
user notification within the Sponsor portal language templates. This substitution
uses start-time and end-time adjusted to the Cisco ISE system timezone instead of
guest user timezone.
CSCuf71124
PAP admin login failed for consecutive purge operations
This issue was intermittent. Before this fix, when there were successful data purges
of the Management node, attempts to log into the PAP admin UI would fail with the
following error message: “Authentication failed due to zero RBAC Group.”
CSCuf90492
ISE cannot process large SGT matrices or send radius messages larger than 4k
ISE now supports large SGT matrices. It no longer displays the following error
message in the AAA diagnostics: “Invalid attributes in outgoing radius packet possibly some attributes exceeded their size limit.”
CSCuf90513
Multiple Policy Service node’s attempt to write the same profile data to the database
that causes high CPU usage.
When multiple Policy Service nodes receive the same profiling data from an
endpoint, each Policy Service node attempts to write to the Cisco ISE database.
However, only one Policy service node can write data to the database, and therefore
CPU utilization will be high in other Policy Service nodes when they are not able to
write data to the database during reprofiling endpoints.
This might result in disabling the data replication from the Administration ISE node.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
60
OL-26136-01
Cisco ISE, Release 1.1.3 Patch Updates
Table 27
Cisco ISE Patch Version 1.1.3.124—Patch 2 Resolved Caveats (continued)
Caveat
Description
CSCug04743
The order of policies change on Authentication, Posture and CP Policy pages when
using Google Chrome
Before this fix, when a policy was inserted or duplicated on either the Posture Policy
page, CP Policy page, or Authentication Policy. After the policy was saved, and you
returned to the Policy page, the policies would be listed in a different order.
This issue occurred only when there are more than 10 policies.
CSCug15615
BYOD CR: Error message needs to be modified for a disabled NSP policy
(NSPMsg.FAIL_NSP_DISABLE)
The following error message has been enhanced to indicate that the error occurs
when the NSP policy is configured but disabled: “System administrator has not
configured a policy for your device. Contact your system administrator.” The new
error message is: “System administrator has not configured a policy or has to enable
a policy for your device. Contact your system administrator.”
CSCug34981
Incorrect authorization policy match for Self Service Guests when the profiler CoA
is set to ReAuth
The authorization policy match for Self Service Guests is now correct.
CSCug35133
The attribute Service-Type is changing often with the radius probe and causing high
CPU usage
This is not a key attribute and it has been removed from the static list. It is no longer
triggering frequent profiling updates on EndPoints.
CSCug37245
SCEP enrolment fails when using certificates from different CAs
SCEP enrolment can now use certificates from different CAs.
CSCug44228
BYOD success message is shown before CoA and can cause a loop and a network
connection error message on the browser
Before this fix, a BYOD success message would be received too early, and
sometimes when an attempt was made to browse the Internet, an error message was
shown stating that the client cannot connect to network.
This issue would occur when a BYOD device would connect to an Open SSID with
PEAP initially and browse the Internet. This would cause the device to be redirected
to the device registration page and would be asked to download a profile. Once the
device was registered and the profile was downloaded, a success message was
shown. However, this occurred before CoA had happen.
CSCug78350
To install the NAC Agent on IE 10, you must enable compatible mode
This fix ensures that you no longer have to enable compatibility mode to install the
NAC Agent. This issue would occur after authenticating to ISE, opening IE 10 as an
administrator, redirecting to the CP page, and clicking Install. Only Active-x would
be installed and no error messages were displayed on the server.
The workaround was to enable Compatibility Mode on IE.
CSCug78636
Disable Diagnostics Issue
Before this fix, it was recommended that diagnostics be disabled to improve the
response time of the UI. You can now leave the diagnostics at the default setting of
logging only warning or error level messages.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
61
Cisco ISE, Release 1.1.3 Patch Updates
Table 27
Cisco ISE Patch Version 1.1.3.124—Patch 2 Resolved Caveats (continued)
Caveat
Description
CSCug79123
Messages are displaying in vertical format in IE
The following BYOD flow message is no longer displaying in vertical format on the
device registration page when the CP policy was disabled: “The system
administrator has not configured a policy or has to enable a policy for your device.”
The message now displays correctly in the horizontal format. The message always
displayed correctly for Chrome and Firefox.
CSCug80970
Wrong button is displayed when the session is lost during NSPWizard installation
process
Before this fix, the Run Network Setup Assistant button was displayed when the
session was staled in a dual SSID scenario.
This fix now allows only the Try Again button to be displayed, as expected because
the session does not exist in server, and stops the Run Network Setup Assistant
button from being displayed. This occurs when a dual SSID flow is Configured, a
Windows device is redirected to the guest portal, the Register button is clicked to
start the NSP Wizard installation, and the session is staled during NSP Wizard
installation. Then when you exit the NSP profile window and go back to browser, the
correct message is displayed.
Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 1
Table 28 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.3.124 cumulative patch 1.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 28
Cisco ISE Patch Version 1.1.3.124—Patch 1 Resolved Caveats
Caveat
Description
CSCuc07816
Must be able to purge MnT data from CLI
This fix allows Cisco ISE administrators to purge monitoring and troubleshooting
operational data on demand using the application configure ise command.
CSCuc48613
Google Chrome can cause reordering of Authorization Policy rules
This fix addresses the issue where after upgrade to Cisco ISE 1.1.1, if you use the
Google Chrome browser to edit the authorization policy rules, you find the rules
reordered and some of the rules appear grayed out.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
62
OL-26136-01
Cisco ISE, Release 1.1.3 Patch Updates
Table 28
Cisco ISE Patch Version 1.1.3.124—Patch 1 Resolved Caveats (continued)
Caveat
Description
CSCuc58992
IP address of the endpoints is not getting updated correctly
Cisco ISE Release 1.1.x uses the following authoritative attributes to create IP
address-to-MAC address mapping:
•
DHCP-REQUESTED-ADDRESS
•
FRAMED-IP-ADDRESS
•
CDPCACHEADDRESS
In the case of DHCP span, if Cisco ISE gets an actual assignment from the DHCP
server, then DHCP can be authoritative. Unfortunately, in the case of IP Helper, only
the requested address is visible, and in some cases, the server responds with a
different address than the requested one. To address some of the inaccuracies with
the IP-MAC mapping, Cisco has moved the Framed-IP-Address so that it has a better
preference than the dhcp-request-address.
CSCue14864
Endpoint statically assigned to ID group may appear in different group
This fix addresses an issue where endpoints that are statically assigned to an
Endpoint ID group unexpectedly appear in another group. The potential issue is that,
where authorization profiles are based on ID group, these endpoints may wind up
getting assigned the wrong authorization result.
This issue has been observed where the administrator creates endpoint identity
groups and manually add endpoints to the Cisco ISE database, making them static.
CSCue16774
Profiler purge process is not running, EndPoint Cache grows past memory limits
This fix addresses the Cisco ISE application restart issue that occurs if purge process
in profiler has stopped and EndPoint Cache size increases beyond the memory limit.
CSCue31190
Sponsor users editing guest accounts may cause internal server errors
This fix addresses the issue where an "internal server error" message would appear
in the Cisco ISE Administrator User Interface when attempting to edit a guest user
via the Cisco ISE Sponsor portal.
CSCue53508
Limit SNMP Query based of RADIUS Acct Start Event
Once it receives a RADIUS accounting message, Cisco ISE schedules an SNMP
query on that port. If too many messages come in, the server can get overwhelmed.
Cisco has added a time-out parameter to control how often Cisco ISE performs
SNMP queries for particular endpoints. (At most one query per day per endpoint.)
CSCue58842
Valid email refused in Cisco ISE Guest Portal
This fix validates the email address entered in the Cisco ISE Guest portal.
If you enter a valid email address such as abc.x@abc.com and there is only one
character after the period in the username, Cisco ISE refuses it as an invalid email
address for a sponsored guest email ID.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
63
Cisco ISE, Release 1.1.2 Patch Updates
Table 28
Cisco ISE Patch Version 1.1.3.124—Patch 1 Resolved Caveats (continued)
Caveat
Description
CSCue71478
Remove ACS-Session-ID from attribute suppression white-list
The ACS-Session-ID attribute is used in Profiler to detect which Policy Service node
issues a Change of Authorization. This attribute changes frequently in case of failed
authorization events because new sessions are created. This means that even with
attribute suppression enabled, because this attribute is essential, Cisco ISE generates
a database replication event for it. The fix is to drop the attribute and instead extract
the AAA server attribute, which corresponds to the node that evaluates the request.
For example:
AAA-Server1-admin
Previously, Cisco ISE would use the ACS-Session-ID which would have been:
AcsSessionID positron-mehdi/151281952/12
In the context of very high Accounting or Authorization failures, this should reduce
the number of database events.
CSCue71874
Re-profiling process check continuously running
Due to the 60 second buffering in persistence to allow for replication events
reduction, Cisco ISE delays re-profiling if any profiler policy is changed. This delay
is now disabled for the Primary node where re-profiling occurs.
CSCue86661
Cisco ISE does not match a compound condition with multiple conditions in a policy
rule
This fix addresses the issue where Cisco ISE evaluates only the last compound
condition in a policy rule with multiple conditions.
Earlier, the workaround was to remove the compound condition from the policy rule
and add it again.
CSCue96626
Address purging issues
Purge failure and the resulting impact on Monitoring operations are addressed in this
fix.
Cisco ISE, Release 1.1.2 Patch Updates
The following patch release applies to Cisco ISE release 1.1.2
•
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 10, page 65
•
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 9, page 65
•
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 8, page 66
•
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 7, page 66
•
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 6, page 67
The following patch releases apply to Cisco ISE release 1.1.2 and have been rolled into release 1.1.3:
•
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 6, page 67
•
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 5, page 68
Release Notes for Cisco Identity Services Engine, Release 1.1.x
64
OL-26136-01
Cisco ISE, Release 1.1.2 Patch Updates
•
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 4, page 70
•
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 3, page 70
•
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 2, page 71
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 10
Table 30 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.2.145 cumulative patch 10.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 29
Cisco ISE Patch Version 1.1.2.145—Patch 10 Resolved Caveats
Caveat
Description
CSCuj51094
Captured TCPDump file is not working
This fix addresses an issue where an exception occured when opening a captured
TCPDump file.
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 9
Table 30 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.2.145 cumulative patch 9.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
65
Cisco ISE, Release 1.1.2 Patch Updates
Table 30
Cisco ISE Patch Version 1.1.2.145—Patch 9 Resolved Caveats
Caveat
Description
CSCui22841
Apache Struts2 command execution vulnerability
Cisco ISE includes a version of Apache Struts that is affected by the vulnerabilities
identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-2251. This fix addresses the potential impact on this product.
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 8
Table 31 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.2.145 cumulative patch 8.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 31
Cisco ISE Patch Version 1.1.2.145—Patch 8 Resolved Caveats
Caveat
Description
CSCue59806
'NAC Server not available' error is thrown - EAP failure error (No response)
This fix addresses EAP timeout issue when it occurred on the session, but the session
is already accepted and the protocol runtime (prrt) will not remove any session
attribute.
If you see an EAP timeout from the client, the protocol runtime (prrt) cleans posture
session attributes. The posture runtime service, which looks for session attributes
will fail to fetch the session information.
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 7
Table 32 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.2.145 cumulative patch 7.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
66
OL-26136-01
Cisco ISE, Release 1.1.2 Patch Updates
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 32
Cisco ISE Patch Version 1.1.2.145—Patch 7 Resolved Caveats
Caveat
Description
CSCue60442
Authorization policies disappear after modifying the name of the parent endpoint
identity group in Cisco ISE
This fix addresses the issue where you can modify the name of the user-defined
endpoint identity groups and this does not impact the Authorization Policy page.
If you modify the name of the parent endpoint identity group (user-defined) when
you have referenced the child endpoint identity groups in the authorization policies,
the Authorization Policy page is empty and the configured authorization policies are
not displayed.
CSCuf56635
HP Jetdirect Printer is incorrectly profiled as HP-Device using DHCP probe
If you change the parent policy of an existing profiling policy, and then add or delete
one or more profiling conditions in the profiling policy, endpoints are not profiled as
expected and you might encounter cache-related exceptions.
Workaround To prevent such issues, you must create a new profiling policy instead
of modifying an existing policy.
•
If a secondary node has any profiling issue as described above, perform a
manual synchronization of nodes, which might resolve the issue.
•
If an existing profiling policy creates an issue as described above, delete the
existing policy and create a new profiling policy with the same set of attributes
and conditions.
If both of the workarounds listed here do not work, contact Cisco TAC for assistance.
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 6
Table 33 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.2.145 cumulative patch 6 (Revision Number 77241).
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
67
Cisco ISE, Release 1.1.2 Patch Updates
Table 33
Cisco ISE Patch Version 1.1.2.145—Patch 6 Resolved Caveats
Caveat
Description
CSCud65479
Device registration Change of Authorization loop with posturing enabled
This fix addresses the device registration flow issue where the Cisco ISE Admin
node issues a second CoA after the endpoint becomes compliant and is authorized.
When a client connects to the SSID, authenticates, and is redirected to device
registration portal, the user agrees to the Acceptable Use Policy and is mapped to the
predetermined endpoint group and the client status changes to compliant. After a few
seconds, however, the client undergoes another Change of Authorization.
Cisco ISE registers a “CoAHandler][]
cisco.profiler.infrastructure.profiling.CoAHandler- About to issue CoA on <MAC
address> due to Identity Group change.” entry repeatedly in the profiler.log file:
CSCuf08298
Collect only the attributes that are used in profiling policies
Earlier releases of Cisco ISE do not feature any control over which attributes can be
saved, and as a result, would collect a significant amount of unnecessary
information.
In Cisco ISE, Release 1.1.2, you can globally configure endpoint attribute filtering
to help Cisco ISE reduce the amount of profiling traffic replicated in the local
database. This enhancement introduces a new function called a “whitelist,” which
drops any attributes that are not present in the whitelist to ensure Cisco ISE database
replication takes place as efficiently as possible.
CSCuf66747
Guest user notification substitution uses system timezone instead of user timezone
Guest user notifications use system timezone for account-start-time and
account-end-time when the %starttime% and %endtime% variables are used in guest
user notification within the Sponsor portal language templates. This substitution
uses start-time and end-time adjusted to the Cisco ISE system timezone instead of
guest user timezone.
CSCuf90513
Multiple Policy Service node’s attempt to write the same profile data to the database
that causes high CPU usage.
When multiple Policy Service nodes receive the same profiling data from an
endpoint, each Policy Service node attempts to write to the Cisco ISE database.
However, only one Policy service node can write data to the database, and therefore
CPU utilization will be high in other Policy Service nodes when they are not able to
write data to the database during reprofiling endpoints.
This might result in disabling the data replication from the Administration ISE node.
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 5
Table 34 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.2.145 cumulative patch 5.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
68
OL-26136-01
Cisco ISE, Release 1.1.2 Patch Updates
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 34
Cisco ISE Patch Version 1.1.2.145—Patch 5 Resolved Caveats
Caveat
Description
CSCuc58992
IP address of the endpoints is not getting updated correctly
Cisco ISE Release 1.1.x uses the following authoritative attributes to create IP
address-to-MAC address mapping:
•
DHCP-REQUESTED-ADDRESS
•
FRAMED-IP-ADDRESS
•
CDPCACHEADDRESS
In the case of DHCP span, if Cisco ISE gets an actual assignment from the DHCP
server, then DHCP can be authoritative. Unfortunately, in the case of IP Helper, only
the requested address is visible, and in some cases, the server responds with a
different address than the requested one. To address some of the inaccuracies with
the IP-MAC mapping, Cisco has moved the Framed-IP-Address so that it has a better
preference than the dhcp-request-address.
CSCue53508
Limit SNMP Query based of RADIUS Acct Start Event
Once it receives a RADIUS accounting message, Cisco ISE schedules an SNMP
query on that port. If too many messages come in, the server can get overwhelmed.
Cisco has added a time-out parameter to control how often Cisco ISE performs
SNMP queries for particular endpoints. (At most one query per day per endpoint.)
CSCue71478
Remove ACS-Session-ID from attribute suppression white-list
The ACS-Session-ID attribute is used in Profiler to detect which Policy Service node
issues a Change of Authorization. This attribute changes frequently in case of failed
authorization events because new sessions are created. This means that even with
attribute suppression enabled, because this attribute is essential, Cisco ISE generates
a database replication event for it. The fix is to drop the attribute and instead extract
the AAA server attribute, which corresponds to the node that evaluates the request.
For example:
AAA-Server1-admin
Previously, Cisco ISE would use the ACS-Session-ID which would have been:
AcsSessionID positron-mehdi/151281952/12
In the context of very high Accounting or Authorization failures, this should reduce
the number of database events.
CSCue71874
Re-profiling process check continuously running
Due to the 60 second buffering in persistence to allow for replication events
reduction, Cisco ISE delays re-profiling if any profiler policy is changed. This delay
is now disabled for the Primary node where re-profiling occurs.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
69
Cisco ISE, Release 1.1.2 Patch Updates
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 4
Table 35 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.2.145 cumulative patch 4.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 35
Cisco ISE Patch Version 1.1.2.145—Patch 4 Resolved Caveats
Caveat
Description
CSCue14864
Endpoint statically assigned to ID group may appear in different group
This fix addresses an issue where endpoints that are statically assigned to an
Endpoint ID group unexpectedly appear in another group. The potential issue is that,
where authorization profiles are based on ID group, these endpoints may wind up
getting assigned the wrong authorization result.
This issue has been observed where the administrator creates endpoint identity
groups and manually add endpoints to the Cisco ISE database, making them static.
Workaround The end users must manually authenticate the endpoint again.
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 3
Table 36 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.2.145 cumulative patch 3.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
70
OL-26136-01
Cisco ISE, Release 1.1.2 Patch Updates
Table 36
Cisco ISE Patch Version 1.1.2.145—Patch 3 Resolved Caveats
Caveat
Description
CSCud43467
Periodic Reassessment check functionality not working
This resolution addresses an issue where no periodic posture reassessment was
initiated on certain client machines logged into the Cisco ISE network.
Note
There is no known workaround for this issue.
Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 2
Note
There is no Patch 1 available for general deployment on the Cisco Download Software Site. Patch 1 was
a limited availability patch which is now superseded by Patch 2.
Table 37 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.2.145 cumulative patch 2.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 37
Cisco ISE Patch Version 1.1.2.145—Patch 2 Resolved Caveats
Caveat
Description
CSCto28988
Session cache entry not found with failed authentication entries
This fix addresses an issue where Cisco ISE would intermittently return session
failures citing the wrong password, unknown user, and/or EAP protocol failures.
Before this resolution, you would need to disconnect and reconnect to any wired
interface experiencing this issue, and (for wireless connections) either disconnect
from the interface and wait five minutes before reconnecting, or ask your network
administrator to manually clear the client session from a Wireless LAN Controller.
Note
This issue was not unique to guest login session flows.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
71
Cisco ISE, Release 1.1.2 Patch Updates
Table 37
Cisco ISE Patch Version 1.1.2.145—Patch 2 Resolved Caveats (continued)
Caveat
Description
CSCub32594
Inline posture node does not accept a policy from the associated Policy Service node
This resolution addresses an issue that could occur when multiple user sessions
trigger concurrent exchanges of RADIUS messages between the Inline Posture node
and the Policy Service node (in the case of an “Authorize-Only” query or DACL
download, for example) due to a race condition between two simultaneous threads.
