
Release Notes for Cisco Identity Services Engine, Release 1.2.x

Revised: February 22, 2017, OL-27043-01

Contents

These release notes describe the features, limitations and restrictions (caveats), and related information for Cisco Identity Services Engine (ISE), Release 1.2.0 and 1.2.1. These release notes supplement the Cisco ISE documentation that is included with the product hardware and software release, and cover the following topics:

• Introduction

• Deployment Terminology, Node Types, and Personas

• System Requirements

• Installing Cisco ISE Software

• Upgrading Cisco ISE Software

• Cisco Secure ACS to Cisco ISE Migration

• Cisco ISE License Information

• Requirements for CA to Interoperate with Cisco ISE

• New Features in Cisco ISE, Release 1.2.1

• New Features in Cisco ISE, Release 1.2.0

• Known Issues in Cisco ISE, Release 1.2.x

• Cisco ISE Installation Files, Updates, and Client Resources

• Using the Bug Search Tool

• Cisco ISE, Release 1.2.0.899 Patch Updates

• Cisco ISE, Release 1.2.1.198 Patch Updates

• Cisco ISE, Release 1.2.x, Open Caveats

• Cisco ISE, Release 1.2.1, Resolved Caveats

• Cisco ISE, Release 1.2.0, Resolved Caveats

• Documentation Updates

• Related Documentation

Cisco Systems, Inc. www.cisco.com

Introduction

The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution. It offers authenticated network access, profiling, posture, BYOD device onboarding (native supplicant and certificate provisioning), guest management, and security group access services along with monitoring, reporting, and troubleshooting capabilities on a single physical or virtual appliance. Cisco ISE is available on two physical appliances with different performance characteristics, and also as software that can be run on a VMware server. You can add more appliances to a deployment for performance, scale, and resiliency.

Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also allows for configuration and management of distinct personas and services. This feature gives you the ability to create and apply services where they are needed in the network, but still operate the Cisco ISE deployment as a complete and coordinated system.

Deployment Terminology, Node Types, and Personas

Cisco ISE provides a scalable architecture that supports both standalone and distributed deployments.

Table 1 Cisco ISE Deployment Terminology

Term | Description
Service | Specific feature that a persona provides such as network access, profiler, posture, security group access, and monitoring.
Node | Individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and also as software that can be run on a VMware server. Each instance (either running on a Cisco ISE appliance or on a VMware server) that runs the Cisco ISE software is called a node.
Persona | Determines the services provided by a node. A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, Monitoring, and Inline Posture.
Deployment Model | Determines if your deployment is a standalone, high availability in standalone (a basic two-node deployment), or distributed deployment.

Types of Nodes and Personas

A Cisco ISE network has two types of nodes:

• Cisco ISE node, which can assume any of the following three personas:

– Administration—Allows you to perform all administrative operations for Cisco ISE. It handles all system-related configurations related to functionality such as authentication, authorization, auditing, and so on. In a distributed environment, you can have one or a maximum of two nodes running the Administration persona and configured as a primary and secondary pair. If the primary Administration node goes down, you have to manually promote the secondary Administration node. There is no automatic failover for the Administration persona.

– Policy Service—Provides network access, posturing, BYOD device onboarding (native supplicant and certificate provisioning), guest access, and profiling services. This persona evaluates the policies and makes all the decisions. You can have more than one node assuming this persona. Typically, there is more than one Policy Service persona in a distributed deployment. All Policy Service personas that reside behind a load balancer can be grouped together to form a node group. If one of the nodes in a node group fails, the other nodes in that group process the requests of the node that has failed, thereby providing high availability.

Note: At least one node in your distributed setup should assume the Policy Service persona.

– Monitoring—Enables Cisco ISE to function as a log collector and store log messages from all the Administration and Policy Service personas on the Cisco ISE nodes in your network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources.

A node with this persona aggregates and correlates the data that it collects to provide meaningful reports. Cisco ISE allows a maximum of two nodes with this persona that can assume primary or secondary roles for high availability. Both the primary and secondary Monitoring personas collect log messages. In case the primary Monitoring persona goes down, the secondary Monitoring persona automatically assumes the role of the primary Monitoring persona.

Note: At least one node in your distributed setup should assume the Monitoring persona. It is recommended that the Monitoring persona be on a separate, designated node for higher performance in terms of data collection and reporting.

• Inline Posture node is a gatekeeping node that is positioned behind network access devices such as wireless LAN controllers (WLCs) and VPN concentrators on the network. An Inline Posture node enforces access policies after a user has been authenticated and granted access, and handles change of authorization (CoA) requests that a WLC or VPN is unable to accommodate. Cisco ISE allows up to 10,000 Inline Posture Nodes in a deployment. You can pair two Inline Posture nodes together as a failover pair for high availability.

Note: An Inline Posture node is dedicated solely to that service and cannot operate concurrently with other Cisco ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node cannot assume any persona. Inline Posture nodes are not supported on VMware server systems.

Note: Each Cisco ISE node in a deployment can assume more than one persona (Administration, Policy Service, or Monitoring) at a time. By contrast, each Inline Posture node operates only in a dedicated gatekeeping role.

Table 2 Recommended Number of Nodes and Personas in a Distributed Deployment

Node / Persona | Minimum Number in a Deployment | Maximum Number in a Deployment
Administration | 1 | 2 (Configured as a high-availability pair)
Monitor | 1 | 2 (Configured as a high-availability pair)
Policy Service | 1 | 2—when the Administration/Monitoring/Policy Service personas are on the same primary/secondary appliances; 5—when Administration and Monitoring personas are on same appliance; 40—when each persona is on a dedicated appliance
Inline Posture | 0 | 10000

You can change the persona of a node. See the “Setting Up Cisco ISE in a Distributed Environment” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 for information on how to configure personas on Cisco ISE nodes.

System Requirements

• Supported Hardware

• Supported Virtual Environments

• Supported Browsers

• Supported Devices and Agents

• Supported Antivirus and Antispyware Products

Note: For more details on Cisco ISE hardware platforms and installation, see the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2.

Supported Hardware

Cisco ISE software is packaged with your appliance or image for installation. Cisco ISE, Release 1.2.x is shipped on the following platforms. After installation, you can configure Cisco ISE with specified component personas (Administration, Policy Service, and Monitoring) or as an Inline Posture node on the platforms that are listed in Table 3.

Table 3 Supported Hardware and Personas

Hardware Platform | Persona | Configuration
Cisco SNS-3415-K9 (small) | Any | Cisco UCS [1] C220 M3; Single socket Intel E5-2609 2.4-GHz CPU, 4 total cores, 4 total threads; 16-GB RAM; 1 x 600-GB disk; Embedded Software RAID 0; 4 GE network interfaces
Cisco SNS-3495-K9 [2] (large) | Administration, Policy Service, Monitor | Cisco UCS C220 M3; Dual socket Intel E5-2609 2.4-GHz CPU, 8 total cores, 8 total threads; 32-GB RAM; 2 x 600-GB disk; RAID 0+1; 4 GE network interfaces
Cisco ISE-3315-K9 (small) | Any | 1x Xeon 2.66-GHz quad-core processor; 4 GB RAM; 2 x 250 GB SATA [3] HDD [4]; 4x 1 GB NIC [5]
Cisco ISE-3355-K9 (medium) | Any | 1x Nehalem 2.0-GHz quad-core processor; 4 GB RAM; 2 x 300 GB 2.5 in. SATA HDD; RAID [6] (disabled); 4x 1 GB NIC; Redundant AC power
Cisco ISE-3395-K9 (large) | Any | 2x Nehalem 2.0-GHz quad-core processor; 4 GB RAM; 4 x 300 GB 2.5 in. SAS II HDD; RAID 1; 4x 1 GB NIC; Redundant AC power
Cisco ISE-VM-K9 (VMware) | Stand-alone Administration, Monitoring, and Policy Service (no Inline Posture) | For CPU and memory recommendations, refer to the “VMware Appliance Sizing Recommendations” section in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 [7]; For hard disk size recommendations, refer to the “Disk Space Requirements” section in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2; NIC—1 GB NIC interface required (You can install up to 4 NICs.); Supported VMware versions include ESX 4.x, ESXi 4.x and 5.x

1. Cisco Unified Computing System (UCS)

2. Inline posture is a 32-bit system and is not capable of symmetric multiprocessing (SMP). Therefore, it is not available on the SNS-3495 platform.

3. SATA = Serial Advanced Technology Attachment

4. HDD = hard disk drive

5. NIC = network interface card

6. RAID = Redundant Array of Independent Disks

7. Memory allocation of less than 4GB is not supported for any VMware appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 4GB prior to opening a case with the Cisco Technical Assistance Center.

If you are moving from Cisco Secure Access Control System (ACS) or Cisco NAC Appliance to Cisco ISE, the Cisco Secure ACS 1121 and Cisco NAC 3315 appliances support small deployments, Cisco NAC 3355 appliances support medium deployments, and Cisco NAC 3395 appliances support large deployments.

Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

• VMware ESX 4.x

• VMware ESXi 4.x

• VMware ESXi 5.x

Supported Browsers

The Cisco ISE, Release 1.2.x administrative user interface supports a web interface using the following HTTPS-enabled browsers:

• Mozilla Firefox version 5.x to 38.05.

• Microsoft Internet Explorer 8.x and later.

Note: The Cisco ISE user interface does not support using the Microsoft IE8 browser in IE7 compatibility mode. The Microsoft IE8 is supported in its IE8-only mode.

Adobe Flash Player 11.2.0.0 or above must be installed on the system running the client browser. The minimum required screen resolution to view the Administration portal and for a better user experience is 1280 x 800 pixels.

Supported Devices and Agents

Refer to Cisco Identity Services Engine Network Component Compatibility, Release 1.2 for information on supported devices, browsers, and agents.

Cisco NAC Agent Interoperability

The Cisco NAC Agent versions 4.9.4.3 and later can be used on both Cisco NAC Appliance Releases 4.9(1), 4.9(3), 4.9(4) and Cisco ISE Releases 1.1.3-patch 11, 1.1.4-patch 11, 1.2.0, and 1.2.1. This is the recommended model of deploying the NAC agent in an environment where users will be roaming between ISE and NAC deployments.

Support for Microsoft Active Directory

Cisco ISE, Release 1.2.x supports Microsoft Active Directory servers 2003, 2008, 2008 R2, 2012 at all functional levels.

Microsoft Active Directory server 2012 R2 and all updates are supported by Cisco ISE, Release 1.2.1.

Microsoft Active Directory version 2000 or its functional level is not supported by Cisco ISE.

Supported Antivirus and Antispyware Products

See the following link for specific antivirus and antispyware support details for Cisco NAC Agent and Cisco NAC Web Agent:

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-release-notes-list.html

Cisco NAC Web Agents have static compliance modules which cannot be upgraded without upgrading the Web Agent.

The following table lists the Web Agent versions and the compatible Compliance Module versions.

Table 4 Web Agent and Compliance Module Versions

Cisco NAC Web Agent version | Compliance Module Version
4.9.5.3 | 3.6.9845.2
4.9.5.2 | 3.6.9186.2
4.9.4.3 | 3.6.8194.2
4.9.0.1007 | 3.5.5980.2
4.9.0.1005 | 3.5.5980.2

Installing Cisco ISE Software

To install Cisco ISE, Release 1.2.x software on Cisco SNS-3415 and SNS-3495 hardware platforms, turn on the new appliance and configure the Cisco Integrated Management Controller (CIMC). You can then install Cisco ISE, Release 1.2.x over a network using CIMC or a bootable USB.

Note: When using virtual machines (VMs), we recommend that the guest VM have the correct time set using an NTP server before installing the .ISO image on the VMs.

Perform Cisco ISE initial configuration according to the instructions in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2. Before you run the setup program, ensure that you know the configuration parameters listed in Table 5.

Table 5 Cisco ISE Network Setup Configuration Parameters

Prompt | Description | Example
Hostname | Must not exceed 19 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). The first character must be a letter. | isebeta1
(eth0) Ethernet interface address | Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface. | 10.12.13.14
Netmask | Must be a valid IPv4 netmask. | 255.255.255.0
Default gateway | Must be a valid IPv4 address for the default gateway. | 10.12.13.1
DNS domain name | Cannot be an IP address. Valid characters include ASCII characters, any numerals, the hyphen (-), and the period (.). | mycompany.com
Primary name server | Must be a valid IPv4 address for the primary name server. | 10.15.20.25
Add/Edit another name server | Must be a valid IPv4 address for an additional name server. | (Optional) Allows you to configure multiple name servers. To do so, enter y to continue.
Primary NTP server | Must be a valid IPv4 address or hostname of a Network Time Protocol (NTP) server. | clock.nist.gov
Add/Edit another NTP server | Must be a valid NTP domain. | (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue.
System Time Zone | Must be a valid time zone. For details, see Cisco Identity Services Engine CLI Reference Guide, Release 1.2, which provides a list of time zones that Cisco ISE supports. For example, for Pacific Standard Time (PST), the System Time Zone is PST8PDT (or UTC-8 hours). The time zones referenced are the most frequently used time zones. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones. Note: We recommend that you set all Cisco ISE nodes to the UTC time zone. This setting ensures that the reports, logs, and posture agent log files from the various nodes in the deployment are always synchronized with the time stamps. | UTC (default)
Username | Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be three to eight characters in length and composed of valid alphanumeric characters (A–Z, a–z, or 0–9). | admin (default)
Password | Identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a–z), one uppercase letter (A–Z), and one numeral (0–9). | MyIseYPass2

Note: For additional information on configuring and managing Cisco ISE, see Release-Specific Documents to access other documents in the Cisco ISE documentation suite.

Upgrading Cisco ISE Software

Cisco Identity Services Engine (ISE) supports upgrades from the CLI only. Supported upgrade paths include:

• Cisco ISE, Release 1.1.0, with Patch 5 or later applied

• Cisco ISE, Release 1.1.1, with Patch 7 or later applied

• Cisco ISE, Release 1.1.2, with Patch 10 or later applied

• Cisco ISE, Release 1.1.3, with Patch 11 or later applied

• Cisco ISE, Release 1.1.4, with Patch 11 or later applied

• Cisco ISE, Release 1.2.0, with Patch 8 or later applied

Note: Upgrade to Cisco ISE, Release 1.2.0.899 is not required before upgrading to Release 1.2.1.198.

Follow the upgrade instructions in the Cisco Identity Services Engine Upgrade Guide, Release 1.2 to upgrade to Cisco ISE, Release 1.2.x.

Note: When you upgrade to Cisco ISE, Release 1.2.x, you may be required to open network ports that were not used in previous releases of Cisco ISE. For more information, see "Appendix C, Cisco SNS-3400 Series Appliance Ports Reference" in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2.

Upgrade Considerations and Requirements

Read the following sections before you upgrade to Cisco ISE, Release 1.2.x:

• iPEP Support on Cisco ISE 1.2.x

• iPEP Deployment Modes

• Network Interface Cards (NICs) for iPEP Deployment

• Firewall Ports That Must be Open for Communication

• VMware Operating System to be Changed to RHEL 5 (64-bit)

• Guest Users Identity Source

• Other Known Upgrade Considerations and Issues

iPEP Support on Cisco ISE 1.2.x

Cisco ISE, Release 1.2 and 1.2.1 can be installed on an iPEP node by using the Cisco ISE 1.2.1 version of iPEP.

iPEP Deployment Modes

The Administration > System > Deployment > Deployment Modes page facilitates the editing of iPEP ISE 1.2 active and standby nodes. However, configuration changes will not be reflected while switching between the Routed Mode and the Maintenance Mode.

Network Interface Cards (NICs) for iPEP Deployment

In the iPEP deployment for Cisco UCS SNS 3400 appliances, eth0 and eth1 network cables should be plugged into the Broadcom NICs on PCI Riser Card. In the iPEP HA deployment, eth2 and eth3 network cables should be plugged into the Intel NICs.

Firewall Ports That Must be Open for Communication

The replication ports have changed in Cisco ISE, Release 1.2 and if you have deployed a firewall between the primary Administration node and any other node, the following ports must be open before you upgrade to Release 1.2:

• TCP 1528—For communication between the primary administration node and monitoring nodes.

• TCP 443—For communication between the primary administration node and all other secondary nodes.

• TCP 12001—For global cluster replication.

For a full list of ports that Cisco ISE, Release 1.2 uses, refer to the Cisco SNS-3400 Series Appliance Ports Reference.
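A pre-upgrade reachability check for the three replication ports listed above, as an added example that is not Cisco tooling or part of the original release notes. The hostnames, persona labels and function names are constructed; it assumes the check is run from a host on the primary Administration node's side of the firewall, and that TCP 12001 is tested toward every other node because the notes do not say which node pairs use it.

```python
# Added example, not Cisco tooling. Hostnames and persona labels are constructed.
import socket
from typing import Callable, Dict, Iterable, List, Tuple

Flow = Tuple[str, int, str]  # (destination host, TCP port, purpose)


def required_flows(nodes: Dict[str, Iterable[str]], primary_admin: str) -> List[Flow]:
    """Build the list of TCP flows the release notes say must be open.

    `nodes` maps each hostname to the personas it runs.
    """
    flows: List[Flow] = []
    for host in sorted(nodes):
        if host == primary_admin:
            continue  # flows are checked from the primary toward the others
        personas = {p.lower() for p in nodes[host]}
        if "monitoring" in personas:
            flows.append((host, 1528, "primary Administration <-> Monitoring"))
        flows.append((host, 443, "primary Administration <-> secondary node"))
        # Assumption: the notes do not name the node pairs for 12001,
        # so it is checked toward every other node in the deployment.
        flows.append((host, 12001, "global cluster replication"))
    return flows


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, unresolvable or timed out
        return False


def blocked_flows(flows: Iterable[Flow],
                  connect: Callable[[str, int], bool] = tcp_connect) -> List[Flow]:
    """Return the flows that could not be established."""
    return [flow for flow in flows if not connect(flow[0], flow[1])]


# Constructed sample deployment.
SAMPLE_NODES = {
    "ise-pan1.example.com": ["Administration"],
    "ise-pan2.example.com": ["Administration"],
    "ise-mnt1.example.com": ["Monitoring"],
    "ise-psn1.example.com": ["Policy Service"],
}

if __name__ == "__main__":
    flows = required_flows(SAMPLE_NODES, "ise-pan1.example.com")
    for host, port, purpose in blocked_flows(flows):
        print(f"BLOCKED tcp/{port} -> {host} ({purpose})")
```

A failed connection can mean either that the firewall filters the port or that the service is not listening on the node, so confirm against the firewall rule set before changing it.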

VMware Operating System to be Changed to RHEL 5 (64-bit)

Cisco ISE, Release 1.2.x has a 64-bit architecture. If a Cisco ISE node is running on a virtual machine, ensure that the virtual machine's hardware is compatible with 64-bit systems:

Note: You must power down the virtual machine before you make these changes and power it back on after the changes are done.

• Enable BIOS settings that are required for 64-bit systems. See the following resources for more information:

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1003945

• Ensure that you choose Linux as the Guest Operating System and Red Hat Enterprise Linux 5 (64-bit) as the version. See http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1005870 for more information.

Guest Users Identity Source

In previous releases of Cisco ISE, guest-user records were available in the Internal Users database. Cisco ISE, Release 1.2.x introduces a Guest Users database, which is different than the Internal Users database. If you have added the Internal Users database to the identity-source sequence, the Guest Users database also becomes part of the identity-source sequence. If guest-user logins are not required, remove the Guest Users database from the identity-source sequence.

Other Known Upgrade Considerations and Issues

Refer to the Cisco Identity Services Engine Upgrade Guide, Release 1.2.x for other known upgrade considerations and issues:

• http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.html#ID50

• http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.html#ID244

Cisco Secure ACS to Cisco ISE Migration

Cisco ISE, Release 1.2.x supports migration from Cisco Secure ACS, Release 5.3 only. You must upgrade the Cisco Secure ACS deployment to Release 5.3 before you attempt to perform the migration process to Cisco ISE, Release 1.2.

Cisco ISE does not provide full parity to all the features available in ACS 5.3, especially policies. After migration, you may notice some differences in the way existing data types and elements appear in the new Cisco ISE environment. It is recommended to use the migration tool for migrating specific objects like network devices, internal users, and identity store definitions from ACS. Once the migration is complete, you can manually define the policies for relevant features that are appropriate to Cisco ISE.

The migration tool only supports Mozilla Firefox, versions 3.6, 6, 7, 8, 9, and 10. Microsoft Windows Internet Explorer (IE8 and IE7) browsers are not currently supported in this release.

Complete instructions for moving a Cisco Secure ACS 5.3 database to Cisco ISE Release 1.2.x are available in the Cisco Identity Services Engine, Release 1.2 Migration Tool Guide.

Cisco ISE License Information

Cisco ISE comes with a 90-day Base and Advanced Package Evaluation License already installed on the system. After you have installed the Cisco ISE software and initially configured the primary Administration persona, you must obtain and apply a Base, Plus, Advanced, or Wireless license.

Cisco ISE, Release 1.2 Patch 8 and 1.2.1 include the new Plus license. The Plus license provides the following services:

• Bring Your Own Device (BYOD)

• Profiling

• Endpoint Protection Service (EPS)

• TrustSec SGT

The Advanced license provides access to the same features as the Plus license, as well as additional services. The Plus license does not include Base services.

Note: Some of the validation messages and alarms may report in terms of the Advanced license instead of the Plus license. For example, attempting to install a Plus license without a Base license results in ISE incorrectly reporting it as an attempt to install an Advanced license without a Base license. Similarly, ISE will report the expiration of a Plus license as the expiration of an Advanced license.

For more detailed information on license types and obtaining licenses for Cisco ISE, see Cisco Identity Service Engine Hardware Installation Guide, Release 1.2.

Cisco ISE, Release 1.2.x, supports licenses with two hardware IDs. You can obtain a license based on the hardware IDs of both the primary and secondary Administration nodes. For more information on Cisco ISE, Release 1.2.x licenses, see the Cisco Identity Services Engine Licensing Note.

Requirements for CA to Interoperate with Cisco ISE

While using a CA server with Cisco ISE, make sure that the following requirements are met:

• Key size should be 1024, 2048, or higher. On the CA server, the key size is defined using the certificate template. You can define the key size on Cisco ISE using the supplicant profile.

• Key usage should allow signing and encryption in extension.

• While using GetCACapabilities through the SCEP protocol, cryptography algorithm and request hash should be supported. It is recommended to use RSA + SHA1.

• Online Certificate Status Protocol (OCSP) is supported. This is not directly used in BYOD, but a CA that can act as an OCSP server can be used for certificate revocation.

New Features in Cisco ISE, Release 1.2.1

Cisco ISE, Release 1.2.1 offers the following features and services:

• New Plus License

• Certificate Renewal

• Upgrade Enhancements

New Plus License

Cisco ISE, Release 1.2.1 includes the new Plus license. The Plus license provides the following services:

• Bring Your Own Device (BYOD)

• Profiling

• Endpoint Protection Service (EPS)

• TrustSec SGT

The Advanced license provides access to the same features as the Plus license, as well as additional services. The Plus license does not include Base services.

For more information, refer to the “Cisco ISE Licenses” chapter in the Cisco Identity Services Engine User Guide, Release 1.2.

Certificate Renewal

This release of Cisco ISE allows users to renew certificates that have expired or are about to expire on their personal devices.

By default, Cisco ISE rejects a request that comes from a device whose certificate has expired. However, you can change this default behavior and configure ISE to process such requests and prompt the user to renew the certificate.

If you choose to allow the user to renew the certificate, Cisco recommends that you configure an authorization policy rule which checks if the certificate has been renewed before processing the request any further. Processing a request from a device whose certificate has expired may pose a potential security threat. Hence, you must configure appropriate authorization profiles and rules to ensure that your organization’s security is not compromised.

Some devices allow you to renew certificates before and after their expiry. On Windows devices, however, you can renew a certificate only before it expires. Apple iOS, Mac OSX, and Android devices allow you to renew certificates before or after their expiry.

Newly Added Dictionary Attributes

The following attributes are added to the Cisco ISE certificate dictionary and are used in policy conditions to allow a user to renew the certificate:

• Days to Expiry: This attribute provides the number of days for which the certificate is valid. You can use this attribute to create a condition that can be used in authorization policy. This attribute can take a value from 0 to 15. A value of 0 indicates that the certificate has already expired. A value of 1 indicates that the certificate has less than 1 day before it expires.

• Is Expired: This Boolean attribute indicates whether a certificate has expired or not.

Newly Added Authorization Policy Simple Condition

A new simple condition is now added that should be used in authorization policy to ensure that a certificate (expired or about to expire) is renewed before Cisco ISE processes the request further. This simple condition is called CertRenewalRequired.

CWA Redirect To Renew Certificates

If a user certificate is revoked before its expiry, Cisco ISE checks the CRL published by the CA and rejects the authentication request. However, if a revoked certificate has expired, the CA may not publish this certificate in its CRL. In this scenario, it is possible for Cisco ISE to renew a certificate that has been revoked. To avoid this, before you renew a certificate, ensure that the request is redirected to Central Web Authentication (CWA) for a full authentication. You must create an authorization profile to redirect the user for CWA.
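The renewal decision described above, modelled as an added Python example (not Cisco ISE code). It shows why the CWA redirect matters once a revoked certificate has expired and dropped out of the CRL. The rounding and the cap used for Days to Expiry, the renewal window, the semantics given to CertRenewalRequired, and all certificates and serial numbers are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_DAYS_TO_EXPIRY = 15  # the release notes give 0..15 as the attribute's range


@dataclass(frozen=True)
class ClientCert:
    serial: str
    not_after: datetime


@dataclass(frozen=True)
class RenewalPolicy:
    allow_expired: bool = False       # ISE default: reject expired certificates
    renewal_window_days: int = 7      # hypothetical "about to expire" threshold
    cwa_before_renewal: bool = True   # redirect to CWA before any renewal


def days_to_expiry(cert, now):
    """Model of Days to Expiry: 0 = expired, 1 = under a day left, max 15.

    Rounding up and clamping at 15 are assumptions of this sketch.
    """
    remaining = cert.not_after - now
    if remaining <= timedelta(0):
        return 0
    return min(math.ceil(remaining / timedelta(days=1)), MAX_DAYS_TO_EXPIRY)


def is_expired(cert, now):
    """Model of the Boolean Is Expired attribute."""
    return days_to_expiry(cert, now) == 0


def cert_renewal_required(cert, now, policy):
    """Stand-in for the CertRenewalRequired condition (semantics assumed)."""
    return days_to_expiry(cert, now) <= policy.renewal_window_days


def authorize(cert, now, published_crl, policy, cwa_passed=False):
    """Return REJECT, PERMIT, REDIRECT_CWA or REDIRECT_RENEW for one request."""
    if cert.serial in published_crl:
        return "REJECT"                  # revoked and still listed by the CA
    if is_expired(cert, now) and not policy.allow_expired:
        return "REJECT"                  # default handling of expired certificates
    if not cert_renewal_required(cert, now, policy):
        return "PERMIT"
    if policy.cwa_before_renewal and not cwa_passed:
        return "REDIRECT_CWA"            # full authentication before renewal
    return "REDIRECT_RENEW"


# Constructed sample data: certificates, serials and CRL are made up.
NOW = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)
HEALTHY = ClientCert("0A01", NOW + timedelta(days=90))
EXPIRING = ClientCert("0A02", NOW + timedelta(hours=10))
EXPIRED = ClientCert("0A03", NOW - timedelta(days=3))
REVOKED_LIVE = ClientCert("0B01", NOW + timedelta(days=30))
REVOKED_EXPIRED = ClientCert("0B02", NOW - timedelta(days=3))
# The CA still lists 0B01 but has dropped the expired 0B02 from its CRL.
PUBLISHED_CRL = frozenset({"0B01"})

DEFAULT_POLICY = RenewalPolicy()
WEAK_POLICY = RenewalPolicy(allow_expired=True, cwa_before_renewal=False)
HARDENED_POLICY = RenewalPolicy(allow_expired=True, cwa_before_renewal=True)


def run_scenarios():
    """Decision for each sample certificate as (weak policy, hardened policy)."""
    certs = {
        "healthy": HEALTHY,
        "expiring": EXPIRING,
        "expired": EXPIRED,
        "revoked_live": REVOKED_LIVE,
        "revoked_expired": REVOKED_EXPIRED,
    }
    return {
        name: (
            authorize(cert, NOW, PUBLISHED_CRL, WEAK_POLICY),
            authorize(cert, NOW, PUBLISHED_CRL, HARDENED_POLICY),
        )
        for name, cert in certs.items()
    }


if __name__ == "__main__":
    for name, (weak, hardened) in run_scenarios().items():
        print(f"{name:16} weak={weak:15} hardened={hardened}")
```

Under the weak policy the revoked-and-expired certificate goes straight to renewal because the CRL no longer lists it; with the CWA redirect the user has to pass a full authentication first.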

Upgrade Enhancements

Cisco ISE, Release 1.2.1 includes the following upgrade enhancements for a seamless upgrade experience.

Virtual Machine Resource Checks

The upgrade software now checks if the virtual machine’s hardware (such as hard disk size, CPU speed, etc.) meets the recommended specifications before it begins the upgrade. If the VM resources do not meet the recommended specification, the upgrade will fail without making any changes to the existing ISE installation. The console will display a message stating the minimum resource requirements and that the upgrade can be retried after the virtual machine’s hardware has been updated to meet those requirements.

Upgrade Bundle SHA-256 Checksum Verification

The upgrade software verifies the SHA-256 checksum of the upgrade bundle before starting the upgrade process. This check ensures that the upgrade does not fail because of corrupt upgrade software and leave the system in a corrupt state. If the upgrade bundle is corrupted, the console displays a message asking the administrator to re-download the upgrade bundle and try the upgrade again.

Monitoring Database Object Checks

In earlier releases, Cisco ISE upgrades have failed because of missing Monitoring database objects. In this release, the upgrade software checks for the Monitoring database objects to ensure that they are present before the upgrade begins. In the rare cases where the database objects are still missing, the administrator must restore from a backup taken before the upgrade.

Enhanced Show Tech Support Command Output

The show tech-support command is enhanced and now includes the database health report, alert log errors, processes that consume resources, database memory usage, and so on. This output is readable and is also available in the Support Bundle. You can run the show tech-support command on demand to check the health of the database. The output can help the administrator with troubleshooting, if needed.

Database Enhancements

This release includes several database enhancements that improve Cisco ISE performance. Index entries and corrupt data blocks are identified before the upgrade begins.

New Features in Cisco ISE, Release 1.2.0

Cisco ISE, Release 1.2 offers the following features and services:

• Support for UCS Hardware

• Improved Performance and Scalability

• Mobile Device Management Interoperability with Cisco ISE

• MAB from Non-Cisco Switches

• Support for Universal Certificates

• Policy Sets

• Profiler Feed Service

• Logical Profiles

• Enhanced Guest and Sponsor Pages

• RADIUS Authentication Suppression

• Collection Filters

• Support for Secure Syslogs

• Support for Windows 2012 Active Directory

• Global Search

• Session Trace

• Enhancement to Client Provisioning

• Enhanced Reports and Alarms

• Enhancements to Live Authentications Page

• Enhancements to Cisco NAC Agent

• External RESTful Services

For more information on key features of Cisco ISE, see the “Overview” chapter in the Cisco Identity Services Engine User Guide, Release 1.2.

Support for UCS Hardware

Cisco ISE, Release 1.2.0, supports Cisco Unified Computing System (UCS) C220 hardware, which is shipped on the following platforms:

• SNS-3415 (small)

• SNS-3495 (large)

Refer to Table 3 for other platforms supported by Cisco ISE.

For more information, refer to the Cisco Identity Service Engine Hardware Installation Guide, Release 1.2.

Improved Performance and Scalability

Cisco ISE, Release 1.2.0 offers better performance and scale compared to previous versions. Cisco ISE 1.2 has moved from a 32-bit architecture to a 64-bit architecture, improving the overall performance from 100,000 concurrent endpoints per ISE deployment in ISE 1.1.x to 250,000 concurrent endpoints in ISE 1.2.

Mobile Device Management Interoperability with Cisco ISE

This release of Cisco ISE can interoperate with Mobile Device Management (MDM) servers to secure, monitor, and support mobile devices that are deployed across mobile operators, service providers, and enterprises.

Cisco ISE, Release 1.2.0 supports MDM servers from the following vendors:

• Airwatch, Inc.

• Good Technology

• MobileIron, Inc.

• Zenprise, Inc.

• SAP Afaria

• FiberLink Maas360

• Cisco Mobile Collaboration Management Services (MCMS)

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

MAB from Non-Cisco Switches

Cisco ISE, Release 1.2.0 supports Machine Authentication Bypass (MAB) from non-Cisco switches using the Cisco ISE endpoints database.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Support for Universal Certificates

Cisco ISE, Release 1.2.0 supports the use of wildcard server certificates for HTTPS (web-based services) and EAP protocols that use SSL/TLS tunneling. With the use of universal certificates, you no longer have to generate a unique certificate for each Cisco ISE node. Also, you no longer have to populate the SAN field with multiple FQDN values to prevent certificate warnings. Using an asterisk (*) in the SAN field allows you to share a single certificate across multiple nodes in a deployment and helps prevent certificate-name mismatch warnings.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Note: The universal certificates are referred to as wildcard certificates in the user guide.

Policy Sets

This release of Cisco ISE allows you to create sets of authentication and authorization policies for various use cases. Policy sets are similar to access services in Cisco Secure ACS 5.x releases.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Profiler Feed Service

Cisco ISE, Release 1.2.x provides a profiler feed service for publishing new profile definitions, updated profile definitions, and new OUI databases posted from IEEE.

With the introduction of the profiler feed service, the profiler conditions, exception actions, and Network Mapper (NMAP) scan actions are classified as Cisco provided or administrator created (see the System Type attribute) in Cisco ISE. Also, endpoint profiling policies are classified as Cisco provided, administrator created, or administrator modified (see the System Type attribute). You can perform different operations on the profiler conditions, exception actions, NMAP scan actions, and endpoint profiling policies depending on the System Type attribute.

You can retrieve new and updated endpoint profiling policies and the updated OUI database as a feed from a designated Cisco feed server through a subscription in Cisco ISE. You can also receive email notifications at an administrator email address that is configured for applied, success, and failure messages. You can also provide additional subscriber information to receive notifications. You can send the subscriber information back to Cisco to maintain the records; this information is treated as privileged and confidential.

Note: To ensure that the most up-to-date OUI database is installed, run the feed service after any Cisco ISE patch or maintenance installation.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Logical Profiles

Cisco ISE profiles can be grouped in logical profiles. A logical profile is a container for a category of profiles or associated profiles, irrespective of Cisco-provided or administrator-created endpoint profiling policies. An endpoint-profiling policy can be associated with multiple logical profiles.

You can use the logical profile in an authorization-policy condition to help create an overall network-access policy for a category of profiles.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Enhanced Guest and Sponsor Pages

This release of Cisco ISE provides new default themes for the Guest and Sponsor portal pages. You can customize the pages by uploading logos and editing the color schemes.

When guests access the Guest portal using a mobile device, they are routed automatically to a mobile-optimized version of the Guest portal.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

RADIUS Authentication Suppression

This release of Cisco ISE allows you to configure RADIUS settings to detect the clients that fail to authenticate and to suppress the repeated reporting of successful authentications.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Collection Filters

You can configure collection filters to suppress syslog messages being sent to the monitoring and external servers. The suppression can be performed at the Policy Service Node level based on different attribute types.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Support for Secure Syslogs

Cisco ISE, Release 1.2.0 can be configured to send secure syslogs to Monitoring nodes and between Cisco ISE nodes, by enabling TLS-protected syslog collectors.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Support for Windows 2012 Active Directory

Cisco ISE, Release 1.2.0 supports Microsoft Windows 2012 Active Directory.

Global Search

Cisco ISE, Release 1.2.0 provides a system-wide endpoint search box that you can use to quickly find and filter endpoints and users on a network. The search result includes detailed session information about each of the matching results, such as the type of access, location, endpoint MAC and IP address, and authorization profile. You can also export these results for further analysis.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Session Trace

Cisco ISE, Release 1.2.0 provides a more efficient troubleshooting functionality. After search results are displayed, you can click the “play” button for more details. A new detailed screen with full session information for the endpoint is displayed.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Enhancement to Client Provisioning

Starting with Cisco ISE, Release 1.2.0, you must include the client provisioning URL in the authorization policy to enable the NAC Agent to pop up on client machines. This prevents requests from arbitrary clients and ensures that only clients with the proper redirect URL can request posture assessment.

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Enhanced Reports and Alarms

Cisco ISE, Release 1.2.0 reports have a new look and feel that is simpler and easier to use. The reports are grouped into logical categories for information related to authentication, session traffic, device administration, configuration and administration, and troubleshooting. A new scheduling service allows you to queue reports and receive notification when they are available.

Table 6 Changes to Reports in Cisco ISE, Release 1.2

| Report Name | Change |
| --- | --- |
| Endpoint Time to Profiler | Removed |
| Authentication Failure Code Lookup | Removed |
| Network Device Log Message | Removed |
| PAC Provisioning | Removed |
| Policy CoA | Removed |
| Posture Trend | Removed |
| Endpoint Operations History | Removed |
| AAA Down Summary | Removed. If a AAA server is down, you can see it on the dashboard and in the Health Summary report. |
| TOP N AAA Down by Network Device | Removed. If a AAA server is down, you can see it on the dashboard and in the Health Summary report. |
| Authentication Trend | Renamed as Authentication Summary report. |
| TOP N Authentication by Allowed Protocol | Moved to the Authentication Summary report. You can filter the report by Allowed Protocols. |
| Server Authentication Summary | Moved to the Authentication Summary report. You can filter the report by Server. |
| TOP N Authentication by Server | Moved to the Top N Authentication report. You can filter the report by Server. |
| TOP N Authentication by Machine | Renamed as Top N Authentication by Endpoint. |

In Cisco ISE, Release 1.2.0, a new dashlet is on the dashboard that allows you to enable and disable alarms and make minor configuration changes. The following is a list of alarms that are removed in Cisco ISE, Release 1.2:

• Administrator Account Disabled

• Max Administrator Sessions Exceeded

• Restore Successful

• Purge Backup Success

• Replication Syn Failure

• High CPU Utilization

• Purge Failure

• Purge Success

• Application Exceeded Maximum Disk space

• Base License count

• Advanced License count

• Admin Account Lockout

• NTP Server not Reachable

• Disk Cleanup

• Successful Node Registration

• Successful Patch Install

• Successful Patch RollBack

• Successful Node Deregistration

• Successful Update Node

• UnSuccessful Add Node

• UnSuccessful Patch Install

• UnSuccessful Patch Roll Back

• UnSuccessful Remove Node

• UnSuccessful Update Node

Table 6 Changes to Reports in Cisco ISE, Release 1.2 (continued)

| Report Name | Change |
| --- | --- |
| Failure Reason Authentication Summary | Moved to the Authentication Summary report. You can filter the report by Failure Reason. |
| TOP N Authentication by Network Device | Moved to the Authentication Summary report. You can filter the report by Network Device. |
| Session Status Summary | Renamed as Network Device Session Status report. |
| User Authentication Summary | Moved to the Authentication Summary report. You can filter the report by User. |
| Radius Terminated Sessions | Moved to the Session View report. You can filter the report by Terminated Sessions. |

For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Enhancements to Live Authentications Page

The Live Authentications page on the Cisco ISE dashboard shows the details corresponding to authentication entries. In addition to these live authentication entries, the Live Authentications page is enhanced to show the live-session entries. You can also get a detailed report on a session.

For more information on the enhancements to the Authentications page, see Cisco Identity Services Engine User Guide, Release 1.2.

Enhancements to Cisco NAC Agent

The following enhancements have been added to Cisco NAC Agent in Cisco ISE, Release 1.2.0.

Cisco NAC Agent for Windows

• Support for the Polish Language.

• Support for the Microsoft Windows 8 Operating System. In Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. If users are still not able to download Cisco NAC agent, check and enable “compatibility mode.”

• Support for the Log Packager option in the Agent Icon to collect support logs.

• New for Cisco ISE 1.2.0 patch 3: support for Microsoft Windows 8.1.

Cisco NAC Agent for Mac OS X

• Support for the Collect Support Logs option in the Agent Icon to collect Agent logs and support information.

• Notification screen appears automatically when the Agent window is buried by other windows.

• Support for the Acceptable Use Policy (AUP).

• New for Cisco ISE 1.2.0 patch 3: support for Mac OS X 10.9.

External RESTful Services

External RESTful Services (ERS) is a new Cisco ISE component that allows you to perform Create, Read, Update, and Delete (CRUD) operations on Cisco ISE resources. ERS also allows you to run advanced queries against the Cisco ISE database and perform bulk operations such as mass updates or deletions.

ERS is based on HTTPS and REST methodology. These APIs provide an interface to the ISE configuration data by enabling internal user identities, endpoints, endpoint groups, identity groups, SGTs, and profiler policies to perform CRUD operations on the ISE data.

Refer to the Cisco Identity Services Engine API Reference Guide, Release 1.2 for more information.

Supplicant Provisioning Wizard

This section lists the SPW versions that were introduced during the patch releases. See Also Resolved SPW Caveats, page 180.

• Cisco ISE Release 1.2, patch 11 introduced SPW version 1.0.0.41 for Windows.

• Cisco ISE Release 1.2, patch 12 introduced SPW version 1.0.0.43 for Windows and 1.0.0.30 for Mac OS X.

Cisco NAC Agent

This section lists new Agent versions that were posted during the patch releases. See Also Resolved Agent Caveats, page 179.

• Cisco ISE Release 1.2, patch 12 introduced Mac OS X Agent 4.9.5.3 that supports Mac OS X 10.10 clients.

Known Issues in Cisco ISE, Release 1.2.x

• Mobile Devices Without VLAN

• Web Portal Customization for the Russian Language

• Device Registration Portal

• Cisco ISE Hostname Character Length Limitation with Active Directory

• Windows Internet Explorer 8 Known Issues

– Issue Accessing the Cisco ISE Administrator User Interface

– User Identity Groups Issue

• Known Supplicant Compatibility Issue Involving VLAN Change Operation on Windows Client Machines

• Issues with Message Size in Monitoring and Troubleshooting

• Issues with Accessing Monitoring and Troubleshooting

• Inline Posture Restrictions

• Custom Language Templates

• Issues with Monitoring and Troubleshooting Restores

• Issue with Network Device Session Status Report

• BYOD Connectivity Issue with Devices running Windows 7

• Issue with Converged Access Switches

• Issue with Cisco ISE Mapping to OUI

Mobile Devices Without VLAN

When a mobile device completes the guest flow without VLAN/IP refresh enabled in the Guest Portal, it matches the permit access authorization policy, followed by a CoA termination that deletes the session. The device then goes through the guest flow again and forms a loop.

Web Portal Customization for the Russian Language

When you want to customize a web portal to use the Russian language template, the Browser Locale Mapping for the Russian template is “ru-ru.” However, this default mapping does not work on iPhones. If you encounter this issue, you can create a duplicate template with the Browser Locale Mapping set to “ru.”

Device Registration Portal

When a guest user registers a device using its MAC address, the device does not appear in the Device Registration Portal under the list of Registered Devices. This issue is seen in secondary Policy Service nodes in a distributed deployment and occurs because of replication latency issues.

As a workaround, click the Refresh button to view the newly registered device.

Cisco ISE Hostname Character Length Limitation with Active Directory

If you use Microsoft Active Directory on the network, limit Cisco ISE hostnames to 15 characters or fewer. Active Directory does not validate hostnames longer than 15 characters. This can cause a problem if you have multiple Cisco ISE hosts in your deployment that have hostnames longer than 15 characters. If the first 15 characters are identical, Active Directory will not be able to distinguish them.
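A pre-deployment check for the limitation above, as an added Python example (not a Cisco tool). It flags node names longer than 15 characters and groups nodes whose first 15 characters are identical. The node names are constructed, and comparing names case-insensitively is an assumption of this sketch.

```python
from collections import defaultdict

AD_NAME_LIMIT = 15  # character limit stated in the release notes


def short_name(host):
    """Host part of a hostname or FQDN, upper-cased for comparison (assumed)."""
    return host.strip().rstrip(".").split(".", 1)[0].upper()


def audit_ise_hostnames(hosts):
    """Return (too_long, collisions) for a list of hostnames or FQDNs.

    too_long   -- hosts whose short name exceeds 15 characters
    collisions -- {15-character prefix: [hosts]} shared by two or more hosts
    """
    too_long = []
    by_prefix = defaultdict(list)
    for host in hosts:
        name = short_name(host)
        if len(name) > AD_NAME_LIMIT:
            too_long.append(host)
        by_prefix[name[:AD_NAME_LIMIT]].append(host)
    collisions = {p: hs for p, hs in by_prefix.items() if len(hs) > 1}
    return too_long, collisions


# Constructed deployment inventory (hypothetical node names).
PLANNED_NODES = [
    "ise-pan-01.corp.example.com",
    "ise-psn-datacenter-east-01.corp.example.com",
    "ise-psn-datacenter-east-02.corp.example.com",
    "ise-psn-datacenter-west-01.corp.example.com",
    "ISE-MNT-01.corp.example.com",
]

if __name__ == "__main__":
    long_names, clashes = audit_ise_hostnames(PLANNED_NODES)
    for host in long_names:
        print(f"over {AD_NAME_LIMIT} characters: {host}")
    for prefix, group in clashes.items():
        print(f"indistinguishable as {prefix}: {', '.join(group)}")
```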

Windows Internet Explorer 8 Known Issues

• Issue Accessing the Cisco ISE Administrator User Interface

• User Identity Groups Issue

Issue Accessing the Cisco ISE Administrator User Interface

When you access the Cisco ISE administrator user interface using the host IP address as the destination in the Internet Explorer 8 address bar, the browser automatically redirects the session to a different location. This situation occurs when you install a real SSL certificate issued by a certificate authority like VeriSign.

If possible, we recommend using the Cisco ISE hostname or fully qualified domain name (FQDN) that was used to create the trusted SSL certificate to access the administrator user interface via Internet Explorer 8.

User Identity Groups Issue

If you create and operate 100 or more User Identity Groups, a script in the Cisco ISE administrator user interface can cause Internet Explorer 8 to run slowly, looping until a pop-up appears asking you if you want to cancel the running script. (If the script continues to run, your computer might become unresponsive.)

Known Supplicant Compatibility Issue Involving VLAN Change Operation on Windows Client Machines

There is a known issue with the Intel Supplicant version 12.4.x for Windows client machines with regard to a VLAN change for wireless deployments. The client machine has no connectivity because the NIC IP address is in the compliant/non compliant VLAN when it should be in the pre posture/pending VLAN.

Note: This issue affects any supplicant that cannot perform an IP address refresh on a VLAN change in a wireless environment. This issue is related to the VLAN detect (Access VLAN to Authentication VLAN change) functionality, where the Cisco NAC Agent is not working correctly with wireless adapters.

Issues with Message Size in Monitoring and Troubleshooting

Cisco ISE monitoring and troubleshooting functions are designed to optimize data collection performance for messages of 8k in size. As a result, you may notice a slightly different message performance rate when regularly compiling messages of 2k in size.

Issues with Accessing Monitoring and Troubleshooting

Although more than three concurrent users can log into Cisco ISE and view monitoring and troubleshooting statistics and reports, more than three concurrent users accessing Cisco ISE can result in unexpected behavior like (but not limited to) monitoring and troubleshooting reports and other pages taking excessive amounts of time to launch, and the application server restarting on its own.

Inline Posture Restrictions

• Inline Posture is not supported in a virtual environment, such as VMware.

• The Simple Network Management Protocol (SNMP) Agent is not supported by Inline Posture.

• The Cisco Discovery Protocol (formerly known as CDP) is not supported by Inline Posture.

Custom Language Templates

If you create a custom-language template with a name that conflicts with a default template name, the template is automatically renamed after an upgrade and restore. After an upgrade and restore, default templates revert back to their default settings, and any templates with names that conflict with the default names are renamed as follows: user_{LANG_TEMP_NAME}.

Issues with Monitoring and Troubleshooting Restores

During a Monitoring and Troubleshooting restore, the Cisco ISE application on the Monitoring node restarts and the GUI is unavailable until the restore completes.

Issue with Network Device Session Status Report

The Network Device Session Status report hangs during report generation. If the network device is not configured with SNMP and the SNMP community string is not provided, the report generation hangs and never completes.

The workaround for this issue is to enter the SNMP credentials when launching the Network Device Session Status report. If a large number of network devices are configured in ISE, it is recommended that you provide the snmpCommunity value along with the networkDeviceIP.

BYOD Connectivity Issue with Devices running Windows 7

Devices running the Windows 7 operating system do not connect by default if an "invalid" security certificate is presented from the server side. This issue is seen if self-signed certificates are in use, or if the certificate is signed by a root CA that is not in the trusted list of the client.

The workaround for this issue is to create a PEAP network profile before connecting to the Single SSID BYOD network. After a PEAP network profile is created, Windows 7 displays a user prompt.

Issue with Converged Access Switches

The currently available IOS releases for converged access switches, such as 3850 or 3650, may not send Calling-Station-ID in the RADIUS accounting requests, which may result in incorrect session states and endpoint profiles in ISE. Enter the following commands on the switch to ensure that the ISE data is updated appropriately.

radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail

See Also CSCuo46999.

Issue with Cisco ISE Mapping to OUI

After installing or upgrading to Cisco ISE 1.2.1, the OUI entries may be missing in the database, which might result in the endpoints matching incorrect authorization policies. You need to run the feed service to update the OUI. It is recommended to run the feed service after the patch installation to ensure that the latest OUIs are installed.

Cisco ISE Installation Files, Updates, and Client Resources

There are three resources from which you can download software for provisioning and policy service updates:

• Cisco ISE Downloads from the Download Software Center

• Cisco ISE Live Updates

• Cisco ISE Offline Updates

Cisco ISE Downloads from the Download Software Center

In addition to the .ISO installation package required to perform a fresh installation of Cisco ISE as described in Installing Cisco ISE Software, page 8, you can use the Download software web page to retrieve other Cisco ISE software elements, like Windows and Mac OS X agent installers and AV/AS compliance modules.

Downloaded agent files may be used for manual installation on a supported endpoint or used with third-party software distribution packages for mass deployment.

To access the Cisco Download Software center and download the necessary software:

Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials.

Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.

Choose from the following Cisco ISE installers and software packages available for download:

• Cisco ISE installer .ISO image

• Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants

• Windows client machine agent installation files (including MST and MSI versions for manual provisioning)

• Mac OS X client machine agent installation files

• AV/AS compliance modules

Step 3 Click Download or Add to Cart.

Cisco ISE Live Updates

Cisco ISE Live Update locations allow you to automatically download Supplicant Provisioning Wizard, Cisco NAC Agent for Windows and Mac OS X, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals should be configured in Cisco ISE upon initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the Cisco ISE appliance.

Prerequisite:

If the default Update Feed URL is not reachable and your network requires a proxy server, you may need to configure the proxy settings in Administration > System > Settings > Proxy before you can access the Live Update locations. Enabling proxy settings to allow access to the profiler and posture/client provisioning feeds breaks access to the internal MDM server, because Cisco ISE cannot bypass proxy services for MDM communication. To resolve this, configure the proxy service to allow internal communication to the MDM servers.


For more information on proxy settings, see the “Specifying Proxy Settings in Cisco ISE” section in the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2.

Client Provisioning and Posture Live Update portals:

• Client Provisioning portal—https://www.cisco.com/web/secure/pmbu/provisioning-update.xml

The following software elements are available at this URL:

– Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants

– Windows versions of the latest Cisco ISE persistent and temporal agents

– Mac OS X versions of the latest Cisco ISE persistent agents

– ActiveX and Java Applet installer helpers

– AV/AS compliance module files

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Downloading Client Provisioning Resources Automatically” section of the “Configuring Client Provisioning” chapter in the Cisco Identity Services Engine User Guide, Release 1.2.

• Posture portal—https://www.cisco.com/web/secure/pmbu/posture-update.xml

The following software elements are available at this URL:

– Cisco predefined checks and rules

– Windows and Mac OS X AV/AS support charts

– Cisco ISE operating system support

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Downloading Posture Updates Automatically” section of the “Configuring Client Posture Policies” chapter in the Cisco Identity Services Engine User Guide, Release 1.2.

If you do not enable the automatic download capabilities described above, you can choose to download updates offline. See Cisco ISE Offline Updates, page 27.

Cisco ISE Offline Updates

Cisco ISE offline updates allow you to manually download Supplicant Provisioning Wizard, agent, AV/AS support, compliance modules, and agent installer packages that support client provisioning and posture policy services. This option allows you to upload client provisioning and posture updates when direct Internet access to Cisco.com from a Cisco ISE appliance is not available or not permitted by a security policy.

Offline updates are not available for Profiler Feed Service.

To upload offline client provisioning resources, complete the following steps:

Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials.

Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.

Choose from the following Off-Line Installation Packages available for download:


• win_spw-<version>-isebundle.zip — Off-Line SPW Installation Package for Windows

• mac-spw-<version>.zip — Off-Line SPW Installation Package for Mac OS X

• compliancemodule-<version>-isebundle.zip — Off-Line Compliance Module Installation Package

• macagent-<version>-isebundle.zip — Off-Line Mac Agent Installation Package

• nacagent-<version>-isebundle.zip — Off-Line NAC Agent Installation Package

• webagent-<version>-isebundle.zip — Off-Line Web Agent Installation Package

Step 3 Click Download or Add to Cart.

For more information on adding the downloaded installation packages to Cisco ISE, refer to the “Adding Client-Provisioning Resources from a Local Machine” section of the “Configuring Client Provisioning” chapter in the Cisco Identity Services Engine User Guide, Release 1.2.

You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Macintosh operating systems offline from an archive on your local system using posture updates.

For offline updates, you need to ensure that the versions of the archive files match the version in the configuration file. Use offline posture updates when you have configured Cisco ISE and want to enable dynamic updates for the posture policy service.

To upload offline posture updates, complete the following steps:

Step 1 Go to https://www.cisco.com/web/secure/pmbu/posture-offline.html.

Save the posture-offline.zip file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Macintosh operating systems.

Step 2 Access the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture.

Step 3 Click the arrow to view the settings for posture.

Step 4 Choose Updates. The Posture Updates page appears.

Step 5 From the Posture Updates page, choose the Offline option.

Step 6 From the File to update field, click Browse to locate the single archive file (posture-offline.zip) from the local folder on your system.

Note The File to update field is a required field. You can only select a single archive file (.zip) that contains the appropriate files. Archive files other than .zip (like .tar, and .gz) are not allowed.

Step 7 Click the Update Now button.

Once updated, the Posture Updates page displays the current Cisco updates version information under Update Information.


Using the Bug Search Tool

This section explains how to use the Bug Search Tool to search for a specific bug or to search for all bugs in a release.

• Search Bugs Using the Bug Search Tool

• Export to Spreadsheet

Search Bugs Using the Bug Search Tool

In Cisco ISE, use the Bug Search Tool to view the list of outstanding and resolved bugs in a release. This section explains how to use the Bug Search Tool to search for a specific bug or to search for all the bugs in a specified release.

Step 1 Go to https://tools.cisco.com/bugsearch/search.

Step 2 At the Log In screen, enter your registered Cisco.com username and password; then, click Log In. The Bug Toolkit page opens.

Note If you do not have a Cisco.com username and password, you can register for them at http://tools.cisco.com/RPF/register/register.do.

Step 3 To search for a specific bug, enter the bug ID in the Search For field and press Enter.

Step 4 To search for bugs in the current release:

a. Click the Select from list link. The Select Product page is displayed.

b. Choose Security > Access Control and Policy > Cisco Identity Services Engine.

c. Click OK.

d. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs based on different criteria such as status, severity, and modified date.

Export to Spreadsheet

The Bug Search Tool provides the following option to export bugs to an Excel spreadsheet:

• Click the Export Results to Excel link in the Search Results page under the Search Bugs tab to export all the bug details from your search to the Excel spreadsheet. Presently, up to 10000 bugs can be exported at a time to an Excel spreadsheet.

If you are unable to export the spreadsheet, log in to the Technical Support Website at http://www.cisco.com/cisco/web/support/index.html for more information or call Cisco TAC (1-800-553-2447).


Cisco ISE, Release 1.2.1.198 Patch Updates

The following patch releases apply to Cisco ISE release 1.2.1:

• Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 1

• Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 2

• Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 3

• Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 4

• Open Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 5

• Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 5

• Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 6

• Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 7

• Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 8

Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 8

Table 7 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.1.198 cumulative patch 8. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Starting from Release 1.2.0 Patch 12, Cisco ISE supports Mac OS X Yosemite release 10.10.

Patch 8 will not work with older versions of SPW and users need to upgrade their SPW.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to your system.

Table 7 Cisco ISE Patch Version 1.2.1.198-Patch 8 Resolved Caveats

Caveat Description

CSCuw34253 Cisco Identity Services Engine Unauthorized Access Vulnerability

Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 7

Table 8 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.1.198 cumulative patch 7. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Starting from Release 1.2.0 patch 12, Cisco ISE supports Mac OS X Yosemite release 10.10.

Patch 7 will not work with older versions of SPW and users need to upgrade their SPW.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to your system.

Table 8 Cisco ISE Patch Version 1.2.1.198-Patch 7 Resolved Caveats

Caveat Description

CSCul40767 Profiled endpoints cannot be deleted from PSN Oracle database.

This fix addresses an issue when deleting the profiled endpoints from a three-node ISE deployment [PAN, MnT (Primary/Secondary), and PSN or PAN (Primary/Secondary), MnT, and PSN]. The endpoints are not removed from the PSN Oracle DB, but endpoint attributes such as group associations are removed, allowing guest access without accepting the AUP.

CSCuo58396 Guest Accounting Report display issues.

This fix addresses an issue where the Guest Accounting Report displays the following incomplete information:

• Time Spent must be displayed in an hh:mm:ss format, but the time is displayed in seconds.

• The Logged out column is blank.

• Entries are not added to this report until ISE receives an accounting stop for the session.

CSCur11083 ISE Monitoring (MnT) node generates incorrect results while querying live logs.

This fix addresses an issue where the MnT node generates incorrect results when filtering based on a specific user name.

CSCur13627 Monitoring Node (MnT) live logs are incorrectly displayed when the time zone offset is set for last 60 minutes by the time stamp.

This fix addresses an issue where the MnT live logs are incorrect due to the Daylight Saving Time (DST) for the years 2013, 2014, and 2015 in the following time zones:

• Pacific/Fiji, from 26 October 2014 to 25 January 2015.

• Countries where DST will change in 2015.

Workaround Choose the Coordinated Universal Time (UTC) for the mentioned time zones.

CSCur31652 Remove NCClient-1.0.jar from ISE packaging, it cannot be distributed.

This fix addresses an issue when NCClient-1.0.jar is found in ISE packaging. NCClient-1.0.jar is a commercial component with License text that states it must be purchased for use.

CSCur88138 In Cisco ISE 1.2.1 patch 2, replication status is incorrectly shown as disabled.

This fix addresses an issue in the deployment list page. The status of all the secondary nodes is displayed as “Replication Stopped”. However, a comparison of the replication logs of the PAN and secondary nodes shows that it is correct.

Workaround Reboot the Admin node.


CSCur90991 Exporting ISE reports or scheduling a backup fails if the admin logs in with Active Directory (AD) domain prefix.

This fix addresses a failure in exporting an ISE report because the "%5c" that is automatically allocated in the report name is not supported.

CSCur95329 Simple Network Management Protocol (SNMP) polling continues after the Network Access Device (NAD) SNMP settings are disabled.

This fix addresses an issue where periodic polling continued to be triggered after the NAD SNMP settings were disabled.

Workaround Delete NAD and recreate with SNMP settings disabled.

CSCus16050 The admin-NSF page of the ISE is vulnerable to a cross-site scripting (XSS) attack.

CSCus54517 ISE drops RADIUS server requests.

This fix addresses an issue when multiple accounting requests are sent by the same endpoint and the RADIUS Framed-IP-Address attribute in access requests resulted in multi-threading and ISE dropping the RADIUS requests.

Workaround Restart the server.

CSCus71483 Incorrect Daylight Saving Time (DST) time zone offset is displayed until ISE is restarted.

This fix addresses an issue when DST is entered as the time zone. The Coordinated Universal Time (UTC) time zone offset in the local store syslog messages is not in synchronization with the time-stamp.

Workaround Restart ISE services.

CSCus89119 The NAC agent does not pop-up after an Extensible Authentication Protocol (EAP) chaining.

This fix addresses an issue where logging in to the ISE network with EAP chaining and the Cisco AnyConnect Network Access Manager (NAM) supplicant does not pop up the NAC agent for posture assessment.

Workaround

• Clear the authentication session on the switch interface or reconnect to the network through AC NAM.

• If possible, upgrade the switch to 15.2(2)E or 3.6.1E.

CSCut05350 Configuration changed message appears after login to the Router/Switch.

This fix addresses an issue when the customer encounters configuration changed alarm without changing the ISE configuration.

CSCut58710 The guest account fails to authenticate intermittently.

This fix addresses an issue when the guest user fails authentication intermittently with "Invalid Username/Password" error. The failure is usually seen only on mobile devices.


CSCuu04227 MAB/802.1x Session mixing still an issue.

Workaround Changing the authentication order on switches to 802.1x, then MAB, reduces the number of occurrences seen.

CSCuu60864 Profiler cannot save the new endpoint.

Workaround Rebooting ISE may help.

CSCuu72216 ISE 1.2.1 does not accept bulk OCSP responses.

This fix addresses an issue when an OCSP server is configured to generate bulk canned responses. When ISE sends a request to the OCSP server, it receives a response which is pre-generated with multiple serial numbers which causes OCSP failure messages in ISE.

CSCuu99002 Client Provisioning (CP) or Posture fails when the OS is selected as Windows 10.

Workaround Select the OS as Windows All.


CSCuv01575 In Cisco ISE 1.2.1 patch 6 and later releases, profiler policies that have double quotes in the description field cannot be edited.

Workaround Export the affected policies, delete all entries of “”. From the exported XML, delete the broken policies, and re-import the fixed policies. Note that this might send a Profiler CoA which can be disabled from the Systems -> Settings menu.

CSCuv21820 ISE 1.2/1.2.1 ssl_error_weak_server_ephemeral_dh_key Firefox 39.0.

This fix addresses an issue when Firefox attempts to make an HTTPS connection to ISE, the following error message is reported: “Secure Connection Failed

An error occurred during a connection to 10.62.145.24:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem.”

Opera reports a similar error: “Server has a weak ephemeral Diffie-Hellman public key”

Workaround

• Use a different browser; the following (current as of July, 2015) browsers do not show this problem:

– Firefox 38.05

– SeaMonkey 2.33.1

– Chrome 43.0.2357.132 m

– Internet Explorer 11.0.9600.17843CO

or

• Update FF about:config per https://bugzilla.mozilla.org/show_bug.cgi?id=587407#c100

– Type "about:config" into the FireFox URL bar.

– Accept any warnings that are displayed.

– Search for the property "security.ssl3.dhe_rsa_aes_128_sha" and set it to false.

– Search for the property "security.ssl3.dhe_rsa_aes_256_sha" and set it to false.

– This should allow the user to login to the admin portal.
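The Firefox error quoted for CSCuv21820 concerns the Diffie-Hellman group that the server sends in its ServerKeyExchange handshake message. As an added example (not Cisco code and not part of these release notes), the Python below parses that message and reports the size of dh_p. The 1024-bit floor, the function names and the sample messages are assumptions constructed for illustration.

```python
"""Measure the Diffie-Hellman group size carried in a TLS ServerKeyExchange."""
import struct

HANDSHAKE_SERVER_KEY_EXCHANGE = 12  # TLS HandshakeType value (RFC 5246)
MIN_DH_BITS = 1024  # assumed floor for this example; the release notes give no number


class ParseError(ValueError):
    """Raised when the message is truncated or is not a ServerKeyExchange."""


def _read_vec16(buf, off, name):
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ParseError(f"truncated before the length of {name}")
    (length,) = struct.unpack_from("!H", buf, off)
    off += 2
    if length == 0:
        raise ParseError(f"{name} is empty")
    if off + length > len(buf):
        raise ParseError(f"{name} runs past the end of the message")
    return buf[off:off + length], off + length


def parse_dhe_server_key_exchange(msg):
    """Parse the ServerDHParams (dh_p, dh_g, dh_Ys) of a DHE ServerKeyExchange.

    msg is one complete handshake message: type (1 byte), length (3 bytes), body.
    The signature that follows the parameters is counted but not verified.
    """
    if len(msg) < 4:
        raise ParseError("shorter than a handshake header")
    if msg[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ParseError(f"handshake type {msg[0]} is not ServerKeyExchange")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ParseError("handshake body truncated")
    p_raw, off = _read_vec16(body, 0, "dh_p")
    g_raw, off = _read_vec16(body, off, "dh_g")
    ys_raw, off = _read_vec16(body, off, "dh_Ys")
    p = int.from_bytes(p_raw, "big")
    return {
        "p": p,
        "g": int.from_bytes(g_raw, "big"),
        "ys": int.from_bytes(ys_raw, "big"),
        "p_bits": p.bit_length(),  # leading zero bytes do not inflate the size
        "trailing_bytes": body_len - off,  # signature fields, left unparsed
    }


def assess(msg, min_bits=MIN_DH_BITS):
    """Return (p_bits, findings); an empty findings list means nothing was flagged."""
    params = parse_dhe_server_key_exchange(msg)
    findings = []
    if params["p_bits"] < min_bits:
        findings.append(f"dh_p is {params['p_bits']} bits, below {min_bits}")
    if not 1 < params["ys"] < params["p"] - 1:
        findings.append("dh_Ys is outside the range 2..p-2")
    return params["p_bits"], findings


def build_sample(p_bits, ys=4):
    """Constructed input: dh_p has the requested length but is not a real prime,
    and the signature is four filler bytes."""
    def vec(n):
        raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
        return struct.pack("!H", len(raw)) + raw

    p = (1 << (p_bits - 1)) | 1
    body = vec(p) + vec(2) + vec(ys) + struct.pack("!H", 4) + b"\x00" * 4
    header = bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big")
    return header + body


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, assess(build_sample(bits)))
```

To check a real server, feed the function the ServerKeyExchange handshake message taken from a packet capture of a connection that negotiated a DHE cipher suite.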


Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 6

Table 9 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.1.198 cumulative patch 6. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Starting from Release 1.2.0 patch 12, Cisco ISE supports Mac OS X Yosemite release 10.10.

Patch 6 will not work with older versions of SPW and users need to upgrade their SPW.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to your system.

Table 9 Cisco ISE Patch Version 1.2.1.198-Patch 6 Resolved Caveats

Caveat Description

CSCuj17272 Improved diagnostics for failed Certificate Revocation List (CRL) download attempts.

This fix addresses an issue in the Operations > Reports > ISE Reports > Operations Audit page. The log displaying the failed CRL download attempts did not show the appropriate reason for failure.

CSCul08673 Export of custom report for a date range failed.

This fix addresses an issue where exporting a report, based on a specified custom date range, to a target repository fails.

Workaround Use pre-configured time ranges.

CSCuo78457 An SNMP probe that is configured to match a profile using the "CONTAINS" operator fails.

This fix addresses an issue when an SNMP probe is configured and ISE polls with Cisco Device Protocol (CDP) and Link Layer Discovery Protocol (LLDP) attributes. If the matching profiling condition uses the “CONTAINS” operator, it fails.

Workaround Use a different operator such as “STARTS WITH”.

CSCup05013 Cisco switches are profiled as an unknown endpoint.

This fix addresses an issue where, with SNMP profiling, a Cisco switch C4507R+E running cat4500es8-universalk9.SPA.03.03.00.XO.151-1.XO.bin is profiled as an unknown endpoint.

CSCup15453 Running the Guest Sponsor Mapping Report increases CPU utilization on the primary Monitoring node.

This fix addresses an issue where generating the Guest Sponsor Mapping report for greater than 7 days resulted in increased CPU utilization of the primary Monitoring node warranting reboot.

Workaround Reboot the primary Monitoring node and generate reports for less than 7 days.


CSCup45530 Identity Services Engine (ISE) External RESTful Services (ERS): Unable to modify staticProfileAssignment without profileId.

This fix addresses an issue in the ERS where ISE is unable to modify the staticProfileAssignment field without specifying the endpoint's current profileID.

CSCuq43889 Domain Name Server (DNS) probe is not triggered after Simple Network Management Protocol (SNMP) Query probe updates IP address.

This fix addresses an issue when ISE is configured with the SNMP query and DNS probes. IP addresses were not mapped by the RADIUS, Dynamic Host Configuration Protocol (DHCP), or Cisco Device Protocol (CDP) probes.

Workaround

1. Use RADIUS authorization and IP device tracking to collect information via RADIUS Accounting. It may require RADIUS interim accounting to be enabled if Framed IP address is not populated on initial RADIUS Account Start.

2. Use DHCP probe for clients that support DHCP.

3. Use SNMP Query (triggered via RADIUS/SNMP Traps) for devices that support CDP.

CSCuq50447 Incorrect Security Group Tag (SGT) is displayed in the active sessions report if multiple SGTs are assigned.

This fix addresses an issue when multiple SGTs are assigned. ISE reports two SGTs but the active sessions report does not display them.

CSCuq95245 Change of Authorization (CoA) fails when guest credentials are suspended by Sponsor.

This fix addresses an issue in an ISE distributed deployment. When a guest account is suspended from the sponsor portal and there is an active session associated with these credentials, a CoA fails after the account is suspended.

Workaround Send a manual CoA to suspend the guest account immediately.

CSCur11055 Monitoring Node (MnT) live logs are not displayed.

This fix addresses an issue in the monitoring node. Live logs are not displayed and there are errors in the MnT log collector.

Workaround Execute option 7 of the application configure ise command.

CSCur13627 Monitoring Node (MnT) live logs are incorrectly displayed when the time zone offset is set for last 60 minutes by the time stamp.

This fix addresses an issue where the MnT live logs are incorrect due to the Daylight Saving Time (DST) for the years 2013, 2014, and 2015 in the following time zones:

1. Pacific/Fiji, From 26-Oct-14 to 25-Jan-15.

2. Countries where DST will change in 2015.

Workaround Choose the Coordinated Universal Time (UTC) for the above-mentioned time zones.


CSCur14902 ISE Domain Name Server (DNS) Resolution Failed for “hostname” from the ISE node “hostname”.

This fix addresses an issue when an alarm is generated during a DNS failure: DNS Resolution Failed for CNAME: “hostname” from the ISE node “hostname”, although Fully Qualified Domain Name (FQDN) and DNS responses have the same FQDN.

Workaround Contact Cisco Technical Assistance Center (TAC) to manually modify the alarm script.

CSCur20079 An error message is displayed when certain attributes are retrieved from the Active Directory (AD).

Search criteria based on the attributes of a specific AD user may throw the “ORA-12899: value too large for column "MNT"."MNT_AAA_DIAGNOSTICS"” error message.

CSCur23949 Error messages are displayed in authentication policies for Firefox and IE browsers.

This fix addresses an issue in an authentication policy set rule containing many IF conditions. Firefox and Internet Explorer report an error message when using the “>” symbol and “HTTP Status 500”, respectively.

CSCur42723 The maximum configurable value for a RADIUS accounting message suppression period (quiet interval) is short.

This fix addresses an issue with the maximum configurable RADIUS accounting message suppression period that is less than 24 hours.

CSCur44079 Guest password expiration notification is not sent and related log messages are not displayed.

This fix addresses an issue when a customized sponsor language portal is created without a corresponding guest language template.

Workaround Create the missing language templates.

CSCur44879 Any change in the profiled IP address triggered a replication event across a deployment.

This fix addresses an issue when multiple replication events were triggered for each attribute change on a profiled endpoint.

CSCur54734 A Certificate Signing Request (CSR) that crosses the maximum range of characters does not appear in the user interface.

This fix addresses an issue in the Certificate Signing Requests page. A CSR that exceeds the maximum range of characters results in ISE reporting that the CSR is created; however, it does not appear in the user interface.

CSCur62838 Apache dev mode web console is accessible in guest and sponsor portals.

This fix addresses an issue when a URL was clicked, the Apache dev mode web console was accessible in the guest and sponsor portals.

CSCur65990 RADIUS requests dropped due to a failure message.

This fix addresses an issue when importing network devices from the comma-separated values (CSV) file. The failure message “11007 could not locate Network Device or AAA Client” is displayed, although they are successfully loaded in ISE.

Workaround Contact Cisco Technical Assistance Center (TAC).

CSCur75323 Change of Authorization (CoA) issued through the REST API fails.

This fix addresses an issue in the Monitoring Node (MnT). The CoA issued through the REST API is communicated to the MnT instead of the Policy Service Node (PSN).

CSCur94336 NAC Agent does not pop up in case user authentication has been preceded by a machine authentication.

This fix addresses an issue associated with the persistent agent. When the persistent agent is installed, the NAC agent does not pop up in case user authentication precedes machine authentication. When the persistent agent is not installed, the web browser is redirected to Client Provisioning Portal (CPP) and an HTTP 500 internal server error message is displayed.

Workaround

Clear the authentication session on the switchport.

[OR]

Unplug and reconnect the Ethernet connections or disable and enable the wired connection interfaces in Windows.

[OR]

If available, upgrade to IOS 15.2(2)E or 3.6.1E.

CSCus68798 ISE is vulnerable to CVE-2015-0235 Linux Ghost remote code execution.

This fix addresses an issue where a vulnerability related to a buffer overflow in the GNU C library (glibc) may affect applications that call certain functions. This vulnerability may allow an attacker to obtain sensitive information from an exploited system or in some instances, perform remote code execution by exploiting the privileges of the application.

Open Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 5

The following table lists the open issues in Cisco ISE 1.2.1 Patch 5 that may be resolved in other releases.

Table 10 Cisco ISE Patch Version 1.2.1.198-Patch 5 Open Caveats

Caveat Description

CSCum82570 In the sponsor portal, changes made to a guest account containing double quotes result in an error message.

CSCun28218 A memory space of 2 GB is leaked outside the Java heap space by ISE. This leads to ISE running out of physical memory and using SWAP that results in authentication latency and slow performance.

Workaround Schedule reboots of the Policy Service Node (PSN) before the physical memory is depleted to prevent unscheduled outages.

CSCup15453 Running the Guest Sponsor Mapping Report increases CPU utilization on the primary Monitoring node.

This fix addresses an issue where generating the Guest Sponsor Mapping report for greater than 7 days resulted in increased CPU utilization of the primary Monitoring node warranting reboot.

Workaround Reboot the primary Monitoring node and generate reports for less than 7 days.

CSCup97285 In the guest portal, a high authentication latency alarm is sent when the Central WebAuth (CWA) is enabled with an AUP.

Workaround Disable AUP or carefully monitor high authentication latency alarms for false positives.

CSCuq95245 Change of Authorization (CoA) fails when guest credentials are suspended by Sponsor.

Workaround Send a manual CoA to suspend the guest account immediately.

CSCur12480 An end user is not redirected to the guest portal via the PlayStation 3 browser, although the same user is able to gain access to the Sponsor and My Devices portals.

Workaround Use My Device portal to register the device and then create an authorization rule to match registered devices.

CSCur14902 An alarm is generated during a DNS failure: DNS Resolution Failed for CNAME: “hostname” from the ISE node “hostname”.

Workaround Contact TAC to manually modify the alarm script.

CSCur20079 A search criteria based on the attributes of a specific Active Directory user may throw the “ORA-12899: value too large for column "MNT"."MNT_AAA_DIAGNOSTICS