To reproduce this issue, the best way is to generate many concurrent RADIUS
sessions.
Note
CSCuc13075
Historically, this issue might only occur on a very infrequent basis, possibly
taking months between subsequent occurrences.
Endpoints are being saved with EndpointPolicy as Unknown
This update fixes an issue where endpoint profiles were appearing in the Cisco ISE
administrator interface as designed, reading “Apple-Device,” but upon editing the
endpoint entry, the endpoint attributes “Endpoint Policy” and “Matched Policy”
appeared as “UNKNOWN.”
CSCuc21814
Incorrect profiler policy with Rate limiter delayed updates in few cases
This fix addresses an issue where the Cisco ISE profiling policy represents to an
incorrect value in certain cases due to delayed profiling updates by the
previously-implemented Rate Limiter enhancement.
CSCuc46719
High CPU usage observed when profiling data cannot be written to database
When profiler fails to write data to the Cisco ISE database, the process does not drop
that data and, instead, keeps trying to update the database, driving up CPU usage due
to the extra services required. One example recorded involved a RADIUS probe
where each user had a very large Active Directory group membership field. The
value of this field was larger than what the Cisco ISE database could store reliably,
and when Profiler tried repeatedly to add the data, the result was extremely high CPU
usage.
CSCud04633
Java causing “Out of Memory” errors in Cisco ISE
This issue was observed in Cisco ISE, Release 1.1.1 where client machines were
attempting to register with Cisco ISE using the EAP-TLS and PEAP protocols, as
well as during standard profiling functions.
Before this fix addressed the issue, you would have to manually restart services on
the Cisco ISE node in question to remedy the situation.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
72
OL-26136-01
Cisco ISE, Release 1.1.2 Patch Updates
Table 37
Cisco ISE Patch Version 1.1.2.145—Patch 2 Resolved Caveats (continued)
Caveat
Description
CSCud11139
XSS Vulnerability in Cisco ISE Guest Portal
A security scan of the Cisco ISE Guest Portal indicated that the product could be
vulnerable to an XSS cross-scripting attack. This issue was observed on Cisco ISE,
Release 1.1.1 and has now been addressed in this patch release.
Note
There is no known workaround for this issue.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1
&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C
CVE ID CVE-2012-5744 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCud12095
Purge job fails to complete in Cisco ISE, Release 1.1.1
This fix addresses an issue resulting in an “explosion” of Monitoring and
Troubleshooting node tables reaching as high as 150GB in size, and the presence of
many associated “database failure” messages in the Cisco ISE alarm entries.
Prior to this fix, you would need to contact the Cisco TAC to get instructions
necessary to manually clean the oversized Monitoring and Troubleshooting node
tables.
CSCud20871
Session cache entry missing during Guest authentication
This fix addresses an issue with Cisco ISE Guest authentication failures returning
“86107-Session cache entry missing” errors from the Guest Portal.
In order to resolve the issue prior to this fix, you would have to:
1.
Manually remove the Guest login session from the access point.
2.
Wait for the resulting idle-timeout or session timeout to elapse on the access
point, and then attempt to re-establish the connection.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
73
Cisco ISE, Release 1.1.1 Patch Updates
Cisco ISE, Release 1.1.1 Patch Updates
The following patch releases apply to Cisco ISE release 1.1.1
•
Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 7, page 74
The following patch releases apply to Cisco ISE release 1.1.1 and 1.1.3:
•
Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 6, page 74
•
Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 5, page 75
•
Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 4, page 76
The following patch releases apply to Cisco ISE release 1.1.1 and have been rolled into release 1.1.2 and 1.1.3:
•
Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 3, page 77
•
Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 2, page 78
•
Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 1, page 79
Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 7
Table 38 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.1.268 cumulative patch 7.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 38
Cisco ISE Patch Version 1.1.1.268—Patch 7 Resolved Caveats
Caveat
Description
CSCuj51094
Captured TCPDump file is not working
This fix addresses an issue where an exception occured when opening a captured
TCPDump file.
Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 6
Table 39 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.1.268 cumulative patch 6.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
74
OL-26136-01
Cisco ISE, Release 1.1.1 Patch Updates
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 39
Cisco ISE Patch Version 1.1.1.268—Patch 6 Resolved Caveats
Caveat
Description
CSCui22841
Apache Struts2 command execution vulnerability
Cisco ISE includes a version of Apache Struts that is affected by the vulnerabilities
identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-2251. This fix addresses the potential impact on this product.
Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 5
Table 40 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.1.268 cumulative patch 5.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 40
Cisco ISE Patch Version 1.1.1.268—Patch 5 Resolved Caveats
Caveat
Description
CSCub32594
Inline posture node does not accept a policy from the associated Policy Service node
This resolution addresses an issue that could occur when multiple user sessions
trigger concurrent exchanges of RADIUS messages between the Inline Posture node
and the Policy Service node (in the case of an “Authorize-Only” query or DACL
download, for example) due to a race condition between two simultaneous threads.
To reproduce this issue, the best way is to generate many concurrent RADIUS
sessions.
Note
Historically, this issue might only occur on a very infrequent basis, possibly
taking months between subsequent occurrences.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
75
Cisco ISE, Release 1.1.1 Patch Updates
Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 4
Note
To properly apply patch 4 to your Cisco ISE nodes and gain the benefits of CSCua55485, you must install
the patch according to whether your nodes are deployed in different network domains:
•
If all of your Cisco ISE nodes are deployed are in same domain, you can apply patch 4 using the
standard administrator user interface method described below.
•
If your Cisco ISE nodes are deployed in different domains, you must install this patch on your Cisco
ISE nodes via the administrator CLI. Once the patch has been applied on the deployment, you can
then apply future patches using the standard Administrator user interface method.
Table 41 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.1.268 cumulative patch 4.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 41
Cisco ISE Patch Version 1.1.1.268—Patch 4 Resolved Caveats
Caveat
Description
CSCua55485
Cisco ISE distributed deployment does not work with split-domain configuration
This fix addresses an issue users can experience while adding nodes to an existing
distributed deployment. If the existing Cisco ISE nodes belong to different domains
(or even different sub-domains), you may not be able to introduce new nodes to the
deployment as designed. The primary cause of this failure involves Cisco ISE using
the hostnames from different domains to resolve to the IP address rather than using
the proper FQDN during registration.
Note
CSCuc13075
If all of your Cisco ISE nodes are deployed are in same domain, you can
apply this patch using the standard administrator user interface method. If
your Cisco ISE nodes are deployed in different domains, however, you must
install this patch on the Cisco ISE nodes via the administrator CLI. Once the
patch has been applied on the deployment, you can then apply future patches
using the standard Administrator user interface method.
Endpoints are being saved with EndpointPolicy as Unknown
This update fixes an issue where endpoint profiles were appearing in the Cisco ISE
administrator interface as designed, reading “Apple-Device,” but upon editing the
endpoint entry, the endpoint attributes “Endpoint Policy” and “Matched Policy”
appeared as “UNKNOWN.”
Release Notes for Cisco Identity Services Engine, Release 1.1.x
76
OL-26136-01
Cisco ISE, Release 1.1.1 Patch Updates
Table 41
Cisco ISE Patch Version 1.1.1.268—Patch 4 Resolved Caveats (continued)
Caveat
Description
CSCuc46719
High CPU usage observed when profiling data cannot be written to database
When profiler fails to write data to the Cisco ISE database, the process does not drop
that data and, instead, keeps trying to update the database, driving up CPU usage due
to the extra services required. One example recorded involved a RADIUS probe
where each user had a very large Active Directory group membership field. The
value of this field was larger than what the Cisco ISE database could store reliably,
and when Profiler tried repeatedly to add the data, the result was extremely high CPU
usage.
CSCuc64732
Detecting a name change behaves case-sensitive
This fix addresses an issue involving user names in Active Directory using a
different case format than the user names stored in the session Cache. The result of
this mismatch led to users experiencing a “loop” because the name comparison failed
repeatedly.
Workaround Without applying this patch, you must ensure that you use only lower
case names in Active Directory as well as when authenticating via a native
supplicant.
Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 3
Table 42 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.1.268 cumulative patch 3.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 42
Cisco ISE Patch Version 1.1.1.268—Patch 3 Resolved Caveats
Caveat
Description
CSCuc19682
Cisco ISE purge operation corrupts indexes in some database tables
This fix addresses an issue where a large number of authentication failures result due
to the Network Access Device pointing to the Policy Service Node for RADIUS. One
of the primary symptoms, however, involves the fact that those failures do not then
appear in the Administrative ISE node user interface. Prior to this fix, to resolve the
issue, you would have had to work with the Cisco escalation team to manually purge
some of these tables.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
77
Cisco ISE, Release 1.1.1 Patch Updates
Table 42
Cisco ISE Patch Version 1.1.1.268—Patch 3 Resolved Caveats (continued)
Caveat
Description
CSCuc51338
Sessions leak when rule-based policy performed with proxy result
This fix addresses an issue where Cisco ISE restarts periodically because of an “Out
Of Memory” condition due to a large number of authentication sessions when the
Authentication policy is configured as a “Rule-Based” policy and Cisco ISE is
configured to proxy requests through an external AAA server. Cisco ISE has a
default limit of 15,000 concurrent sessions, but when authentication requests are
proxied in this way, the number of sessions can grow beyond that limit.
Prior to this resolution, you would ordinarily have to periodically restart the Cisco
ISE server before reaching the upper limit of requests.
Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 2
Table 43 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.1.268 cumulative patch 2.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 43
Cisco ISE Patch Version 1.1.1.268—Patch 2 Resolved Caveats
Caveat
Description
CSCua64378
Large number of Profiler endpoint update messages causing an issue over WAN
deployment
This fix addresses an issue caused by an Oracle AQ limitation over WAN
deployments. Cisco ISE now reduces the incoming database updates to the primary
Administration ISE node by delaying Profiler endpoint updates so that, instead of
sending all the intermediate changes on endpoints, the Profiler just sends the latest
update at the end of the delay period. This collates a collection of updates into just
one update.
CSCua56980
Primary Administration ISE node is non-responsive over a period of time because of
frozen database
Cisco ISE has addressed this issue by sending just one consolidated update from all
the probes like DHCP, RADIUS, SNMP,HTTP, etc. that are triggered when a user is
coming onto the network. For new endpoints coming onto the network, the behavior
remains as it is currently, as there are no issues with delay applied to those sessions.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
78
OL-26136-01
Cisco ISE, Release 1.1.1 Patch Updates
Table 43
Cisco ISE Patch Version 1.1.1.268—Patch 2 Resolved Caveats (continued)
Caveat
Description
CSCua50327
Cisco ISE Deployment page takes 40 to 50 seconds to render
This fix resolves an issue in the Cisco ISE administrator user interface where the
Administration > System > Deployment page takes approximately 40 to 50 seconds
to load between peer nodes deployed over a WAN connection.
CSCub03210
Database connection “leakage” during rollback failure
This fix addresses an issue that comes up when profiler enabled on Policy Service
nodes and the Policy Service node keeps profiling endpoints which have already
been accounted for and logged in the Administration ISE node.
Where there are multiple Policy Service nodes in a deployment trying to log
information with the Administration ISE node and any of these transactions fail, the
Policy Service node tries to roll back the transaction, thus resulting in a database
connection “leakage.”
Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 1
Table 44 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release
1.1.1.268 cumulative patch 1.
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 44
Cisco ISE Patch Version 1.1.1.268—Patch 1 Resolved Caveats
Caveat
Description
CSCua92153
Cisco ISE does not validate Certificate Signing Requests correctly
This fix addresses an issue where Cisco ISE generates a CSR from a native
supplicant during device registration and uses the identity name as part of the request
subject. Cisco ISE, however, does not appropriately validate the identity. As a result,
an attacker can create a CSR with any name, and if there is a policy based on
“cert:subject name.” then Cisco ISE may authenticate the false user ID because the
policy allows it.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
79
Cisco ISE Antivirus and Antispyware Support
Cisco ISE Antivirus and Antispyware Support
See the following Cisco ISE documents for specific antivirus and antispyware support details using
Cisco NAC Agent and NAC Web Agent:
•
Cisco Identity Services Engine Release 1.1.x Supported Windows AV/AS Products
•
Cisco Identity Services Engine Release 1.1.x Supported Mac OS X AV/AS Products
Cisco NAC Agent Interoperability Between NAC Appliance and Identity
Services Engine
The Cisco NAC Agent versions 4.9.4.3 and later can be used on both Cisco NAC Appliance Releases
4.9(3), 4.9(4) and Cisco ISE Releases 1.1.3-patch 11, 1.1.4-patch 11, 1.2. This is the recommended
model of deploying the NAC agent in an environment where users will be roaming between ISE and NAC
deployments.
Integration with Cisco Prime Network Control System
Cisco Identity Services Engine, Release 1.1. x integrates with Cisco Prime Network Control System
(Prime NCS), Release 1.2 to manage wired and wireless networks.
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats
Caveat
Description
CSCus28288
After successful patch installation via GUI, the patch information fails to appear in
the Administration > Maintenance > Patch Management > Installed Patches page. As
a result, the Rollback option can be used only via the CLI. Also, successful
installation of patch can be validated only via the CLI.
Workaround Access the Rollback option from the CLI. Validate successful patch
installation from the CLI.
CSCul13185
When installing the NAC/Web Agent using ActiveX in Internet Explorer11, the
browser shows the loading symbol indefinitely without downloading the agent.
Workaround Close and reopen the browser.
CSCuj61976
Admin UI fails to display certain pages using Firefox 25
The ISE admin UI pages with tree view are not displayed correctly when using FF25
and above versions.</B>
Workaround Downgrade to Firefox 24.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
80
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCuj80131
ISE Client Provisioning - NSP does not launch on Safari 7 (Mac OS X 10.9)
Java Applet fails to install SPW/Agent from Client Provisioning page on Safari
browser version 7 available with Mac OSX 10.9.
Explicitly let it run by changing the website settings on the browser. The default
setting encourages users to whitelist individual sites/pages where JAVA is used.
Workaround To let the applet install agent/SPW, connect to ISE and get re-directed
to Client Provisioning page. Before clicking Click to Install Agent, go to:
Safari->Preferences->Security->Manage Website Settings->Java->Click on your
ISE URL->Run in unsafe mode.
CSCtc70053
Browser “Back” button not working properly
This issue has been observed in the Cisco ISE list page when switching from the list
view to edit view (i.e., when you click the Create or Edit button).
Workaround There is no known workaround for this issue.
CSCti60114
The Mac OS X agent 4.9.0.x install is allowing downgrade
The Mac OS X NAC Agent is allowing downgrades without warnings.
Note
CSCti71658
Mac OS X Agent builds differ in minor version updates only. For example,
4.9.0.638 and 4.9.0.637.
The Mac OS X Agent shows user as “logged-in” during remediation
The menu item icon for Mac OS X Agent might appear logged-in before getting full
network accesses
The client endpoints are connecting to an ISE 1.0 network or NAC using
device-filter/check with Mac OS X Agent 4.9.0.x.
Workaround Please ignore the icon changes after detecting the server and before
remediation is done.
CSCtj00178
Group QuickFilters not working as designed
After the administrator runs and saves an advanced filter, Cisco ISE does not display
the “Successful Save” pop-up after the filter is saved.
This issue has been observed using the Admin Groups, User Identity Groups,
Endpoint Identity Groups, and Guest Sponsor Groups filter options.
Workaround There is no known workaround for this issue.
CSCtj22050
Certificate dialog seen multiple times when certificate is not valid
When the certificate used by the agent to communicate with the server is not trusted,
the error message can be seen multiple times.
Workaround Make sure you have a valid certificate installed on the server and that it
has also been accepted and installed on the client.
Note
The additional certificate error message is primarily informational in nature
and can be closed without affecting designed behavior.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
81
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtj25158
Exported admin should not be imported back as Network Access User
This problem occurs when Cisco ISE promote Network Access Users to
Administrators, and then export those users. When you re-import those users, they
appear as Network Access Users only. Cisco ISE does not import the promoted users
as Administrators.
Workaround There is no known workaround for this issue.
CSCtj31552
Pop-up Login windows option not used with 4.9 Agent and Cisco ISE
When right clicking on the Windows taskbar tray icon, the Login option is still
present, but is not used for Cisco ISE. The login option should be removed or greyed
out.
Workaround There is no known workaround for this issue.
CSCtj76835
Unable to retrieve a saved Authentication Trend report
Symptom Two steps are necessary to save an Authentication Trend report:
1.
Select the folder.
2.
Name the file.
If you do not select a folder from the list that is presented, the report should be saved
in the root folder and should appear in the Reports tab. You can observe that the files
are saved, but they do not appear in the left side pane and there is no option to
retrieve the files.
Conditions Saving an Authentication Trend report without selecting a folder.
Workaround Do not save the report under the root folder. Always choose a subfolder.
CSCtj81255
Two MAC addresses detected on neighboring switch of ACS 1121 Appliance.
Symptom Two MAC addresses are detected on the switch interface connected to an
ACS 1121 Appliance although only one interface is connected on the ACS 1121
Server eth0.
Conditions Only one Ethernet interface, eth0 is connected between ACS and Switch.
Workaround Disable BMC (Baseboard Management Controller) feature using BIOS
setup.
Caution
To help prevent a potential network security threat, Cisco strongly
recommends physically disconnecting from the Cisco ISE console
management port when you are not using it. For more details, see
http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco
ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
82
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtj94813
Left side administrator user interface pane “Search Result” option is not working as
expected
1.
If you enter available data and click the search option, it does not display
properly.
2.
If the option displays some data and if you enter another value, it does not
refresh the data properly.
3.
The option does not display the layered/structured model as designed.
In addition, you are not able to go back to previous menu.
Workaround There is no known workaround for this issue.
CSCtk34851
XML parameters passed down from server are not using the mode capability
The Cisco ISE Agent Profile editor can set parameter modes to merge or overwrite.
Mac OS X agent is not processing the mode correctly. Instead, the complete file is
overwritten each time.
Workaround To use a unique entry, the administrator must set up a different user
group for test purposes, or set the file to read only on the client machine and
manually make the necessary changes to the local file.
CSCtk37360
Administrator is not able to customize report in Internet Explorer 8
Monitoring and troubleshooting reporting functions related to column selection and
entry deletion/aggregation, etc. are not working as designed.
This issue can come up using the following versions of Internet Explorer 8:
•
IE 8.0.6001.18702 on Windows XP
•
IE 8.0.6001.18702IC on Windows XP
Workaround There is no known workaround other than to avoid using the
problematic browser versions.
CSCtk46958
Cisco ISE does not display a warning when navigating away from a modified page
without saving
When a user changes configuration context, there is no warning indicating that the
information configured on the current page is not saved, nor is there a warning
indicating that all configuration changes will be lost when the user completes that
context change.
Workaround Save before navigating away from the page in question.
CSCtk82864
AAA Servers incorrectly filter with “Contains” option
When AAA servers are added to the AAA servers list (for example: a, ab) and a filter
is added which includes regular expressions, Cisco ISE generates an incorrect
filtered list.
Workaround Do not use regular expressions in filters.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
83
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtl53966
Agent icon stuck on Windows taskbar
The taskbar icon should appear when the user is already logged in.
Workaround Right-click on the icon in the taskbar tray and choose Properties or
About. After you close the resulting Cisco NAC Agent dialog, the taskbar icon goes
away.
CSCtl70056
“Today” is not validated against the Cisco ISE Monitoring node End Date
Reports run with a custom time range (where “today” is the specified End Date) does
not work and the Monitoring node returns a validation error. This issue has been
observed where the time on the client machine (where a browser session is active) is
earlier than that of the Cisco ISE node (for example, where the client is on PST and
the Cisco ISE node is on UTC time zone).
Workaround Change the time zone or clock on the client machine so that the current
time on that server is the same or ahead of the Monitoring node.
CSCtl77592
Unable to create authorization policy with RadiusCallingStation ID condition
When the administrator uses a MAC address with a xx-xx-xx-xx-xx-xx format as the
right hand side (RHS) of a condition with RADIUS “Calling station ID” dictionary
attribute, it fails to match the policy decision.
Cisco ISE does not perform validation on the string value that is entreated on the
RHS when constructing a condition.
Workaround Use the MAC address format xx:xx:xx:xx:xx:xx when defining
conditions.
CSCtn44427
No progress indicator is displayed when importing collections of random or CSV
guests
Workaround There is no known workaround for this issue. The administrator must
simply wait for the process to complete.
CSCtn53084
Incorrect export of DER imported server and trusted certificate authority certificates
When exporting a local certificate using the Administration > System >
Certificates > Local Certificates > Export page, the administrator may find that the
certificate is in Distinguished Encoding Rules (DER) format when another format
like Privacy Enhanced Mail (PEM) is desired.
The certificate export function exports a certificate using the same format it had
when imported. In Cisco ISE, there is no format conversion option available.
Note
CSCtn65437
One way to avoid this is to simply import all certificates in PEM format. You
can convert DER to PEM using tools like openssl, and your certificate
authority may have an option for PEM output.
Report timestamp incorrect with Asia/Kolkata time zone
This behavior has been observed only using the Asia/Kolkata time zone. The result
is minus 5.30 hours when compared to the actual record in the Cisco ISE database.
Workaround There is no workaround for this issue at this time.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
84
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtn76441
Custom conditions are not updated under Rules in profiling policies
If you rename a profiler condition used by a profiling policy, the new name is not
reflected in the rule summary display. It is, however, reflected in the associated
expanded rule expression.
Workaround If you expand and collapse the rule expression in the anchored overlay
and click Save, the correct description displayed in the rule summary repeater will
be displayed in the future. If you change the condition name a second time, however,
and expand/collapse the summary overlay on the policy page a second time and click
Save, the policy page will not reload until and unless you reload the server.
CSCtn78676
When a user name has a space between words and another similar name contains two
or more spaces, Cisco ISE displays the same user name for both users.
Workaround There is no known workaround for this issue. Even though the multiple
spaces are trimmed and shown as one space in the UI, the data is saved correctly in
the database.
CSCtn78899
When a user group name has a space between words and another similar user group
name contains two or more spaces, Cisco ISE displays the same user group name for
both groups.
Workaround Avoid giving spaces in the name field while creating Identity Group.
CSCtn92594
Quickpicker filters are not working correctly during Client Provisioning policy
configuration
This issue has been observed with the following three filter options:
•
Identity Groups
•
Operating Systems
•
Other conditions
Workaround There is no known workaround for this issue.
CSCtn95548
Filter behaving case sensitive for Network Device groups
The results for network device group filtering in the network device group (NDG)
page are incorrect. This is because the filtering in the network device group page is
case sensitive.
Workaround Enter network device groups values using lower-case letters.
CSCto05172
The Profiler detail log does not display some attributes.
“Certainty Metric,” “Matched Rule,” and “Endpoint Action” name values are not
updated in the Profiler endpoint detail log.
Workaround There is no known workaround for this issue.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
85
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCto09989
Cisco ISE browser session redirects to Monitoring login page using Internet
Explorer 8
As soon as you login to Cisco ISE via IE8 the page gets redirected to a Monitoring
node administrator login page (even before the initial page displays completely).
Note
This issue has also been observed using Mozilla Firefox, but the redirection
in Firefox only takes place after a couple of minutes of inactivity.
Workaround Immediately after entering your login credentials,. navigate from the
main Cisco ISE page to any configuration page (like Posture, Authorization, or
Client Provisioning, for example).
For more information, see Issue Accessing the Cisco ISE Administrator User
Interface, page 134.
CSCto32002
The Cisco ISE MAC address authentication summary report displays IP addresses
where MAC addresses should be
CSCto33933
Login Success display does not disappear when user clicks OK
This can occur if the network has not yet settled following a network change.
Workaround Wait a few seconds for the display to close.
CSCto41340
Authentication Policy replication failure from Primary to Secondary if the time zone
changes after installation
In release 1.0 time change is not supported after the deployment is setup because of
the dependencies on time synchronization.
Note
CSCto45199
Support for time change within an existing deployment will be postponed to
a later release.
“Failed to obtain a valid network IP” message does not go away after the user clicks
OK
This issue has been observed in a wired NAC network with IP address change that is
taking longer then normal. (So far, this issue has only been only seen on Windows
XP machines.)
Workaround None. The user needs to wait for the IP address refresh process to
complete and for the network to stabilize in the background.
CSCto48555
Mac OS X agent does not rediscover the network after switch from one SSID to
another in the same subnet
Agent does not rediscover until the temporary role (remediation timer) expires.
Workaround The user needs to click Complete or Cancel in the agent login dialog to
get the agent to appear again on the new network.
CSCto52210
Authorization and authentication policy rules pages load and save times are high
This issue has been observed with 50 or more authentication rules, where each rule
has at least conditions. The Load and save times approach one-and-a-half minutes.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
86
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCto54536
Local certificates disappear on the secondary node following “application
reset-config ise” command in CLI
When displaying the local certificates on the Administration > System >
Certificates > Local Certificates page of a deregistered node that is now in
Standalone mode.
The administrator should not reset the configuration of a node prior to de-registering
it. The correct process is as follows:
1.
Node A is registered.
2.
Node A is deregistered.
3.
Enter “application reset-config ise” in node A CLI.
Workaround If the node is reset before deregistration, you can make the local
certificates reappear by entering the following commands in the CLI:
CSCto60148
•
application stop ise
•
application start ise
Java crashes during high posture load
This issue has been observed under extreme load condition where Cisco ISE is hit
with large number of concurrent users for posture.
Workaround None. You must restart the Cisco ISE Policy Service.
CSCto63069
The nacagentui.exe application memory usage doubles when using “ad-aware”
This issue has been observed where the nacagentui.exe memory usage changes from
54 to 101MB and stays there.
Workaround Disable the Ad-Watch Live Real-time Protection function.
CSCto64028
“Fail to receive server response...” seen when deleting profiling policy
A “Fail to receive server response due to the network error (ex. HTTP timeout)” error
message may appear when deleting Profiling policies, and some of the policies may
not be deleted.
Workaround Log out from Cisco ISE, log back in, and try deleting the policies again.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
87
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCto72015
Authorization policy with condition as “Identity grp” does not work
Create an Identity Group with the following attributes:
User Identity Groups:
•
Employee
– Location1
– Location2
Create Authorization Policy containing the “IdentityGroup:Name Equals
Location1” condition and perform user authentication. Authentication fails because
the rule in the condition has not been satisfied.
This problem occurs only using the “IdentityGroup:Name” dictionary attribute in the
Authorization Policy.
Workaround To implement the workaround:
1.
Instead of using a Dictionary Attribute (IdentityGroup:Name) in the policy,
specify the Identity Group to be “Location1” in the Identity Group selection
rather than “Any.”
2.
Assign the “Location1” Identity Group to the Internal User.
3.
In the Authorization Policy condition, specify one of the following:
– “Internal Users.Identity Group Equals IdentityGroup:User Identity
Groups:Employee:Location1”
– “Internal Users.Identity Group Matches.*Location1”
CSCto82519
Saving your Active Directory configuration while the DNS is down takes a very long
time
Cisco ISE requires connectivity to Active Directory (including DNS) when saving
the configuration. If the DNS is not reachable, then the save function may time out
before it can complete.
Workaround Ensure that the DNS is available and reachable before saving your
Active Directory configuration.
CSCto84932
The Cisco NAC Agent takes too long to complete IP refresh following VLAN change
The Cisco NAC agent is taking longer than normal to refresh IP address due to
double IP refresh by supplicant and NAC agent.
Workaround Disable the Cisco NAC Agent IP address change function if there is a
supplicant present capable of doing the same task.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
88
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCto97486
The Mac OS X VLAN detect function runs between discovery, causing a delay
VLAN detect should refresh the client IP address after a VLAN detect interval (5) X
retry detect (3) which is ~ 30 sec, however it is taking an additional 30 sec.
This issue has been observed in both a wired and wireless deployment where the
Cisco NAC agent changes the client IP address in compliant or non-compliant state
since Mac OS X supplicant cannot.
An example scenario involves the user getting a “non-compliant” posture state where
the Cisco ISE authorization profile is set to Radius Reauthentication (default) and
session timer of 10 min (600 sec). After 10 min the session terminates and a new
session is created in the pre-posture VLAN. The result is that the client machine still
has post-posture VLAN IP assignment and requires VLAN detect to move user back
to the pre-posture IP address.
Workaround Disconnect and then reconnect the client machine to the network.
CSCtq02332
Windows agent does not display IP refresh during non-compliant posture status
The IP refresh is happening on the client machine as designed, but the Agent
interface does not display the change appropriately (for example, following a move
from preposture (non-compliant) to postposture (compliant) status).
Workaround There is no known workaround for this issue.
CSCtq02533
The Cisco NAC Agent takes too long to complete IP refresh following VLAN change
The Cisco NAC agent is taking longer than normal to refresh IP address due to
double IP refresh by supplicant and Cisco NAC agent.
Workaround Disable the Cisco NAC Agent IP address change function if there is a
supplicant present capable of doing the same task.
CSCtq06832
Time and Date conditions need to be updated correctly when changing time zones
Configure the Time Zone in Cisco ISE to be “IndianStandardTime,” for example, and
create a Time and Date condition (Ex: From Time 10:00 AM & To Time 8:00 PM).
Then update the Time Zone from IST to UTC. The existing Time and Date condition
does not get updated per the new specified Time Zone.
This issue comes up when changing the Time Zone after creating the Time and Date
condition in the Policy > Conditions > Common > Time and Date page.
Workaround There is no known workaround for this issue.
CSCtq07271
Cisco ISE returns a misleading message after Change of Authorization on an Inline
Posture node
When the administrator issues a Change of Authorization Session Termination,
Cisco ISE returns a “successful” message, but the Inline Posture node cannot find
the session and drops the request.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
89
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtq07311
Change of Authorization shows “0” sessions on Policy Service node are down
This issue has been observed where when one or more Policy Service nodes are
behind an Inline Posture node, a client machine connected via a particular Policy
Service node has authenticated, but has not yet completed posture assessment, and
that Policy Service node then goes down (administratively or otherwise).
Note
As designed, another Policy Service node in the node group detects that the
peer node has gone down and issues a Change of Authorization to terminate
the pre-posture session on the client machine, but that measure does not
succeed.
Workaround If the client machine re-initiates authentication, the new request goes to
another Policy Service nod (assuming that the Network Access Device is configured
with multiple RADIUS servers) and authentication and posture assessment should
work as designed.
CSCtq09004
Windows 7 guest access not successful from IE8 and Chrome 10
Guest access fails over a wireless LAN controller connection. The login session does
not appropriately redirect the user authentication request. This is likely due to IE8
and Chrome10 browsers on Windows 7 being unable to redirect the RADIUS
authentication request to the controller.
Note
This issue has not been observed using Mozilla Firefox.
Workaround Ensure that the certificates in the controller are accepted by the IE8
browser on the Windows 7 client correctly.
CSCtq12630
Guest page not redirecting to original URL after wireless login using Internet
Explorer 8 or 9
Workaround In Internet Explorer 8, end user should click No in the resulting login
dialog that pops up to be redirected to the correct page. In Internet Explorer 9, after
the login success message appears, re-enter the original URL in the browser address
bar.
CSCtq15859
IP address refresh does not work with 64-bit Internet Explorer
IP address refresh via ActiveX is not supported on 64-bit versions of the Internet
Explorer browser. Such functions are only available in 32-bit versions of Internet
Explorer.
CSCtq53690
Scheduled Monitoring and Troubleshooting incremental backup switches off
following failed backup attempt
Workaround If one of the scheduled Monitoring and Troubleshooting node backup
events fails, the administrator needs to enable the “Incremental Backup” option
again in the Administration > System > Operations > Monitoring Node >
Scheduled Backup page.
CSCtr09694
MAC address search at Reports > Query and Run should not be case sensitive
While launching reports, the MAC address search is case sensitive, but should not
be.
Note
There is no known workaround for this issue.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
90
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtr32014
Three-hour Cisco ISE upgrade time on scale configuration
This problem occurs during upgrade from one Cisco ISE running release 1.0
software to release 1.1.x.
Note
CSCtr45402
There is no known workaround for this issue.
Server Authentication Summary Report takes more than 1 minute to launch
This issue has been observed when viewing more 30 days worth of data on a larger
(3395) Cisco ISE platform running Cisco ISE, Release 1.0.4.
CSCtr57280
IP-to-MAC address binding fails in wireless environment with RADIUS and HTTP
probe
RADIUS accounting messages from a WLC do not send the endpoint IP address.
This is different from the RADIUS accounting messages from wired infrastructure.
This makes the RADIUS method ineffective for IP-to-MAC address binding on
Cisco ISE.
Workaround Enable a DHCP probe and configure the setup for Cisco ISE to profile
endpoints with DHCP packets.
CSCtr58811
Need to log out and log back in to get Advanced License functionality
After installing an Advanced License on top of an existing Base license, the
administrator is not able to view advanced feature pages such as Posture, Profiler,
and Security Group Access.
Workaround Log out and log back in again to view Advanced feature pages.
CSCtr66929
Selected month and year while configuring file “Date” condition
If you specify either just the year or month in the “Date” field of the Policy > Policy
Element > Conditions > File Condition configuration window, the date does not
get saved along with the policy.
Workaround Always specify the correct date.
CSCtr68491
Windows Internet Explorer 8 Info button on compound condition format is empty
When you hover over the “Info” button in the Go to Policy > Policy Elements >
Conditions > Posture > Compound Condition page, the pop-up bubble remains
empty.
This issue has been observed using IE8, but the text appears as designed in Mozilla
Firefox.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
91
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtr88091
You may experience slow response times for some user interface elements when
using Internet Explorer 8.
Symptom When using Internet Explorer 8, the check- boxes on pop-up dialogs for
selecting and deselecting groups and attributes may be slow to respond to clicks for
changing states.
Conditions The use of Internet Explorer 8.
Workaround Do any of the following:
CSCts10323
•
Consider using an alternative web browser. Firefox does not show the same
symptoms.
•
Be patient. The check-boxes in IE8 respond after clicking them several times.
•
Enter the group names manually, and avoid using the pop-up dialogs.
Internet Explorer running slow during client provisioning
Internet Explorer has an option where you can turn the “check for revocation lists”
function on or off.
When this option is enabled and the dACL simultaneously does not allow access to
CDP servers, Internet Explorer “freezes up” for about a minute while it tires to
access the requisite CDPs.
CSCts20529
Authorization profile getting saved with incomplete information
This issue occurs when using the “auto-smart-port,” “Filter_ID,” “wireless lan
controller,” or “Posture Discovery” fields in the configuration page.
Note
Because of this mismatch in attribute values, the resulting authorization
policy may not work properly.
Workaround Click anywhere in the window while creating an authorization profile
when using any of the above mentioned attributes. The authorization profile is then
saved properly.
CSCts36792
No “Cisco ISE Configuration Changes” alarms appearing on Conditions
Guest simple and compound conditions can be created, edited, and deleted on the
admin UI, but no logs are generated in Cisco ISE accounting.
This problem is limited to creating, modifying, and deleting guest simple and
compound conditions in the Policy > Policy Management > Conditions > Guest
page
Workaround There is no known workaround for this issue.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
92
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCts48857
Failed to send notification from UTF-8 Email address
An “Internal error encountered. Please see logs for more details.” error message
appears when attempting to notify a Guest user by email of their new account
information.
This problem occurs only for user IDs that contain UTF-8 characters outside the US
ACSCII range.
Workaround There is no actual workaround at this time, however, you could try
substituting a traditional ASCII Email address for the address containing UTF-8
characters.
CSCts80116
OPSWAT SDK 3.4.27.1 causes memory leak on some PCs
Client machines that have version 8.2.0 of Avira AntiVir Premium or Personal may
experience excessive memory usage.
Note
This has only been observed with version 8.2.0 of Avira AntiVir Premium or
Personal. Later versions of the application do not have this issue.
Workaround Install later version of Avira AntiVir Premium or Personal.
CSCts89508
Authorization fails when a UTF-8 username and password credentials are used
Microsoft native supplicants for Windows 7, Windows XP and Windows Vista
require the following hot fixes in order to support UFT-8 RADIUS user names:
•
For Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;957218
•
For Windows Vista, Windows 7, and Windows Server 2008
http://support.microsoft.com/kb/957424
Workaround Cisco AnyConnect 3.1 conducts EAP authentication with UTF-8
username successfully.
CSCtt17378
Cisco NAC Agent does not pop up if TLS 1.0 is not enabled in Internet Explorer
settings
The problem occurs when all the following conditions are met:
•
Cisco ISE is operating with a FIPS 140-2 module
•
The client machine “Local security settings > System cryptography: Use FIPS
algorithm” is enabled.
•
The client machine Internet Explorer Advanced settings, SSL3.0/TLS 1.0 is
option is disabled.
Workaround Ensure TLS 1.0 is enabled in Internet Explorer and restart the Cisco
NAC Agent.
CSCtt25262
Externally-authenticated administrator users cannot register nodes
Workaround Cisco ISE will not allow the external administrator to register nodes.
Create an internal user to perform the registration process.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
93
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtt93787
Files without extensions are not downloaded correctly using Cisco NAC Web Agent
When the Cisco NAC Web Agent invokes file remediation, it does not download the
file as designed. Instead, the Agent attempts to open the file.
Workaround There is no known workaround for this issue.
CSCtu39612
Cisco ISE Inline Posture node is not accessible from the Admin ISE node user
interface after an upgrade to ISE 1.1.x
Workaround Follow the instructions provided in Upgrade from Cisco ISE, Release
1.0.4 to 1.1.1 with Inline Posture, page 16.
CSCuh75971
Issue running applet with latest Java 7 update 25 on Windows / Mac
If Java 7 update 25 or above is installed, launching of Agents or Network Setup
Assistants during client provisioning or onboarding process on Windows or Mac
clients would take about 3 minutes as this Java update has Perform revocation checks
enabled by default. This causes the applets signed certificates to be verified against
issuers CA server, which is currently blocked, and there is no way to open the traffic
to CA server on a switch because switch does not support host name based ACL.
Workaround If you are using Java 7 update 25, make sure to turn off Perform
certificate revocation checks in Java.
Open Java Control Panel, click the Advanced tab, go to Perform certificate
revocation checks on and select Do not check.
CSCuh81724
ISE - Authentication Flow Diagnostics log targets removed in 1.1.4 p2
While upgrading from Cisco ISE Release 1.1.4 patch 1 to patch 2, the log targets
configured for �Authentication Flow Diagnostics’ might get removed.
Workaround After upgrading to release 1.1.4 patch 2, navigate to Administration >
Logging > Logging Categories and re-configure the log targets.
CSCtv17606
Monitoring and Troubleshooting requires an appropriate error message if
backup/restore process fails
When you try and perform a Monitoring and Troubleshooting backup/restore from
the Cisco ISE administrator user interface, which is intended only to restore
Administrator ISE nodes, the message displayed reads, “% Error: Cannot find
ise_backup_instance.log in the backup file % Application restore failed.” Instead, a
message like “% Error: Cannot ISE M&T backup can only be restored web interface
% Application restore failed” would better advise users of the issue.
CSCtv21758
You are unable to Unquarantine an endpoint (with Endpoint Protection Services)
using the IP address of the endpoint.
Workaround Use the MAC address to unquarantine the endpoint.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
94
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtw79431
Exiting the Cisco Mac Agent while in “pending” state displays the wrong user
message
When exiting a Cisco Mac Agent that has not successfully logged in yet, reveals a
“successfully logged out from network” message to the user, when in fact there is no
log-in status change.
Workaround There is no known workaround for this issue.
CSCtw98454
Guest accounting report filter not working
If you specify a particular username in the Guest user filter in the guest accounting
report, Cisco ISE still shows results from other users, as well.
CSCtx03427
Create Alarm Schedule returning XSS error messages
This issue has been observed when the configured alarm name contains “onChange”.
Workaround Rename the alert name to something that does not contain “onChange”.
CSCtx31601
Cannot add Network Access user, but able to import users
When the string “alert” appears in the Network Access user name, the Cisco ISE user
interface prevents it from being created.
Workaround If you import a user with that name, it will work.
CSCtx59957
A warning/pop-up appears while creating a Guest Time profile
A pop-up with the message “Warning: Unresponsive script” can appear when adding
a time profile in Guest settings under Administration.
Workaround Dismiss the pop-up message and try again.
CSCtx60819
Database restoration runs out of space on VMware systems with only 60 GB disk
size
This issue only occurs on unsupported (EVAL) VMware disk installations where the
restoration server has a single disk of only about 60-70 GB of disk space.
Workaround Use a VMware server installation with a larger disk size (like 100 GB)
if possible.
CSCtx62403
Admin can control sessions on a node on which replication has been disabled
When a Cisco ISE certificate has expired, replication is disabled on that node. When
replication is disabled on a node, active sessions affecting that node can be
controlled from the Administrator ISE node. Therefore, the Cisco ISE administrator
can see active sessions on nodes where replication has been disabled and can issue
Change of Authentication for associated endpoints.
Note
Certificate validity is validated every 24 hours in a deployment for each
node.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
95
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtx62657
Cannot deregister an Inline Posture node
On the Deployment List Page, when you attempt to deregister a node by clicking the
appropriate button, the administrator user interface is grayed out until a message
reading “Deregister is done. Node will be re-started.” appears.
Workaround Log out and log in to the administrator user interface again. The
deregistered node is no longer visible in the user interface.
CSCtx68334
Promotion for Secondary Monitoring and Troubleshooting fails if the Primary node
is down
While promoting the secondary Monitoring and Troubleshooting node while the
primary node is down, then Cisco ISE returns a transition failure and the database
rolls back.
Workaround Try to perform the operation again to overcome this issue.
CSCtx69191
Mozilla Firefox does not function with OpenSC middleware software
If you create certificate an authentication profile using the Cisco ISE Active
Directory > Groups page, install the OpenSC middleware software, then go to the
management station connected to a CAC authentication device and insert the CAC
card while attempting to log in via Mozilla Firefox, authentication does not take
place as designed.
The key issue is that the e-mail certificate that Cisco ISE normally uses to
authenticate the administrator does not appear for selection by the browser, and any
other certificate fails during connection.
Note
CSCtx79725
This issue has been observed using OpenSC middleware on Mac OS X
(Safari and Chrome both work as designed). CACkey middleware works as
designed with Safari, Chrome, and Firefox.
Cisco ISE freezes during startup if first DNS does not respond
This issue has been observed if/when primary DNS is misconfigured or down.
Workaround Specify a different (operational) DNS server.
CSCtx80886
When switching to FIPS mode, there is no way to delete the self-signed certificate
on an Inline Posture node
This issue occurs when the original self-signed certificates still installed on the
Inline Posture node, even though it is not actually used by Cisco ISE.
Note
Do not remove the default self signed certificate and join the Inline Posture
node to the deployment using FIPS compliant CA certificates.
Workaround Deregister the Inline Posture node, remove the self-signed certificate,
and re-register the Inline Posture node.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
96
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtx90696
Cisco ISE does not work after updating the IP address
This issue may be that the primary DNS server used by Cisco ISE has not yet been
updated with the new IP address.
Note
Do not use the no ip address command when you change the Cisco ISE
appliance IP address. Instead, simply set the new IP address with the ip
address command.
Workaround Use the “ip address” command in the CLI to specify a new IP address.
(Make sure the primary DNS server is also updated with new records.)
CSCtx92251
Using the Cisco ISE “Replace” function on a secondary node does not assign
protocols or replace the certificate
Using the “Replace” button when replacing a certificate on a secondary node (such
as a Monitoring and Troubleshooting or Policy Service node) does not move the
protocols to the new certificate or remove the old certificate.
This issue has been observed when you install the certificate on a Monitoring and
Troubleshooting node, take the same Certificate Signing Request and have it signed
by a different Certificate Authority, then install the certificate on the Monitoring and
Troubleshooting node with the “Replace” option enabled.
Note
Both certificates are still present on the node and EAP and MGMT protocols
are not part of the new certificate from the second Certificate Authority.
Workaround Create a new certificate from the second Certificate Authority, edit
protocols, and then delete the old certificate from the original Certificate Authority.
CSCtx93416
Database restoration fails when upgrading from software release 1.0.4 to release
1.1.x
The restore process fails the Cisco ISE Release 1.1.x deployment has been installed
via upgrade and the hostnames in the topology have different assigned roles, but
hostname of the original primary node name (when the release 1.0.4 backup image
was created) is still a node name appearing in the new deployment, but is no longer
the primary node in your deployment.
Workaround There are two possible workarounds for this issue:
CSCtx94533
•
Change hostname on the new release 1.1.x primary node to match what it was
during the backup, and try to restore the database again.
•
Change hostname on new release 1.1.x primary node to be something
completely new (a name that was not used at all in the original release 1.0.4
deployment).
Some endpoints appear as “pending” following posture assessment
It can take up to 10-15 minutes to get the endpoint status updated to reflect a
“Registered” state, where the endpoint goes through posture assessment and gains
full access to the network.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
97
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtx95251
Deployment page load exceeds six minutes when two or more nodes are unreachable
This problem may occur only if the nodes are not reachable, there are lots of pending
messages in the secondary node, and if there is possibly a firewall issue.
Workaround Make sure all the nodes are reachable, there are no pending messages,
and there are no firewall issues.
CSCty00899
LiveLog Reports cannot be opened
When you drill down on LiveLog details to launch a detail report, Cisco ISE returns
an error message.
Note
This issue is seen only if you leave your browser idle for more than one day.
Workaround Users can logout and log in again to drill down to report details from
live logs.
CSCty02167
IP refresh fails intermittently for Mac OS 10.7 guest users
This problem stems from the way Mac OS 10.7 handles certificates. Marking the
certificate as “trusted” in the CWA flow is not good enough to download the java
applet required to perform the DHCP refresh function.
Workaround The Cisco ISE certificate must be marked as “Always Trust” in the
Mac OS 10.7 Keychain.
CSCty05129
“Monitor All” function does not take effect after policy refresh
When the administrator enables or disables the Monitor All function, devices do not
get policy updates as designed. This has been observed in cases where the cells are
not updated manually.
Workaround Cisco recommends using the Monitor Mode function on a per cell basis,
rather than Monitor All. If you have enabled the Monitor All function, edit at least
one cell per column in which a value exists. You can also manually remove the
policies from the network device and update them again from Cisco ISE.
CSCty05157
The Cisco ISE dashboard is not working for administrator user names with more
than 15 non-English characters contained in the username
This issue has only been observed for user names created using a language other than
English.
Workaround Update the administrator user names so that they are less than 15
characters in length.
CSCty08194
The administrator password character list is restricted during the reset-config
function
When the administrator tries to perform a “reset-config” function from the Cisco ISE
CLI, the password character list for the administrator password is more restricted
than at the time of installation. For example, during installation “!” is valid special
character accepted for the administrator password. During the “reset-config”
operation, however, “!” is not accepted as a valid password character.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
98
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCty10369
Management functions operate slowly on VM with UCS SATA-2 storage
The following issues have been cited:
•
Importing 1,000 users in a deployment setup takes 8 more minutes than a
dedicated hardware appliance (or VM SCSI HDD 10K rpm).
•
Full synchronization functions take up to 12 hours on a VM UCS with SATA2
HDD.
•
Disk latency is up to 50% greater on SATA-2 7200 rpm storage devices.
Workaround Ensure external storage units connected to UCS feature SCSI/SAS 10K
or 15K RPM technology.
CSCty10692
Requirement is used by Policy - Need tooltip on OS
When a requirement is used by a policy in Cisco ISE, the operating system of the
policy and the requirement need to match. Currently, the requirement operating
system field is disabled in the requirement page and the administrator is not able to
tell with which operating systems this requirement is associated.
Workaround There is no known workaround for this issue.
CSCty19010
Editing Cisco ISE failure reason information returns error message
If user edit some of the failure reason codes in the Administration > System >
Settings > Monitoring > Failure Reason Editor page, Cisco ISE may display an
error 500 message.
“12818 Expected TLS acknowledge for last alert but received another message
24466 ISE Active Directory agent is down”
Note
CSCty19774
This issue can occur when failure reason information includes data that can
indicate a cross site scripting attack; such as the string “alert” and “<” and
“>” characters.
Client Provisioning is not working when an Inline Posture node is connected to a
VPN
This can happen when the client machine successfully passes authentication and
ACLs are downloaded to the Inline Posture node and there is connectivity to Policy
Service node, but the URL redirect function is not working correctly.
Note
This issue has been observed on a on non-Windows 7 client machine. (XP
clients do not update automatically because the root certificate list is not up
to date.)
Workaround One way to get around this problem is to do update your root
certificates.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
99
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCty28274
System and RBAC administrator data access permission issue
When an administrator other than the Cisco ISE administrator user created during
installation logs into the Administrator ISE node user interface and navigates to
Administration > System > Admin Access, they should be able view and update
the administrator information when clicking on their own username. Instead,
Cisco ISE displays a “Permission Denied” message.
Workaround Administrators facing this issue can click on the logged-in username in
the top right corner of the on user interface and edit their details from the pop-up
dialog that appears.
CSCty39209
IPsec and SSL VPNs do not work if FIPS function is enabled or the PAP protocol is
disabled
If you enable FIPS 140-2 functionality you must also turn off PAP authentication in
the Allowed Protocols page.
Once you turn off PAP, then any VPN client that uses group authentication, which
always requires PAP, becomes incompatible with Cisco ISE.
CSCty42816
Wireless Guest login fails using Google Chrome browser
Self-service guest users are unable to get on to the network from Chrome Browser
during Wireless Local Web Authentication. Cisco ISE displays an error page with
user credentials after the self service guest user changes the password and tries to get
onto the network.
Workaround Cisco recommends using another browser for this operation.
CSCtw50782
Agent hangs awaiting posture report response from server
Workaround
The issue occurs with Mac OS X 10.7.2 clients.
Kill the CCAAgent Process and then start CCAAgent.app.
Perform the following:
CSCty51216
1.
Go to Keychain Access.
2.
Inspect the login Keychain for corrupted certificates, like certificates with the
name “Unknown” or without any data
3.
Delete any corrupted Certificates
4.
From the pull-down menu, select Preferences and click the Certificates tab
5.
Set OCSP and CRL to off.
Upgrading Mac OS X Agent version 4.9.0.638 to later versions fails.
Workaround
1.
Remove the "CCAAgent" folder from temporary directory
2.
Reboot the client
3.
Connect to Web login page and install the Agent from there
Release Notes for Cisco Identity Services Engine, Release 1.1.x
100
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCty52694
Mac OS X Agent needs to be installed from Client Provisioning Portal for VPN
When a Mac OS X user connects through VPN, the Mac OS X Agent does not pop
up as designed.
This can happen if the Mac OS X Agent has been installed directly from Cisco
Connection Online (CCO) or via application installation from an IT department
instead of through The Cisco ISE client provisioning portal.
Workaround Uninstall the agent from the system in question and reinstall the agent
from the Cisco ISE client provisioning portal.
CSCty61980
Cannot get Out-of-Band Security Gateway Access PAC for network devices after
upgrade
This issue can occur on a system that has been upgraded from Cisco ISE, Release
1.0.4 where device definitions were also updated as part of this upgrade. (The PAC
file that is downloaded is invalid and Cisco ISE returns an error message.)
Workaround Delete and recreate the network device definition for any device where
you need to generate an Out-of-Band PAC. You can do this by creating the necessary
entry in the administrator user interface or exporting the device definition, deleting
the entry, and adding the device definition again.
CSCty91514
Custom Guest Portal does not enforce Details Policy during Self Service
When creating a custom Guest Portal under Multi-Portal Configurations, which
allows Self Service in Cisco ISE 1.1.x, the Details Policy is not enforced when a user
creates their Guest Account.
CSCtz01339
Getting directed to Windows client provisioning flow on Android 2.3.3
Following user authentication via the Guest Portal and device registration, the device
is going through the Windows client provisioning flow instead of being redirected to
the Android Market place.
CSCtz01754
The certificate and Cisco ISE CA names are missing in Android 2.3.3. EAP-TLS
After a user authenticates via the Guest Portal and registers their device, they are
then able to download and run the Supplicant Provisioning Wizard from the Android
market place. After running the wizard, however, the “name” field is blank in the
user certificate and the Cisco ISE certificate is blank as well.
CSCtz21155
Assigned profile is missing under Network > 802.1X on Mac OS 10.6.3 machines
Once the TLS profile gets configured, the end user is presented the following
message:
“Device configured. Go to System Preferences, choose Network, choose the wired
(Ethernet) network, select <profile name> from the 802.1X menu, and click
connect.”
However, the profile is missing under System Preferences > Network > 802.1X, and
the user is stranded in that step of the login process.
Workaround Close the Network window and open it again. You should be able to see
the appropriate profile under Network > 802.1X. (This is applicable only for wireless
deployment scenarios.)
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
101
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtz25101
Asset Registration Portal login event not shown in Live log
Sponsor Portal login events are showing up as designed, however.
CSCtz28932
Client Provisioning for Supplicant Provisioning flows is broken after upgrade
Policies that were previously working now result in the “register” tab not appearing
to users logging in via the Self-Provisioning page for Windows devices.
This issue has been observed using Apple iPhone/iPad over a dual- SSID
environment.
CSCtz31672
NullPointer Exception when user redirects to CPP evaluate page from mobile
Cisco ISE returns a “Cisco ISE is unable to determine access privileges in order to
access the network. Please contact your system administrator.” message, and
exceptions also appear in the ise-psc.log file. This issue is likely because the login
session is trying to use an old session for the same device MAC address, which is not
found in session directory.
Workaround:
The user logging in via their endpoint must open a new browser instance or clear the
existing URL, and type enter the destination URL again to be redirected to the CCP
evaluate page with expected device information.
CSCtz36060
ARP authentication should show up in AAA diagnostics even with default log level
MyDevices portal login audit can be seen in the AAA Diagnostics log as long as
ARP logging is set to INFO or DEBUG.
CSCtz37988
Two primary Administrative ISE nodes appear in deployment
This issue can occur after the primary Administrative ISE node becomes
disconnected and the secondary Administrative ISE node gets promoted to the
primary role after 20 minutes or so. Then much (a day or so) later, the original
primary is brought back online, two primary and secondary Administrative ISE
nodes appear in the deployment setup.
CSCtz40127
Certificate issue after SCEP failover where servers reside in different domains
(This issue has been observed in a Windows 7 environment.)
CSCtz41262
Authorization policy does not match when the MAC address uses the colon delimiter
(00:00:00:00:00:00)
When configuring policies using the Calling-Station-ID as a component, the
authorization attempt does not match the rule if you use the value in the Cisco ISE
report. When configuring this type of policy in Cisco ISE, Release 1.0.4 or 1.1, you
will have to rely on the RADIUS packet information and not the ISE report.
Workaround Use the TCPDump function in Cisco ISE to see the correct value that is
being sent from the network access device and configure the Calling-Station-Id
(MAC address in this case) using the hyphen-delimited format (00-00-00-00-00-00).
Release Notes for Cisco Identity Services Engine, Release 1.1.x
102
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtz42775
Java “unknown host” exceptions appear when downloading Client Provisioning
resources
Cisco ISE still reflects that the “Resources downloaded successfully” in the bottom
right corner of the Cisco ISE administrator user interface.
Workaround Please make sure the DNS server is up and running and the client
provisioning Feed Server is reachable from ISE.
Note
CSCtz49846
This issue may occur more commonly where the DNS server has gone down.
Cisco ISE does not contain the ASA attribute 146 Tunnel Group Name which is sent
on the Access Request
This issue can appear when the name of the attribute added in Cisco ISE includes a
“.” character.
Workaround Ensure that the attribute name does not include a “.” character. This also
applies to some of the existing attributes in the Cisco-VPN300 dictionary. The
attribute names should also be modified so that they do not include a “.” character.
CSCtz55815
Default Gateway is not changed if the new value is a part of old value
If the administrator specifies a new default gateway on the Cisco ISE that is too
similar to the old default gateway (like a different address on the same 24-bit subnet
for example), the gateway address does not change.
Note
CSCtz56547
This issue was observed on a VMware ESX 4.1 environment.
Cisco ISE does not display alarms or notifications on “OutofSync” issues
This has been observed when there is a time-shift event on an Administrative ISE or
Policy Service node. Cisco ISE should notify admin user on all arising issues due to
NTP dependency, as this issue can consume considerable time to troubleshoot.
CSCtz61792
Administrator Username column in EPS Report shows incorrect data
The Cisco ISE EPS operation history report displays the user as “internal” instead of
the actual administrator user ID.
Workaround Cisco recommends using the REST API, instead.
CSCtz63899
Previously registered device is not able to re-connect
Once a device has been registered with Cisco ISE and attempts to connect to the
network again (as if a new device), the device should automatically attempt to
connect to the secure network. However, the device is able to connect to secure
network on second or third attempt. This issue can occur if the device is unable to
complete the full EAP handshake with the NAD or WLC.
Workaround Device can connect to closed network automatically in second or third
attempts. or user can try flapping the interface to be connected to closed network.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
103
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtz67158
IP address is not refreshed after reinstating the device
Reinstating a blacklisted device in the My Devices portal does not refresh the IP
address. This can happen when the administrator modifies the default blacklist
authorization profile so that it includes ACCESS-ACCEPT and different sets of
ACLs and VLANs.
Since reinstating the device issues a CoA and triggers reauthentication, the IP
address is not refreshed by the blacklisted device.
Workaround The user can perform an IP address release/renew or turn off Wi-Fi on
the device.
CSCtz67372
External Admin Groups are not available until authentication password is changed
This issue can come up when you configures external identity source (LDAP or
Active Directory), import groups from the source, and then try to create an
“external” RBAC Admin Group that refers to one or more groups imported from the
external ID source. (That is, the Identity Source in the Authentication Method'
page under 'Administration > System > Admin Access page has not yet been set
to the external ID source containing the groups.) As a result, the groups from the
external ID source are not shown in the Admin Group page in Cisco ISE.
Per the current design, you can configure multiple identity sources, but only one may
be enabled at a time.
Note
CSCtz74022
The External Group section in the Admin Group create/edit page in Cisco
ISE only shows groups from the external identity source that are currently
enabled.
The device registration page is blank on a Windows 7 phone on which a language
locale other than English is specified
This issue has been observed when running performing device registration in a single
SSID environment.
Workaround Set the client browser locale to English.
CSCtz80240
Secondary node never becomes standalone after de-registration
The secondary node is de-registered successfully but a “The following deregistered
nodes are not currently reachable: <name>. Be sure to reset the configuration on
these nodes manually, as they may not revert to Standalone on their own.” message
appears to the administrator.
Workaround Log in to the administrator user interface with internal Cisco ISE
administrator credentials when de-registering a node.
CSCtz81107
Android registration fails if the user modifies the certificate while installing
Android users are able to modify certificate names when installing the Cisco
Supplicant Provisioning Wizard. If the user does in fact modify the certificate name,
then the device is not able to connect to the secure network.
Note
This issue applied to both single- and dual-SSID deployments.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
104
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtz83096
Cisco ISE ignores authorization exceptions when working with an option that
matches multiple policy rules
If you add a standard rule within an authorization policy, for example, “if Network
Access: Username STARTS_WITH letters �te’ then DenyAccess,” add an additional
Exception Rule like, “Network Access:Username EQUALS �testUser’ then
PermitAccess,” specify that the policy should operate using the “Multi-Matched”
option, and authenticate a user called “testUser,” the result is that Cisco ISE denies
access to that user when it should permit access.
CSCtz83530
Android devices must manually connect to the secure network if the user reboots the
device
This is due to the fact that users be required to enter storage credentials again to
connect to the secure network using certificates that were installed during initial
device registration.
CSCtz84351
Cisco ISE stops responding to authentication requests
Cisco ISE intermittently stops authenticating and returns “WARN RADIUS:
RADIUS request dropped due to system overload” messages. This issue has been
observed even when CPU usage is low and there is plenty of free memory.
Workaround Disable and then re-enable Cisco ISE services.
CSCtz90726
An error appears when attempting to create an inline “Allow Protocols” definition
after having previously canceled the operation
This issue can appear when you select the option to create an Allowed Protocols
definition, click Cancel during the process, and then attempt to create the definition
again.
Workaround Clear the browser cache and attempt to create the definition again.
CSCtz91998
New client provisioning ports need accommodated during upgrade
After upgrade to Cisco ISE, Release 1.1.1, users are unable to download Cisco NAC
Agent or NAC Web Agent after clicking the install button if the appropriate client
provisioning port (8909) has not been opened across the network.
Workaround Open up ACL for port 8909 to allow client access to ISE server. This
ACL can be statically defined on the NAD or dynamically downloaded through ISE
authorization policy
CSCtz93520
Exceptions noted in logs while registering a node
In a split domain upgrade older certificate is not working when older secondary is
made as primary.
Workaround After upgrade Export the secondary certificate into primary before
registration.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
105
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCtz97075
Device registration session directed to wrong location when Administrative ISE
node and Policy Service node become disconnected
As a result, users are not able to complete device registration, account for lost
devices, or remove old devices from Cisco ISE.
Users are supposed to be redirected to the self-provisioning portal during both
single- and dual-SSID sessions. This function requires an active connection between
the Administrative ISE node and Policy Service node. If the two become
disconnected, device registration fails. (This also applies to users trying to account
for lost devices, or remove old devices from Cisco ISE.)
CSCtz97833
HTTP time out error received during user session quarantine period
Certificates used in Cisco ISE can be PEM- or DER-formatted. Cisco ISE also
accepts certificate chains of multiple certificates. Cisco ISE does not, however,
accept certificate chains which have a mix of both PEM- and DER- formatted
certificates. This error is not reported as precisely in EPS REST calls, it just shows
up as generic failed request.
Workaround Check to see whether you are inadvertently mixing both PEM and DER
formatted certificates.
CSCtz98295
Opera browser “Back” button displays My Devices portal after user has logged out
After logging out of the My Devices portal, the user can click the back button and
the previous page appears.
Workaround Recommend not using Opera if concerned.
CSCtz99443
Policy Service nodes on the other side of WAN links display “IN-PROGRESS”
status continuously
This issue can occur on secondary nodes that are deployed over WAN links where
there are a large number of replication events generated on the Administrator ISE
node.
Note
CSCua00821
This issue is sometimes due to latency issues impacting WAN links. If there
are a significant number of replication events generated by the Administrator
ISE node, these events take longer time to be replicated and applied to the
Policy Service nodes that are deployed over a WAN link. As a result,
replication events accumulate on the node and the replication status appears
as though replication is continuously in progress.
Error messages appear when you configure Active Directory via the CLI
When performing Active Directory configuration via the Cisco ISE CLI, selecting
option number 5 (Clear Active Directory Trusts Cache and restart/apply Active
Directory settings), the following errors may appear:
•
log4j:WARN No appenders could be found for logger
(com.cisco.cpm.acs.nsf.config.handlers.ad.cli.ADAgentRestart).
•
log4j:WARN Please initialize the log4j system properly.
Workaround From the Cisco ISE CLI, enter the “application configure ise” command
and select option number 5 again.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
106
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCua03362
Need to enable automatic connection polling on Mac OS 10.7.x wired connection
The Cisco ISE profile selection dialog does not appear if the “Enable automatic
connection” option is not enabled (under System Preferences > Network > Ethernet
> Advanced > 802.1X) on the Mac OS X client machine after the supplicant
provisioning wizard is downloaded and installed.
Workaround Be sure Mac OS 10.7.x wired device users know to choose the profile
manually (like Mac OS 10.6.8, for example).
CSCua03889
Guest users are asked to accept the Acceptable Use Policy twice when first logging
into Cisco ISE with password change
When the administrator sets up a multi-portal configuration, sets the Acceptable Use
Policy to be accepted on “First Login,” and enables the “Requires guest users to
change password at expiration and first option” option, the guest user needs to accept
the Acceptable Use Policy twice.
CSCua05003
Service status is not correct if the ARP port number changes
This issue has been observed when an end-user attempts to access the My Devices
portal via the configured port, but is not able to.
Note
Accessing the My Devices portal via the last configured network port works
as designed (although and error message appears).
Workaround If you have changed the port used for the My Devices portal, restart the
Administrator ISE node and My Devices portal should restart on the correct port.
CSCua05261
Windows XP 32-bit OS cannot connect to closed network if not broadcasting
This issue can occur when the open network connection mode is set to
“Automatically connect to network” (which is a default option on Windows XP.
Note
This issue has not been observed in a Windows 7 environment.
Workaround Set the connection mode for Windows XP open networks to “manual”
or “on demand”:
CSCua08884
1.
Select the open network profile.
2.
Uncheck the “Connect when this network is in range” option.
Restore failed in release 1.1.1 with customer backup of 1.0 version
This issue is most likely due to a corrupted backup file resulting from an unknown
operating system issue
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
107
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCua12479
HTTP profiling in Cisco ISE, Release 1.1 is performed after Guest Authentication
Cisco ISE, Release 1.1 does not call upon user-to-agent information until the Guest
user authenticates via the Guest portal.
Note
This behavior is different then what is seen in ISE 1.0.4 where profiling kicks
off as soon as the user hits the guest portal.
Workaround You can redirect users to the client provisioning portal. Even if no client
provisioning rules exist, the user-to-agent information is called upon when the Guest
user reaches that page.
CSCua12479
Profiling via HTTP probes in Cisco ISE, Release 1.1 done after Guest authentication
Cisco ISE, Release 1.1 does not use user-agent information until the Guest user
authenticates to the Guest Portal. This behavior is different then what was seen in
Cisco ISE, Release 1.0.4 where profiling would initiate as soon as the user hit the
Guest Portal.
Workaround Direct users to the Client Provisioning Portal. Even if no Client
Provisioning rules exist, the user-agent information will be picked up when the user
hits that page.
CSCua18804
Authorization RADIUS packets fail due to incorrect delimiter
Wireless LAN Controllers can send endpoint MAC addresses in RADIUS packets in
various formats, including a series of colons, hyphens, or no delimiter at all. Cisco
ISE authorization policies look for hyphen-formatted MAC addresses.
Workaround Set the MAC address delimiter on the Wireless LAN Controller for the
calling station-id to specify hyphens.
CSCua19003
“hostname” and “ip domain-name” warnings are hard to understand
Cisco ISE returns warnings when you attempt to change the Cisco ISE hostname or
domain name after initial setup.
Because the warnings are ambiguous and the affect on the system unknown, Cisco
recommends that you do not change the hostname or domain name on any deployed
Cisco ISE appliances. If it becomes necessary to change these parameters, the only
reliable way to accomplish such a change is to re-image and specify different values
for these parameters during initial configuration.
Note
CSCua25187
There is no known workaround for this issue.
Employees whose user names are 41 digits long will not see their devices
If the employee name is 41 digits long, then the devices added through the My
Devices portal do not show up in the list of employee devices.
Note
Using a 40-digit user ID works as designed, as does a 48-alphanumeric
character ID and a 40-digit alphanumeric character ID with one leading
alphabetical character.
Workaround Use less than 41 digits in the user name policy.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
108
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCua25333
Unable to login to the administration user interface using the username and password
credentials set during the initial setup wizard
After running the initial setup wizard with some specific set of username and
password values, this problem will occur. The administrator is, however, able to log
in to the Command Line Interface with the same username and password.
Workaround Run the CLI “application reset-passwd” command to reset the
administration user interface password to the value specified during the initial setup
wizard or another value if desired.
CSCua32575
Firefox browser is not working on Android devices for registration
When the Mozilla Firefox browser is used for registering an Android device, it
receives an “unsupported OS device” response From Cisco ISE.
Note
CSCua38966
When users register the device via the native Android browser, registration
completes correctly.
Policy Service node replication is disabled
Policy service nodes in which large numbers of (bulk) users have been imported
display signs of decreased performance. (The performance level of the three (of 40)
Policy Service nodes were below that of other appliances.)
Note
This issue has been observed on a “large” deployment of 40 nodes.
Workaround Manually synchronize node information.
CSCua40773
IP refresh function is not working in Mac OS X after the session terminates
The VLAN switching function does not take place on Macintosh client machines
after Cisco ISE issues the requisite “change of authorization” during login. When
Cisco ISE issues the “change of authorization,” and open/authenticated networks are
in different VLANs, the Macintosh client does not refresh the IP/switch network
(VLAN) automatically following re-authentication.
Workaround The user must manually refresh the IP address:
1.
Launch System preferences.
2.
In the TCP/IP tab, go to Network > Advanced.
3.
Click Renew DHCP Lease button.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
109
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCua55531
“Anonymous” user authentication fails when operating with CSSC
CSSC expects both “Session Resume” and “Fast Reconnect” PEAP functions. When
Cisco ISE transmits a valid TLS Session ID, but either or both of these PEAP
functions are disabled or the session time out has elapsed, then CSSC drops the
conversation before running the PEAP inner method. The result is that the PEAP
outer identity is protected (e.g., “Anonymous”) but the conversation is dropped
before revealing the unprotected user US, which then compromises the posture
validation process because the user name has been “changed.”
Workaround Enabling both of the “Session Resume” and “Fast Reconnect” options
in “PEAP Settings” can reduce the frequency, but this issue will still likely occur
when Cisco ISE terminates an expired session. To fully resolve the issue, Cisco
recommends upgrading from CSSC to AnyConnect version 3.x.
CSCua60073
Changing the log level for system statistics yields incorrect results
After the log level for “System Statistics” is set to “ERROR,” the “System
Summary” area on the Cisco ISE dashboard is empty.
Workaround Do not change the log level for the “System Statistics” logging category.
(Continue to use the default “INFO” value.)
CSCua71361
Android 2.3.6 devices are not getting a new IP address following the change of
authentication session terminate event
Android devices such as Android RAZR are not refreshing their IP address after
moving to a new subnet. This issue has been observed on certain Android O/S such
as 2.3.6 and ISE issuing CoA session terminate
Workaround Manually disconnect and reconnect to the network by turning Wi-Fi off
and back on again.
CSCua72137
Cisco ISE does not delete old files when the preset localStore size limit is reached
CSCua97013
Apple iOS devices are prompted to accept “Not Verified” certificates
Apple iOS devices (iPhone & iPad) are asked to accept the certificate, appearing to
them as “Not Verified,” when connecting to WLAN (802.1X).
By design, Apple iOS devices are prompted to accept a proprietary certificate, but
Apple OS X and Android devices work without being prompted to accept a
certificate.
This happens even when the certificate is signed by a known CA, as there is an
intermediate certificate in the server certificate chain.
Workaround Click Accept to acknowledge the certificate. While browsing any URL,
the user is redirected to provision the device. After provisioning, the intermediate
certificate is installed on the iDevice.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
110
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCub01822
Cannot roll back patch when administrator is authenticated using an Active
Directory identity store
When the administrator, who is authenticated via an external identity store, applies
a patch to Cisco ISE, the patch application process reboots Cisco ISE and the
administrator is automatically logged out. After patch application, however, the
same administrator cannot them log back into the system and roll back the installed
patch.
CSCub16453
Android Self-Provisioning Certificate installation and application erroneously
informs the user of a Factory Reset event
This issue has been observed on a device running Android OS version 4.0.3. A
pattern lock factory reset message appears when installing the certificate in a device
registration flow from the Cisco ISE self-provisioning page. No actual factory reset
event actually takes place after the user clicks OK, and the device connects to the
network without issues.
Workaround Set a pin lock and then configure back to pattern lock. This time there
are no reset messages. This was tested after removing the cert and supplicant config
to start fresh
CSCub17140
Upgrade to Cisco ISE 1.1 and 1.1.x fails when policies use the Blacklist_Access
authorization profile.
This issue has been observed when you upgrade the following Cisco ISE releases:
•
Upgrade from Cisco ISE, Release 1.1.3 to release 1.1.4
•
Upgrade from Cisco ISE, Release 1.1.2 to release 1.1.3
•
Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.3
•
Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.2
•
Upgrade from Cisco ISE, Release 1.1 to release 1.1.1
•
Upgrade from Cisco ISE, Release 1.0.3.377
Workaround Before you upgrade, ensure that you delete all policies that use the
“Blacklist_Access” authorization profile.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
111
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCub17522
IP Phone 802.1X authentication reverts to PAC-based authentication when the
“Accept client on authenticated provisioning” option is not enabled
When the “Accept client on authenticated provisioning” option is off then Cisco IP
Phone EAP-FAST authentication sessions always end with an Access-Reject event.
This requires the IP phone to perform PAC-based authentication to pass
authentication. Since Cisco IP Phones perform authentication via authenticated
provisioning and not via PAC-based authentication, it is not possible for the phone
to authenticate when this option is off.
Workaround Try one of the following:
CSCub18575
•
Turn on the Cisco IP Phone “Accept client on authenticated provisioning”
option.
•
Switch from EAP-FAST protocol to PAC-less mode.
•
Authenticate Cisco IP Phones via EAP-TLS rather than EAP-FAST.
Issue with Cisco ISE sponsor-initiated accounts starting with a “0”
If you create a Guest user starting with a “0,” then log out and log back in, you are
not able to see the Guest user entry as expected.
Note
CSCub26470
There is no known workaround for this issue.
Wireless license shows Advanced and Base license as “Eval”
Cisco ISE may display Base and Advanced license as “Eval” after installing a
purchased Wireless license. This is a cosmetic issue, the license is functional and
expires in the expected date.
This issue has been observed in Cisco ISE, Release 1.1.1.
CSCub44915
Activated Guest fails RADIUS authentication where the applicable role uses
“FromFirstLogin”
Workaround Use time profile “FromCreation,” or log in first via the Web Portal.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
112
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCub45799
Wired Mac OS X 10.8 clients fail to auto re-connect to the Cisco ISE network using
a new profile
After successfully provisioning the Mac OS X 10.8 client machine with an 802.1X
profile for wired a network, the client machine may not provide the user an option
to select the specified 802.1X network profile.
When the user is not able to select the “Enable automatic connection” checkbox in
System Preference > Network > 802.1X for a wired interface, or if the user manually
disconnects from the 802.1X network, the client machine may not present the pop
up that would enable the user to select the 802.1X network profile.
Workaround The user must manually connect to the 802.1X network:
CSCub45895
1.
If the System Preference pane is already open, close it.
2.
Navigate to System Preference > Network and select “Wired Network” from the
left pane.
3.
Select the appropriate user profile from the right-hand pane and click Connect
under 802.1X.
Unable to save external LDAP/AD groups
Cisco ISE returns a “UTFDataFormatException” message upon saving LDAP
groups with multiple Organizational Units and/or Domain Controllers.
Workaround If possible, reduce the number of Organizational Units and/or Domain
Controllers in the deployment.
CSCub56607
Cisco ISE applies a wireless access session against the Advanced license allowable
user count when it should not
The wireless session in question should be applied against the Base license count.
This issue has been observed in Cisco ISE, Release 1.1.1 where the following
functions are set:
•
MAC Filtering is enabled on the SSID and the Central Web Authentication
authorization policy is applied
•
Profiling is disabled
•
Posture is disabled
•
The device in question has not been registered via the My Devices Portal
Note
CSCub56607
There is no known workaround for this issue.
Cisco ISE, Release 1.1.1 uses Advanced license for web authentication when it
should not consume one
This issue has been observed when a wireless user consumes an Advanced license
instead of just a Base license slot, MAC Filtering is enabled on the SSID, and the
Cisco ISE authorization policy is designed to support Central Web Authentication.
Note
There is no known workaround for this issue.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
113
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCub56814
Unable to provision Android 4.1.x device
When registering a new Android 4.1 (Nexus 7) via the Cisco ISE Network Setup
Assistant, Cisco ISE is unable to register the device and the user receives an “Unable
to apply the Wi-Fi profile” message.
Note
CSCub57456
There is no known workaround for this issue.
Cisco ISE is not sending RADIUS Request messages to external RADIUS server
This issue has been observed in Cisco ISE, Release 1.1 with a wireless-only license.
Cisco ISE is not sending the appropriate RADIUS request message to the external
RADIUS server, which has been configured as a RADIUS proxy.
Workaround Uninstall Wireless Only license and Install an Advance License.
CSCub70759
Guest Email IDs greater than 24 characters in length are truncated
When Cisco ISE handles Email IDs, the last characters are getting truncated such
that all Email IDs are a maximum of 24 characters in length.
Workaround Delete the user entry and create a new user again with correct email ID.
CSCub73901
Cisco AV-pair is not accepted if it contains the term “Alert”
Cisco ISE rejects the AV-pair configuration and returns a “Bad Request Parameters”
error message. (Scripts in input fields are not processed.)
Note
CSCub77801
There is no known workaround for this issue.
Cisco ISE returns a “Can't create new service” message when adding new allowed
protocols
When attempting to add a new Allowed Protocols Service in Cisco ISE, Release
1.1.1, saving a policy without the “Allow EAP-FAST or EAP-TLS” option enabled
may result in a “Can't create new service” error.
Workaround Add the Allowed Protocols service with the default protocols first. After
saving, go back into the policy and deselect the protocols that you want, and save the
service again.
CSCub82418
Dual SSID registration fails when profiled endpoint’s MAC address changes to the
Policy Service node MAC address
On reaching the Device registration page, the device MAC addresses is populated
using the Policy Service node MAC address. This issue occurs on user devices
during registration if there is no MAC address in the Cisco ISE session cache.
Workaround There are two possible workarounds for this issue:
1.
The user can contact the system administrator so that the session can be cleared
from the Wireless LAN Controller (WLC). (The user must be able to supply the
Wi-Fi MAC address from the device to do so.)
2.
The user can turn off Wi-Fi for a period of time (equal to slightly more than the
session timeout period set on the WLC) and then reactivate Wi-Fi so that the
device negotiates a new session with the WLC.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
114
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCub87687
Acceptable Use policy text character limit in Guest Language Templates
When you attempt to modify the Acceptable Use Policy text under Administration
> Web Portal Management > Settings > Guest > Language Template >
German_Deutsch, it works as expected if fewer than 4000 characters. If attempting
to input larger text content, then upon saving, Cisco ISE returns a “Server Response
Language Template successfully saved” message. However, upon refresh, the
changes have not been applied to the Acceptable Use Policy text.
Workaround Use fewer than 4000 characters in the Acceptable Use Policy text field
on the Language template, or employ a customized portal with its own logos and
HTML pages.
CSCub89895
SNMP process stops randomly due to an issue in netsnmp
The netsnmp daemon on Cisco ISE can halt, causing any SNMP monitoring of the
Cisco ISE node to fail until the daemon is restarted. This issue has been observed in
Cisco ISE, Release 1.1.1.
Workaround Remove all SNMP commands and re-add them to start the daemon again
or restart the ISE node.
For more information, see:
http://sourceforge.net/tracker/index.php?func=detail&aid=3400106&group_id=126
94&atid=112694
CSCuc13075
Endpoints are saved with “EndpointPolicy” as “Unknown”
Change of Authorization is continuously sent for an endpoint, causing the CPU
usage on the Administration ISE node to run extremely high. (The endpoint may or
may no longer be connected to the device the CoA is being sent to.)
This issue can occur in Cisco ISE, Release 1.1.1 where Profiling is enabled as well
as CoA.
Note
There is no known workaround for this issue.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
115
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCuc18502
Cisco ISE upgrade from release 1.1 to 1.1.1 fails because of Blacklist authorization
The Cisco ISE support bundle log returns an error message inside the latest
isedbupgrade-data-global-date-time.log file:
UpgradeServiceRegistrar terminated with exception
java.lang.RuntimeException:
com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed:
com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed:
java.lang.NullPointerException
Workaround If the ISE upgrade fails once, then you need to restart everything from
scratch.
CSCuc21037
1.
Access the primary appliance that has not been configured yet and create a
compound condition called “Wireless_802.1X” manually under Policy > Policy
Elements > Conditions > Authorization > Compound Conditions.
2.
Configure the rule to include “Radius:Service-Type Equals Framed AND
Radius:NAS-Port-Type Equals Wireless - IEEE 802.11.”
3.
Re-image the secondary appliance that you were trying to upgrade, add the
Secondary to the Primary, and wait until the Secondary node gets its
configuration from the Primary.
4.
Restart the upgrade progress by breaking the pri/sec relation and doing the
upgrade on the secondary again.
Cisco ISE uses PEAP for outer identity when performing authorization
Traditionally, authorization was accomplished in Cisco ISE, Release 1.1 using PEAP
as the inner identity. In release 1.1.1, however, PEAP is used as the outer identity
when performing authorization.
Note
It seems that the “Network Access:UserName” value is mapping to the
“RADIUS Username,” and only applies to PEAP-EAP-TLS authentications.
Workaround If you would like to match on the certificate fields (for example, the
Subject field), change the authorization rule to use the “Certificate:Subject” attribute
and match on CN\... (rather than using the “Network Access:UserName” attribute).
Cisco recommends using the attributes from the Certificate dictionary when
matching certificate fields.
CSCuc22732
Cisco ISE drops RADIUS requests with no “calling-station-id” attribute
When using MAB and sending a RADIUS request to Cisco ISE, the packet is
dropped if the “calling-station-id” attribute is not included.
Workaround Configure the remote access device to send the “calling-station-id”
attribute if possible.
CSCuc44766
My Devices Portal descriptions missing
Periodically, after onboarding devices using the self provisioning flow (NSP) SPW,
descriptions of endpoint devices may be missing form the My Devices Portal.
Note
There is no known workaround for this issue.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
116
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCuc50247
Cisco ISE does not recognize the certificate if the Certificate Authority name
contains a space
This issue can occur when the SubCA name contains a space. Cisco ISE records
“Unknown CA” during processing and adds “%20” to the string, causing EAP-TLS
authenticating to fail.
Workaround Since the “Subject” is part of the FQDN or vice versa, do not use spaces
in CN.
CSCuc52368
Authenticating users using an alternative UPN fails
In Cisco ISE, Release 1.1.1 with Centrify version 4.5, authenticating users against
Active Directory with an alternative UPN fails.
For example:
*. considering a domain name sec.lab and an alternative UPN of sec.alt
*. a user defined in AD as user@sec.alt
Authentication using user@sec.alt fails. The domain name is not stripped from the
username prior to authentication and Cisco ISE interprets the username as
user@sec.alt@sec.lab (user@2nd_UPN@domain-name).
Workaround Modify all users to use the primary UPN.
CSCuc61143
Cisco ISE redirects to default login portal (instead of custom) when cookies are
disabled
Workaround Enable cookies on client browser.
CSCuc62197
Unable to add or edit authorization compound conditions
Adding or editing authorization compound conditions under Policy > Policy
Elements > Conditions > Authorization > Compound Condition takes several
minutes.
When editing and saving a Condition Expression, the entry is duplicated. If you
attempt to delete a Condition Expression, Cisco ISE returns a “Please enter a valid
expression for the condition” error, and when adding and saving a Condition
Expression, a Condition Expression entry is removed from the Authorization
Compound condition expression list.
CSCuc62197
Unable to add or edit authorization compound conditions
The following issues have been observed when attempting to add or edit
authorization compound conditions:
•
When editing and saving a Condition Expression, the entry is duplicated.
•
When adding and saving a Condition Expression, a Condition Expression entry
gets removed from the Authorization Compound condition expression list.
•
If attempting to delete a Condition Expression, Cisco ISE returns a “Please enter
a valid expression for the condition” error.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
117
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCuc71950
Network device .csv import function fails if Protocol field is “radius”
When importing a .csv file of network devices to Cisco ISE running release 1.1.1
where the Protocol field is “radius,” the import function may fail and leave the
network devices user interface page in loading state—not displaying any devices.
Workaround Replace “radius” with “RADIUS,” and try the import operation again.
CSCuc72034
Combined Base and Advanced license generated in incorrect order
This issue has been observed where the administrator is unable to add combination
Base-Advanced license file to Cisco ISE via the administrator user interface, and the
appliance returns a message indicating that a Base license is required.
Workaround Request individual Base and Advanced license files. If that does not
address the issue, contact Cisco Technical Assistance Center (TAC).
CSCuc76477
First-time Guest login fails when using the “DefaultFirstLogin” attribute
This issue has been observed with an activated Group even though the user appears
as “Active” on the portal.
Workaround Use other time profiles like “DefaultOneHour” or “DefaultStartEnd.”
CSCuc81940
Cisco ISE database process stops due to internal errors
As a result, you can view “ORA-00600” errors seen in the Cisco ISE database trace
logs.
Workaround Restart Cisco ISE services.
CSCuc82135
Guest accounts need to be removed from the network on suspend/delete
When a guest user is deleted from the system, the RADIUS sessions associated with
that guest user still exist.
Workaround Re-issue the CoA from the Monitoring and Troubleshooting reports
page for the sessions associated with that guest user.
CSCuc82135
Guests need to be removed from the network on Suspend/Delete/Expiration
When a guest user is deleted from the system, the RADIUS sessions associated with
that guest user still exists.
Workaround Reissue the Change of Authorization using the session information
from Monitoring reports for the sessions associated with that guest user.
CSCuc91726
My Devices Portal friendly name is not working
Unable to access My Devices Portal using the URL specified in the “Default My
Devices Portal URL” field on the Web Portal Management > Settings > General
> Ports page after upgrade to release 1.1.1.
Workaround Go to the Web Portal Management > Settings > General > Ports page
and click Save. This will update Cisco ISE tomcat configuration files with the
changes necessary for the redirect to work. (Note that this will restart the Cisco ISE
appliances.)
Release Notes for Cisco Identity Services Engine, Release 1.1.x
118
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCuc95915
Cisco ISE, Release 1.1.1 system database becomes full
This issue may be addressed by obtaining the updated Oracle version 11.2.0.2
(Server Patch Set) and applying it to Cisco ISE, which will be available in an
upcoming release of Cisco ISE.
CSCud02566
Administration ISE node not able to join non-Administration ISE nodes to Active
Directory
When Cisco ISE nodes are deployed in different domains or sub-domains and you
attempt to join any Cisco ISE node (except another Administration ISE node) to
Active Directory, the operation fails and returns a “No Response from ISE Node”
error message.
To ensure the Active Directory join operation is successful, ensure that:
•
The Cisco ISE nodes in your deployment are not in different domains (e.g.,
Administration ISE node as pap1.sj.cisco.com Policy Service node1:
pdp1.hyd.cisco.com, Policy Service node2: pdp2.webex.com would cause this
issue)
•
The Cisco ISE node you are trying to join to Active Directory is NOT another
Administration ISE node
•
You are not trying to join Active Directory from the Administrator web portal
on the Administration ISE node
Workaround Go to the respective Administrator web portal on the
non-Administration ISE node and join that node to Active Directory, instead of
trying to join using the Administrator web portal on the Administration ISE node.
CSCud08618
Profiler is not recording all of the expected DHCP probe attributes
This issue may come up if padding <0's> appear between fields.
Workaround Use an IOS sensor on the network access device or a combination of
other probes to achieve similar results.
CSCud31796
External RBAC fails if user member of group containing apostrophe
When the RBAC function utilizes an external identity store (AD, LDAP), group
mapping fails for a user with the correct group(s) to gain access to the administrator
user interface, and a “Authentication failure for user: username: No admin groups”
message is displayed:
Cisco recommends renaming all groups in the external identity store so that they do
not contain apostrophes, and removing any users participating in Cisco ISE
administration from any external groups that contain apostrophes.
Note
CSCud36451
There is no known workaround for this issue.
Swapped NICs seen on Cisco ISE 3315s
Some Cisco ISE 3315 appliances running Cisco ISE, Release 1.x appear as though
NICs have been “swapped” with other NICs. (GigabitEthernet0 maybe end up being
eth3, for example.)
Workaround You can try to reimage the machine, but results have been mixed.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
119
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCue05861
Cisco ISE imports duplicate attributes which corrupt the system
Cisco ISE discarding RADIUS packets and returns a “Network Device Not found”
message when duplicate RADIUS attributes are imported in the dictionary.
Workaround Remove any duplicate RADIUS attributes and restart Cisco ISE
services.
CSCue11380
Mozilla Firefox18 is not compatible for viewing reports
System administrators running Firefox 18 may not be able to view pie charts in the
Operations > Catalog > User > Guest Sponsor Summary Report page. This is
likely due to the fact that the current ACCUTE version used in Cisco ISE is not
supported by the latest versions of Firefox.
CSCue16801
Cisco ISE Reports do not show all data when the report period crosses years
The Cisco ISE report does not display any entries later than 31 December when the
report period spans multiple years.
Workaround You may use a time period falling within a single calendar year.
CSCue38038
Users are unable to log in when cookies are disabled
Users who are not accessing the Cisco ISE network via client provisioning or native
supplicant provisioning are unable to log in using the Guest Portal and receive a
“Cookies are disabled, please enable cookies” error message on the page.
Note
For Android devices (Samsung Galaxy, Motorola Tab) using default
browsers, no warning message is displayed if cookies are disabled, and the
end user is redirected to the login page without any warning.
Workaround End users may resolve this issue by enabling cookies in their browser.
CSCug66959
Cisco ISE displays Certification Expiration alarms for all nodes in the deployment.
You might receive Certification Expiration warning messages in Cisco ISE, Release
1.1.x deployment. This alarm gets triggered because of an issue in Cisco ISE 1.1.x
and can be ignored.
Workaround Delete and import the certificates again.
CSCug79657
Catalyst 3850 fails to profile an endpoint coming from Wireless
MAB/MAC-Filtering-ISE
While connecting to wireless MAB from Windows 7 client using Catalyst 3850
switch, the client is not able to connect to MAB SSID due to missing attributed in
the RADIUS packet sent by the switch. The endpoints do not get profiled and the
MAB request fails.
Workaround Add the additional configuration 'radius-server attribute 31 send
nas-port-detail mac-only' in the switch.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
120
OL-26136-01
Cisco ISE Release 1.1.x Open Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCug79736
Redirection is unsuccessful intermittently at client from Catalyst 3850 Switch
While authenticating clients with wireless MAB/Dot1x using Catalyst 3850, the
redirection to pages like Client Provisioning, Native Supplicant Provisioning, or
Guest Portal does not happen automatically.
Workaround Clear the existing session in the switch, and then try again.
CSCug83908
Getting Blank Page for Client Provisioning Redirect if JavaScript is disabled
A blank page is displayed when a Client Provisioning redirect occurs and JavaScript
is disabled. This issued occurs on IE, Firefox, or Chrome when a normal dot1X flow
is configured and a device connects to a dot1X SSID. It also occurs if a Guest user
comes through MAC Address Bypass (MAB) and Client Provisioning is configured
for Guest users.
Workaround There is no known workaround for this issue.
CSCug85725
Cisco ISE patch may not work as expected if you run the application reset-config ise
command from the CLI after patch installation.
Some of the bug fixes resolved in the patch are uninstalled when you run the
application reset-config command after patch installation.
Workaround We recommend that you to uninstall the applied patch(es) first before
running the application reset-config command and then install the patch(es) as
necessary once the Cisco ISE application configuration is reset.
CSCug85972
Sometimes, the Authorization Policy page is not listing authorization policies in the
Mozilla Firefox 20.0.0 browser
The Mozilla Firefox 20.0.0 browser displays authorization policies intermittently
while editing endpoint identity groups when they are used in authorization policies.
It displays all authorization policies properly, if you navigate away from the
Authorization Policy page and return back to the Authorization Policy page.
CSCuh05898
Message should say “Enable JavaScript” instead of “Enable Java” in MAC OSX
This issue occurs on the Mac OSX and the Safari browser when JavaScript is
disabled on the client and a single SSID flow is configured. The wrong message is
displayed when the Safari browser is redirected to the NSP portal.
Workaround There is no known workaround for this issue.
CSCuh09116
Inconsistent message when JavaScript is disabled in Android browser
When JavaScript is disabled and an Authorization policy is configured for either as
single or dual SSID BYOD flows, a message displayed saying that “JavaScript is
disabled.” but the instructions for enabling JavaScript are for either the Chrome
browser or the Safari browser.
Workaround There is no known workaround for this issue.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
121
Cisco ISE Release 1.1.x Resolved SPW Caveats
Table 45
Cisco ISE Release 1.1.x Open Caveats (continued)
Caveat
Description
CSCuh29820
Windows surface tablets are being detected as Microsoft Workstations EP
Windows surface tablets hit the wrong authentication policy, which leads to issues
in the BYOD/Guest Flow.
Workaround There is no known workaround for this issue.
CSCuh37511
Unexpected Acct-Status-Type: [Stop] for method MAB after URL redirect
While trying wired MAB to Dot1x with PEAP flow in a Windows 7 client using
WS-C3780-48P-S, it is not redirected to the Client Provisioning page. The issue
happens as the switch sends Accounting Stop request before being directed to the
Client Provisioning page.
Workaround Disconnect and connect the network adaptor after NSP is finished to get
the Client Provisioning page.
CSCuo81045
Changes in Agent Profile not Reflecting in Agent Configuration File
Agent changes are not automatically updated in the agent configuration file.
Workaround Re-map the agent profile using the Client Provisioning page.
Cisco ISE Release 1.1.x Resolved SPW Caveats
The following tables list the resolved SPW caveats in Cisco ISE Release 1.1.x.
Table 46
Resolved SPW Caveats for Windows
Caveat
Description
SPW Version
CSCug95980
ISE NSP does not support SDIO based Wireless Adapters
1.0.0.31
CSCug66885
Windows SPW - Trusted Root CA not set in network profile
1.0.0.30
CSCud65260
DualSSID_Win7_PEAP_AutoLogin NSP not connecting to Closed
SSID
1.0.0.29
CSCud01247
BYOD: Messages are not localized
1.0.0.28
CSCud56448
PEAP Supplicant Provisioning does not set Validate Server
Certificate
1.0.0.28
CSCue38943
BYOD: Characters corrupted. A vertical line appears at the end of
the Applying Configuration screen
1.0.0.28
CSCue43405
Windows 8 - Dual SSID is broken (MAB + PEAP), if wrong
networking password is entered in SPW”
1.0.0.28
CSCue43413
Login failure message displayed in dual SSID (MAB + PEAP)
1.0.0.28
CSCue47503
Win SPW v1.0.0.27 fails with Wired dual SSID (MAB > PEAP)
1.0.0.28
CSCud05296
NSP installation on Windows 8 failed
1.0.0.26
Release Notes for Cisco Identity Services Engine, Release 1.1.x
122
OL-26136-01
Cisco ISE Release 1.1.4 Resolved Caveats
Table 47
Resolved SPW Caveats for Mac OS X
Caveat
Description
SPW Version
CSCuf61159
Wired MAC10.8.3-Fails to auto re-connect to network using new
profile
1.0.0.21
CSCug16632
BYOD CR: SPW configures the profile and succeeds even when
PDP is down
1.0.0.20
CSCug18081
NSP page does not show status of Mac SPW consistently
1.0.0.20
CSCuf03318
Network Setup Assistant fails, if user clicks �Cancel’ in the Config 1.0.0.19
profile Tool
CSCue53450
Cisco Network Setup Assistant copy right year should be changed
1.0.0.19
CSCue62005
Mac SPW 1.0.0.17 is not able to configure wired adapters
1.0.0.18
CSCud00349
Translation property file has new line character in the JA translation 1.0.0.17
property file
CSCud64592
MAC OSX 10.6.8: Fails to connect to Closed SSID using the TSL
Profile
CSCub29212
In MAC 10.8, modify Sys network config needs confirmation from 1.0.0.15
sys admin
CSCuc42511
Localization for nsp wizards - support for additional languages
CSCub27769
ISE does not block both wired and wireless interface MAC for lost 1.0.0.13
devices
CSCub65963
Certificate Enrollment is vulnerable to session Hija
CSCub29185
MAC 10.8: Agent and SPW fails to install, when "MAC App Store 1.0.0.11
and identified developers" is selected in the Security & Privacy
Preference Pane.
1.0.0.16
1.0.0.14
1.0.0.12
Cisco ISE Release 1.1.4 Resolved Caveats
The following table lists the resolved server-side caveats in Cisco ISE, Release 1.1.4.
Table 48
Resolved Caveats in Cisco ISE Release 1.1.4 Patches
Caveat
Description
CSCth95432
All OUIs in IEEE need to be resolved to names by profiler
CSCtx35984
Profiler unable to save into DB - SSL Handshake exception error
CSCuc07816
Must be able to purge MnT data from CLI
CSCuc29014
Profiling conditions edit throws null error with NullPointerException
CSCuc48613
Google Chrome can cause reordering of Authorization Policy rules
CSCuc58992
IP address of the endpoints is not getting updated correctly
CSCuc74270
Authorization policy match fails following Active Directory password change
CSCud65479
Device registration Change of Authorization loop with posturing enabled
CSCud83514
ISE session database growing too large, causing homepage blank
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
123
Cisco ISE Release 1.1.4 Resolved Caveats
Table 48
Resolved Caveats in Cisco ISE Release 1.1.4 Patches (continued)
Caveat
Description
CSCue14864
Endpoint statically assigned to ID group may appear in different group
CSCue16774
Profiler purge process is not running, EndPoint Cache grows past memory limits
CSCue25407
Wrong Authentication Policy match: Cisco ISE initiates MAB instead of 802.1x
CSCue28066
IP address field missing during editing/duplicating NADs
CSCue31190
Sponsor users editing guest accounts may cause internal server errors
CSCue41912
NAC agent is not triggered on Windows 8 client
CSCue49305
Device registration is disabled if JavaScript is disabled for Safari or Chrome
browsers on iOS and Android platforms
CSCue49317
SCEP enrolment failure if the user name is prefixed with AD domain name
CSCue50838
An arrayOutOfBoundException occurs during Certificate provisioning
CSCue53508
Limit SNMP Query based of RADIUS Acct Start Event
CSCue58842
Valid email refused in Cisco ISE Guest Portal
CSCue59806
'NAC Server not available' error is thrown - EAP failure error (No response)
CSCue60442
Authorization policies disappear after modifying the name of the parent endpoint
identity group in Cisco ISE
CSCue62940
Incremental Backup without Full Backup gets Stuck in Running
CSCue67900
Termination-Action returns RADIUS-Request
CSCue71407
Guest and Sponsor language templates disappear from database
CSCue71478
Remove ACS-Session-ID from attribute suppression white-list
CSCue71874
Re-profiling process check continuously running
CSCue73865
Cisco ISE is unable to authenticate users against Active Directory with
SmbServerNameHardeningLevel=1
CSCue83454
In CWA, ISE is not able to learn guest user IP address
CSCue84050
Enhancements to support CARS UDI validation for recognizing incorrect UDI
format.
It is observed that PID section of the UDI is not burned properly for NAC 33x5
devices. As a result, ISE installation on those devices fails. These enhancements
enable support for ISE Release 1.1.4 installation on certain NAC-33XX units that
have a variable length UDI PID
CSCue86661
Cisco ISE does not match a compound condition with multiple conditions in a policy
rule
CSCue90444
When an active IPEP node fails, the VPN traffic drops
CSCue96100
Enhancements to support the installation of Cisco SNS-3400 Series (SNS-3415 and
SNS-3495) appliances in Cisco ISE Release 1.1.4
CSCue96626
Address purging issues
CSCuf05267
BYOD usability - Provide API to poll BYOD status
CSCuf08298
Collect only the attributes that are used in profiling policies
CSCuf17123
Shell script to create bootable USB is missing
CSCuf20919
Guests can view accounts from each other through self-service
Release Notes for Cisco Identity Services Engine, Release 1.1.x
124
OL-26136-01
Cisco ISE Release 1.1.4 Resolved Caveats
Table 48
Resolved Caveats in Cisco ISE Release 1.1.4 Patches (continued)
Caveat
Description
CSCuf47857
BYOD enhancements
CSCuf56635
HP Jetdirect Printer is incorrectly profiled as HP-Device using DHCP probe
CSCuf59973
Swapped NIC problem observed on ISE Release 1.1.4 with CIMC version 1.4.6c and
BIOS 1.4.6a.0 during installation of 1.1.4.207 on 3495
CSCuf66747
Guest user notification substitution uses system timezone instead of user timezone
CSCuf71124
PAP admin login failed for consecutive purge operations
CSCuf73365
The show tech-support command shows wrong RAID information
CSCuf90492
ISE cannot process large SGT matrices or send radius messages larger than 4k
CSCuf90513
Multiple Policy Service node’s attempt to write the same profile data to the database
that causes high CPU usage
CSCug04743
The order of policies change on Authentication, Posture and CP Policy pages when
using Google Chrome
CSCug06716
Cisco ISE Centrify AD domain whitelisting breaks machine authentication
CSCug15615
BYOD CR: Error message needs to be modified for a disabled NSP policy
(NSPMsg.FAIL_NSP_DISABLE)
CSCug20065
Unable to enforce RBAC as desired to a custom admin
CSCug34981
Incorrect authorization policy match for Self Service Guests when the profiler CoA
is set to ReAuth
CSCug35133
The attribute Service-Type is changing often with the radius probe and causing high
CPU usage
CSCug37245
SCEP enrolment fails when using certificates from different CAs
CSCug44228
BYOD success message is shown before CoA and can cause a loop and a network
connection error message on the browser
CSCug68792
Incomplete Backup Process Status in UI
CSCug69605
BYOD: Fingerprint exception on Cisco ISE when CA certificate is retrieved via
SCEP
CSCug72958
Profiling functionality is broken while editing policies
CSCug74166
Identity groups are corrupted after changing the parent identity group name
CSCug76995
Unable to add user after changing the parent user identity group name
CSCug77406
Increase retention of ASA VPN sessions to 120 hours (5 days)
CSCug78350
To install the NAC Agent on IE 10, you must enable compatible mode
CSCug78636
Disable Diagnostics Issue
CSCug79123
Messages are displaying in vertical format in IE
CSCug79181
Secure SSID is visible with a PEAP profile, but not with an EAP-TLS profile, when
the secure SSID was not broadcasted
CSCug80970
Wrong button is displayed when the session is lost during NSPWizard installation
process
CSCug95429
Profiler: IP attribute unnecessarily being updated
CSCug98513
Integrate components to support AD 2012 or mixed mode (2008)
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
125
Cisco ISE Release 1.1.3 Resolved Caveats
Table 48
Resolved Caveats in Cisco ISE Release 1.1.4 Patches (continued)
Caveat
Description
CSCug99304
ISE replication gets disabled due to expired certificates even though they are valid
CSCuh12487
Null value associated with SNMP GET after call from NMAP fails
CSCuh17560
Suppress Accounting update packets in Cisco ISE 1.1.x
CSCuh23189
ISE: Using Internal Identity User can gain access to Admin Dashboard
CSCuh29915
ID group add button window shrinks
CSCuh36595
Custom Guest Self Registration Result should not write to file system
CSCuh43440
ISE needs to improve logging mechanism to keep track of backup failures
CSCuh43470
Cisco ISE Authentication failures alarm threshold definition
CSCuh43528
Cisco ISE Alarm Authentication failures count incorrectly shows "%" in details
CSCuh54747
Search is not working in object selector if we change the views
CSCuh56861
Cisco ISE Active Endpoints count on dashboard home page does not decrement
CSCuh67300
ISE redirects to default guest pages when configured for custom pages
CSCuh70984
Database purging alarms on ISE due to open cursors exceeded
CSCui22841
Apache Struts2 command execution vulnerability
CSCui41569
BYOD Supplicant Provisioning Status query should be optimized
CSCui56071
ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates
CSCui75669
Endpoint update calls from guest-portal causing replication issues
CSCuj35109
LWA is broken in iOS 7 devices with ISE 1.1.3 patch 6
CSCuj45431
ISE Support for Mac OS X 10.9 NAC Agent
CSCuj51094
Captured TCPDump file is not working
CSCuj60796
ISE Support for IE 11
Cisco ISE Release 1.1.3 Resolved Caveats
The following table lists the resolved server-side caveats in Cisco ISE, Release 1.1.3.
Table 49
Resolved Caveats in Cisco ISE, Release 1.1.3 Patches
Caveat
Description
CSCte69572
NAC Web Agent fails when more than one browser is trying to install
CSCth95432
All OUIs in IEEE need to be resolved to names by profiler
CSCto03644
Tray icon flickers click focus if user changes apps from login OK
CSCto49390
NAC Agent 4.8.1.5 takes long time to login
CSCtr28855
Web Agent logs does not show the OPSWAT SDK Version
CSCtw62033
Mac OS X Agent log time should use UTC if not configurable
CSCtw98454
Cisco ISE Guest accounting report filter not working
CSCtx35984
Profiler unable to save into DB - SSL Handshake exception error
Release Notes for Cisco Identity Services Engine, Release 1.1.x
126
OL-26136-01
Cisco ISE Release 1.1.3 Resolved Caveats
Table 49
Resolved Caveats in Cisco ISE, Release 1.1.3 Patches (continued)
Caveat
Description
CSCty04128
AV Remediation success while def update is blocked, full access granted
CSCua05433
Import of identity groups and identities does not maintain membership
CSCua12479
HTTP profiling in ISE 1.1 is done after Guest Authentication
CSCub05899
ISE cannot import CA cert with non-standard field
CSCub18575
Problem with sponsor accounts starting with a "0"
CSCub26470
Wireless license shows Advanced and Base license as “Eval”
CSCub29212
Mac OS 10.8 clients require confirmation from a system administrator to modify the
System network configuration
CSCub32594
ISE: Inline posture node is not accepting policy from PDP
CSCub35046
ISE custom guest portal results page includes unused fields
CSCub62481
CSCub44915
ActivatedGuest fails radius authentication with FromFirstLogin time prof
CSCub45895
UTFDataFormatException upon saving LDAP groups with multiple OUs/DCs
CSCub54464
Unable to delete SSH keys with "ssh delete host" command
CSCub61252
Need to disable list of services through the AXIS configuration file
CSCub70759
Email id of guest users more than 24 chars getting truncated
CSCub74879
NAC posture check fails for IE8 KB2544521
CSCub82418
Dual SSID failing as Profiled endpoints mac is changed to PDP's MAC
CSCub99507
Remediation not working correctly with nacagent / ISE
CSCuc07816
Must be able to purge MnT data from CLI
CSCuc08926
NAC WebAgent posture check fails for IE8 KB2544521
CSCuc13075
Endpoints are being saved with EndpointPolicy as Unknown
CSCuc18502
Cisco ISE upgrade from release 1.1 to 1.1.1 fails because of Blacklist authorization
CSCuc29014
Profiling conditions edit throws null error with NullPointerException
CSCuc31098
Backup should not be triggered when there is no sufficient disk space
CSCuc46719
High CPU usage in ISE if profiling data cannot be written to database
CSCuc48613
Google Chrome can cause reordering of Authorization Policy rules
CSCuc61143
Cisco ISE redirects to default login portal (instead of custom) when cookies are
disabled
CSCuc74270
Authorization policy match fails following Active Directory password change
CSCuc84467
When retrieved group with ' AD page indicate problem
CSCud00831
EAP-TLS authentications failing with x509 decrypt error
CSCud04633
Java causing ISE Out of Memory Error
CSCud05296
NSP on Window 8 is broken
CSCud08580
Authentication does not have UserInfo object set in the thread local var
CSCud11139
XSS Vulnerability in ISE Guest portal
CSCud12095
Purge job fails to complete in ISE 1.1.1
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
127
Cisco ISE Release 1.1.3 Resolved Caveats
Table 49
Resolved Caveats in Cisco ISE, Release 1.1.3 Patches (continued)
Caveat
Description
CSCud20033
IP phone and workstation profiled as cisco access point
CSCud20871
ISE- 86107-Session cache entry missing during guest authentication.
CSCud21349
Mac CCAAgent Posture Process will not start for non-English languages
CSCud33787
Edit and saving a Guest user fails with internal error
CSCud65479
Device registration Change of Authorization loop with posturing enabled
CSCud83514
ISE session database growing too large, causing homepage blank
CSCud85806
Purge Operation Fails Intermittently
CSCue00010
Configuration backup command need to exclude mnt tablespace
CSCue00631
Add CNA wispr to list of ignored user agents
CSCue16774
Profiler purge process not running. EP Cache growing past memory limits
CSCue25407
Wrong Authentication Policy match: Cisco ISE initiates MAB instead of 802.1x
CSCue28066
IP address field missing during editing/duplicating NADs
CSCue29044
Timesten configuration setting change
CSCue30368
Parsing of subject field of certificate fails
CSCue31190
Sponsor users editing guest accounts may cause internal server errors
CSCue33406
Default enable the "Number of authentications exceed threshold" alarm
CSCue41912
NAC agent is not triggered on Windows 8 client
CSCue49305
Device registration is disabled if JavaScript is disabled for Safari or Chrome
browsers on iOS and Android platforms.
CSCue49317
SCEP enrolment failure if the user name is prefixed with AD domain name
CSCue50838
An arrayOutOfBoundException occurs during Certificate provisioning.
CSCue58842
Valid email refused in ISE Guest Portal
CSCue59806
'NAC Server not available' error thrown - EAP failure error (No response)
CSCue60442
Authorization policies disappear after modifying the name of the parent endpoint
identity group in Cisco ISE
CSCue62940
Incremental Backup without Full Backup gets Stuck in Running
CSCue67900
Termination-Action returns RADIUS-Request
CSCue71407
Guest and Sponsor language templates disappear from database.
CSCue73865
Cisco ISE is unable to authenticate users against Active Directory with
SmbServerHardening=1
CSCue83454
In CWA, ISE is not able to learn guest user IP address
CSCue86661
ISE may not match compound condition with multiple conditions
CSCue90444
When an active IPEP node fails, the VPN traffic drops.
CSCue96626
Address purging issues
CSCue98661
ISE NAC Agent on Windows 8 checks for AV that is not selected
CSCuf05267
BYOD usability - Provide API to poll BYOD status.
CSCuf08298
Collect only the attributes that are used in profiling policies
Release Notes for Cisco Identity Services Engine, Release 1.1.x
128
OL-26136-01
Cisco ISE Release 1.1.3 Resolved Caveats
Table 49
Resolved Caveats in Cisco ISE, Release 1.1.3 Patches (continued)
Caveat
Description
CSCuf20919
Guests can view accounts from each other through self-service
CSCuf47857
BYOD enhancements
CSCuf56635
HP Jetdirect Printer incorrectly profiled as HP-Device using DHCP probe
CSCuf66747
Guest user notification substitution uses system timezone instead of user timezone
CSCuf71124
PAP admin login failed for consecutive purge operations
CSCuf90492
ISE cannot process large SGT matrices or send radius messages larger than 4k
CSCuf90513
Multiple Policy Service node’s attempt to write the same profile data to the database
that causes high CPU usage.
CSCug04743
The order of policies change on Authentication, Posture and CP Policy pages when
using Google Chrome
CSCug06716
Cisco ISE Centrify AD domain whitelisting breaks machine authentication
CSCug15615
BYOD CR: Error message needs to be modified for
NSPMsg.FAIL_NSP_DISABLE a disabled NSP policy
CSCug20065
Unable to enforce RBAC as desired to a custom admin
CSCug34981
Incorrect authorization policy match for Self Service Guests when the profiler CoA
is set to ReAuth
CSCug35133
The attribute Service-Type is changing often with the radius probe and causing high
CPU usage
CSCug37245
SCEP enrolment fails when using certificates from different CAs
CSCug44228
BYOD success message is shown before CoA and can cause a loop and a network
connection error message on the browser
CSCug68792
Incomplete Backup Process Status in UI
CSCug69605
BYOD: Fingerprint exception on Cisco ISE when CA cert is retrieved via SCEP
CSCug72958
1.1.2 Patch 7 - Profiling functionality is broken while editing policies
CSCug74166
Identity groups are corrupted after changing the parent identity group name
CSCug76995
Unable to add user after changing the parent user identity group name
CSCug77406
Increase retention of ASA VPN sessions to 120 hours (5 days)
CSCug78350
To install the NAC Agent on IE 10, you must enable compatible mode
CSCug78636
Disable Diagnostic Issue
CSCug79123
Messages are displaying in vertical format in IE
CSCug79181
IOS: not able to see closed SSID if it isn't broadcasted if profile is TLS
CSCug80970
Wrong button is displayed when the session is lost during NSPWizard installation
process
CSCug90502
ISE Blind SQL Injection Vulnerability
CSCug95429
Profiler: IP attribute unnecessarily being updated
CSCug98513
Integrate components to support AD 2012 or mixed mode (2008)
CSCug99304
ISE replication gets disabled due to expired certificates even though they are valid
CSCuh12487
Null value associated with SNMP GET after call from NMAP fails
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
129
Cisco ISE Release 1.1.2 Resolved Caveats
Table 49
Resolved Caveats in Cisco ISE, Release 1.1.3 Patches (continued)
Caveat
Description
CSCuh17560
Suppress Accounting update packets in ISE 1.1.x
CSCuh23189
ISE: Using Internal Identity User can gain access to Admin Dashboard
CSCuh29915
ID group add button window shrinks
CSCuh36595
Custom Guest Self Registration Result should not write to file system
CSCuh43440
ISE needs to improve logging mechanism to keep track of backup failures
CSCuh43470
ISE Authentication failures alarm threshold definition
CSCuh43528
ISE Alarm Authentication failures count incorrectly shows "%" in details
CSCuh54747
Search is not working in object selector if we change the views
CSCuh56861
ISE Active Endpoints count on dashboard home page does not decrement
CSCuh67300
ISE redirects to default guest pages when configured for custom pages
CSCuh70984
Database purging alarms on ISE due to open cursors exceeded
CSCui22841
Apache Struts2 command execution vulnerability
CSCui41569
BYOD Supplicant Provisioning Status query should be optimized
CSCui56071
ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates
CSCui57374
ISE IPEP Invalid RADIUS Authenticator error during high load
CSCui67495
Uploaded Filenames/Content Not Properly Sanitized
CSCui67511
Certain File Types are not Filtered and are Executable
CSCui75669
Endpoint update calls from guest-portal causing replication issues
CSCuj35109
LWA is broken in iOS 7 devices with ISE 1.1.3 patch 6
CSCuj45431
ISE Support for Mac OS X 10.9 NAC Agent
CSCuj51094
Captured TCPDump file is not working
CSCuj60796
ISE Support for IE 11
CSCul02860
Struts Action Mapper Vulnerability
CSCul03127
Struts 2 Dynamic Method Invocation Vulnerability
CSCun25178
Fetching Group Information Takes a Long Time Because of SIDHistory
Cisco ISE Release 1.1.2 Resolved Caveats
The following table lists the resolved server-side caveats in Cisco ISE, Release 1.1.2.
Table 50
Resolved Caveats in Cisco ISE, Release 1.1.2 Patches
Caveat
Description
CSCtx81905
Cisco ISE returns an error message while registering one node to another
CSCty51260
Active Directory “dn” attribute does not work for authorization policies
CSCty98551
Race condition between CoA event and persistence event during initial endpoint
login
Release Notes for Cisco Identity Services Engine, Release 1.1.x
130
OL-26136-01
Cisco ISE Release 1.1.2 Resolved Caveats
Table 50
Resolved Caveats in Cisco ISE, Release 1.1.2 Patches (continued)
Caveat
Description
CSCtz13306
Monitoring and Troubleshooting collector cannot collect posture audit logs to
generate report
CSCtz41452
Evaluation license counter incrementing when wireless license installed
CSCtz67814
Replication disabled for secondary node
CSCtz99077
ISE refuses valid email address as user email field
CSCua05433
The endpoint identity import function does not maintain correct identity group
membership
CSCua50327
Cisco ISE Deployment page takes 40 to 50 seconds to render
CSCua50627
Base license removes SGA attributes in device configuration
CSCua55485
ISE distributed deployment does not work with split-domain configuration
CSCua56980
Primary Administration ISE node is non-responsive over a period of time because of
frozen database
CSCua64378
Rate limit profiler endpoint updates to reduce the number of messages
CSCua65587
Alarms For Authorization Profile Matches
CSCua79768
EAP Chaining + Posture lost Compliant Session:PostureStatus in reauth
CSCua89503
Collect only the attributes that are used in profiling policies
CSCua92153
Cisco ISE does not validate Certificate Signing Requests correctly
CSCub03210
Alpha- DB Connection leakage when the rollback fails
CSCub19485
RADIUS Dictionary Export does not export “Direction” or “Description”
CSCub28834
Inline Posture node not displaying logs
CSCub71617
IP Phones 7942 with MAC address prefix 5C:50:15 are not profiled on ISE
CSCub85511
IE Protected mode - provisioning without adding site to trusted list
CSCub95755
Backup and cleanup scripts causing failures
CSCuc06431
End point import not working with policy names included in CSV file
CSCuc19682
Cisco ISE purge operation corrupts indexes in some database tables
CSCuc34292
Mac OS 10.8: Both NAC Agents and Supplicant Provisioning Wizards fail to register
with Cisco ISE if the “MACAppStore&iden. developer” string is missing
CSCuc44535
EAP Chaining + Posture fails for inner methods other than EAP-MSCHAP
CSCuc51338
Sessions leak when rule based policy performed with proxy result
CSCuc58992
IP address of the endpoints is not getting updated correctly
CSCuc64732
Detecting a name change behaves case-sensitive
CSCud43467
Periodic Reassessment check functionality not working
CSCud65479
ISE DRW COA loop with posturing enabled
CSCue14864
Endpoint statically assigned to ID group may appear in different group
CSCue53508
Limit SNMP Query based of RADIUS Acct Start Event
CSCue59806
'NAC Server not available' error thrown - EAP failure error
CSCue60442
Authorization Policy disappears after modifying Identity Group
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
131
Cisco ISE Release 1.1.1 Resolved Caveats
Table 50
Resolved Caveats in Cisco ISE, Release 1.1.2 Patches (continued)
Caveat
Description
CSCue71478
Remove ACS-Session-ID from attribute suppression white-list
CSCue71874
Re-profiling process check continuously running
CSCuf08298
Collect only the attributes that are used in profiling policies
CSCuf56635
HP Jetdirect Printer incorrectly profiled as HP-Device using DHCP probe
CSCuf66747
Guest user notification substitution uses system timezone instead of user timezone
CSCuf90513
Multiple PSN's attempt to write same profile data to db causes high CPU
CSCui22841
Apache Struts2 command execution vulnerability
Cisco ISE Release 1.1.1 Resolved Caveats
The following table lists the resolved server-side caveats in Cisco ISE, Release 1.1.1.
Table 51
Resolved Caveats in Cisco ISE, Release 1.1.1 Patches
Caveat
Description
CSCto03644
Tray icon flickers click focus if user changes applications from login OK
CSCto19507
Mac OS X agent does not prompt for upgrade when coming out of sleep mode
CSCto87799
Guest authentication fails, if the web browser is using old session information
CSCto97422
Auto Popup does not happen after clicking Cancel during remediation failure
CSCts45441
Weird behavior with creating guest account using start-end time profile
CSCtu05540
Monitoring and Troubleshooting node does not show Active Directory External
Groups following authentication failure
CSCtx01136
Cisco NAC Agent is not performing posture assessment
CSCtx07670
Profiler conditions that are edited wind up corrupting Profiler policies
CSCtx25213
IP table entry needs cleanup after deregistering a secondary node
CSCtx33747
RBAC admin cannot access deployment page and perform deployment-related
functions
CSCtx51454
Unable to retrieve administrator users list
CSCtx74574
Device Configure Deployment option selected after upgrade from software release
1.0 to release 1.1
CSCtx77149
Disk space issue
CSCtx94839
Clicking on logout link on the AUP page of Device Registration Webauth flow
appears to do nothing
CSCtx97190
Cisco 3750 switch is profiled as “Generic Cisco Router”
CSCty02379
Cisco ISE runs out of space due to a backlog of pending messages in the replication
queue
CSCty10461
Cannot register a Cisco ISE node with UTF-8 characters in administrator name
CSCty15646
Monitoring and Troubleshooting debug log alert settings get reset to WARN
Release Notes for Cisco Identity Services Engine, Release 1.1.x
132
OL-26136-01
Known Issues
Table 51
Resolved Caveats in Cisco ISE, Release 1.1.1 Patches (continued)
Caveat
Description
CSCty16603
Administrator ISE node promotion fails, resulting in disabled replication status
CSCty23790
Internet Explorer 8 is unable to import endpoints from LDAP
CSCty40077
Shared Secret Key for Inline Posture node Network Access Device is not created or
updated
CSCty54756
Indexes corrupted in Monitoring and Troubleshooting node database
CSCty59165
SNMPQuery Probe events queue runs out of memory
CSCty80451
Failed to authenticate external admin (AD user) when configured user to change
password at the next log in
CSCtz28057
After upgrade to release 1.1, Cisco ISE is still in “initializing” state
CSCtz45714
Incorrect authentication and authorization match on client machine
CSCub29185
Mac Agent not getting installed when the “MAC App Store” and “identified
developers” options are enabled on the client
CSCub32594
Inline posture node does not accept a policy from the associated Policy Service node
CSCub82071
Unable to Install/Upgrade Mac agent 4.9.0.654 on Mac OS X 10.7.4 Client
CSCui22841
Apache Struts2 command execution vulnerability
Known Issues
•
Cisco ISE Release 1.1.3 and Earlier Does Not Support Google Chrome For the Administrative User
Interface, page 134
•
Cisco ISE Hostname Character Length Limitation with Active Directory, page 134
•
Windows Internet Explorer 8 Known Issues, page 134
– Issue Accessing the Cisco ISE Administrator User Interface
– Cisco Secure ACS-to-Cisco ISE Migration User Interface Issue Using IE8
– User Identity Groups User Interface Issue With IE 8
•
Issues With 2k Message Size in Monitoring and Troubleshooting, page 135
•
Issues With More Than Three Users Accessing Monitoring and Troubleshooting Concurrently,
page 135
•
Inline Posture Restrictions, page 135
•
Cisco IP phones using EAP-FAST, page 135
•
Internationalization and Localization, page 135
•
Issues with Monitoring and Troubleshooting Restore, page 136
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
133
Known Issues
Cisco ISE Release 1.1.3 and Earlier Does Not Support Google Chrome For the
Administrative User Interface
Google Chrome is not a supported browser for use with the Administrative User Interface of the Cisco
Identity Service Engine (ISE), Release 1.1.3 and earlier versions.
If you use Google Chrome to edit the authorization policy rules, the policy ranking order might change,
which impacts authorization of end users.
This issue is limited to authenticated admin users with permissions to manage Cisco ISE authorization
polices. This issue does not apply to end users who use Google Chrome for web authentication for
network access.
Cisco ISE Hostname Character Length Limitation with Active Directory
It is important that Cisco ISE hostnames be limited to 15 characters or less in length, if you use Active
Directory on your network. Active Directory does not validate hostnames larger than 15 characters. This
can cause a problem if you have multiple ISE hosts in your deployment whose hostnames are identical
through the first 15 characters, and are only distinguishable by the characters that follow (the first 15).
Windows Internet Explorer 8 Known Issues
•
Issue Accessing the Cisco ISE Administrator User Interface
•
Cisco Secure ACS-to-Cisco ISE Migration User Interface Issue Using IE8
•
User Identity Groups User Interface Issue With IE 8
Issue Accessing the Cisco ISE Administrator User Interface
When you access the Cisco ISE administrator user interface using the host IP address as the destination
in the Internet Explorer 8 address bar, the browser automatically redirects your session to a different
location. This situation occurs when you install a real SSL certificate issued by a Certificate Authority
like VeriSign.
If possible, Cisco recommends using the Cisco ISE hostname or fully qualified domain name (FQDN)
you used to create the trusted SSL certificate to access the administrator user interface via Internet
Explorer 8.
Cisco Secure ACS-to-Cisco ISE Migration User Interface Issue Using IE8
There is a known migration consideration that affects successful migration of Cisco Secure ACS 5.1/5.2
data to the Cisco ISE appliance using the Cisco Secure ACS 5.1/5.2-ISE 1.0 Migration Tool.
The only currently supported browser for downloading the migration tool files is Firefox version 3.6.x.
Microsoft Windows Internet Explorer (IE8 and IE7) browsers are not currently supported for this
function.
For more information, see the Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1
and 5.2, Release 1.1.x.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
134
OL-26136-01
Known Issues
User Identity Groups User Interface Issue With IE 8
If you create and operate 100 User Identity Groups or more, a script in the Cisco ISE administrator user
interface Administration > Identity Management > User Identity Groups page can cause Internet
Explorer 8 to run slowly, looping until a pop-up appears asking you if you want to cancel the running
script. (If the script continues to run, your computer might become unresponsive.)
Issues With 2k Message Size in Monitoring and Troubleshooting
Cisco ISE monitoring and troubleshooting functions are designed to optimize data collection
performance messages of 8k in size. As a result, you may notice a slightly different message
performance rate when compiling 2k message sizes regularly.
Issues With More Than Three Users Accessing Monitoring and
Troubleshooting Concurrently
Although more than three concurrent users can log into Cisco ISE and view monitoring and
troubleshooting statistics and reports, more than three concurrent users accessing Cisco ISE can result
in unexpected behavior like (but not limited to) monitoring and troubleshooting reports and other pages
taking excessive amounts of time to launch, and the application sever restarting on its own.
Inline Posture Restrictions
•
Inline Posture is not supported in a virtual environment, such as VMware.
•
The Simple Network Management Protocol (SNMP) Agent is not supported by Inline Posture.
•
The Cisco Discovery Protocol (CDP) is not supported by Inline Posture.
Cisco IP phones using EAP-FAST
Cisco ISE, Release 1.0 does not support Cisco IP phones that are using EAP-FAST with certificates.
Cisco recommends using EAP-TLS with IP phones in your network.
Internationalization and Localization
This section covers the known issues relating to internationalization and localization.
Custom Language Templates
If you create a custom language template with a name that conflicts with a default template name, your
template is automatically renamed after an upgrade and restore. After an upgrade and restore, default
templates revert back to their default settings, and any templates with names that conflict with defaults
are renamed as follows: user_{LANG_TEMP_NAME}.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
135
Documentation Updates
Issues with Monitoring and Troubleshooting Restore
During the Monitoring and Troubleshooting restore, Cisco ISE application on the Monitoring node
restarts and the GUI is unavailable until the restore completes.
Documentation Updates
Table 52
Updates to Release Notes for Cisco Identity Services Engine, Release 1.1.x
Date
Description
5/15/14
Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 11,
page 26
5/15/14
Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 11,
page 46
4/14/14
Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 10,
page 27
3/19/14
Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 10,
page 47
2/18/14
Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 9,
page 47
2/18/14
Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 9,
page 27
11/11/13
Added Support for Windows 8.1 and Mac OS X 10.9, page 25
11/11/13
Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 8,
page 30
11/11/13
Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 8,
page 50
10/21/13
Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 10,
page 65
10/21/13
Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 7,
page 74
10/11/13
Added FIPS Compliance, page 8
10/11/13
Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 7,
page 31
10/11/13
Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 7,
page 51
8/30/13
Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 6,
page 33
8/30/13
Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 6,
page 53
8/27/13
Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 5,
page 33
Release Notes for Cisco Identity Services Engine, Release 1.1.x
136
OL-26136-01
Documentation Updates
Table 52
Updates to Release Notes for Cisco Identity Services Engine, Release 1.1.x
Date
Description
8/23/13
Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 5,
page 53
8/8/13
Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 6,
page 74
8/7/13
Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 9,
page 65
8/2/13
Added Resolved issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 4,
page 34
8/2/13
Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 4,
page 54
7/15/13
Added Resolved issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 3,
page 34
7/15/13
Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 3,
page 54
6/5/13
Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 2,
page 38
6/5/13
Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 2,
page 58
5/21/13
Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 8,
page 66
5/13/13
Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 7,
page 66
5/6/13
Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 1,
page 42
4/26/13
Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 6,
page 67
4/25/13
Cisco Identity Services Engine, Release 1.1.4
4/5/13
Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 1,
page 62
4/5/13
Added Integration with Cisco Prime Network Control System, page 80
4/2/13
•
Added CSCub17140 to Cisco ISE Release 1.1.x Open Caveats, page 80
•
Added CSCuc48613 to Known Issues, page 133
3/15/13
Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 5,
page 68
2/28/13
Cisco Identity Services Engine, Release 1.1.3
2/25/13
Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 4,
page 70
2/1/13
Added CSCud02566 to Cisco ISE Release 1.1.x Open Caveats, page 80
1/11/13
Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 3,
page 70
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
137
Documentation Updates
Table 52
Updates to Release Notes for Cisco Identity Services Engine, Release 1.1.x
Date
Description
12/21/12
Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 2,
page 71
11/16/12
Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 5,
page 75
11/2/12
Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 4,
page 76
10/31/12
Cisco Identity Services Engine, Release 1.1.2
10/12/12
9/5/12
7/27/12
•
Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 3,
page 77
•
Added caveats CSCub82418 and CSCuc34292 to Cisco ISE Release 1.1.x Open
Caveats, page 80
•
Added CSCub82071 to Cisco ISE Release 1.1.1 Resolved Caveats, page 132
•
Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 2,
page 78
•
Added CSCua32575, CSCua71361, CSCub16453, CSCub17522, and
CSCub45799 to Cisco ISE Release 1.1.x Open Caveats, page 80
•
Added CSCtz45714 to Cisco ISE Release 1.1.1 Resolved Caveats, page 132
Added CSCub29185 and CSCub29212 to Cisco ISE Release 1.1.x Open Caveats,
page 80
7/20/12
•
Added Creating Activated Guests, page 22 to New Features in Cisco ISE,
Release 1.1.1, page 19
7/17/12
•
Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 1,
page 79
•
Added CSCub01822 to Cisco ISE Release 1.1.x Open Caveats, page 80
7/10/12
Cisco Identity Services Engine, Release 1.1.1
Release Notes for Cisco Identity Services Engine, Release 1.1.x
138
OL-26136-01
Related Documentation
Related Documentation
This section provides lists of related release-specific and platform-specific documentation.
Release-Specific Documents
Table 53 lists the product documentation available for the Cisco ISE Release. General product
information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation is
available on Cisco.com at
http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.
Table 53
Product Documentation for Cisco Identity Services Engine
Document Title
Location
Release Notes for the Cisco Identity Services
Engine, Release 1.1.x
http://www.cisco.com/en/US/products/ps11640/
prod_release_notes_list.html
Cisco Identity Services Engine Network Component http://www.cisco.com/en/US/products/ps11640/
Compatibility, Release 1.1.x
products_device_support_tables_list.html
Cisco Identity Services Engine User Guide, Release http://www.cisco.com/en/US/products/ps11640/
1.1.x
products_user_guide_list.html
Cisco Identity Services Engine Hardware
Installation Guide, Release 1.1.x
http://www.cisco.com/en/US/products/ps11640/
prod_installation_guides_list.html
Cisco Identity Services Engine Upgrade Guide,
Release 1.1.x
http://www.cisco.com/en/US/products/ps11640/
prod_installation_guides_list.html
Cisco Identity Services Engine Migration Guide for http://www.cisco.com/en/US/products/ps11640/
Cisco Secure ACS 5.1 and 5.2, Release 1.1.x
prod_installation_guides_list.html
Cisco Identity Services Engine Sponsor Portal User http://www.cisco.com/en/US/products/ps11640/
Guide, Release 1.1.x
products_user_guide_list.html
Cisco Identity Services Engine CLI Reference
Guide, Release 1.1.x
http://www.cisco.com/en/US/products/ps11640/
prod_command_reference_list.html
Cisco Identity Services Engine API Reference
Guide, Release 1.1.x
http://www.cisco.com/en/US/products/ps11640/
prod_command_reference_list.html
Cisco Identity Services Engine Troubleshooting
Guide, Release 1.1.x
http://www.cisco.com/en/US/products/ps11640/
prod_troubleshooting_guides_list.html
Regulatory Compliance and Safety Information for http://www.cisco.com/en/US/products/ps11640/
Cisco Identity Services Engine, Cisco 1121 Secure prod_installation_guides_list.html
Access Control System, Cisco NAC Appliance,
Cisco NAC Guest Server, and Cisco NAC Profiler
Cisco Identity Services Engine In-Box
Documentation and China RoHS Pointer Card
http://www.cisco.com/en/US/products/ps11640/
products_documentation_roadmaps_list.html
Release Notes for Cisco Identity Services Engine, Release 1.1.x
OL-26136-01
139
Related Documentation
Platform-Specific Documents
Links to other platform-specific documentation are available at the following locations:
•
Cisco ISE
http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html
•
Cisco NAC Appliance
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
•
Cisco NAC Profiler
http://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html
•
Cisco NAC Guest Server
http://www.cisco.com/en/US/products/ps10160/tsd_products_support_series_home.html
•
Cisco Secure ACS
http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html
This document is to be used in conjunction with the documents listed in the “Related Documentation” section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of
Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The
use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any
examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only.
Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
В© 2014 Cisco Systems, Inc. All rights reserved.
Release Notes for Cisco Identity Services Engine, Release 1.1.x
140
OL-26136-01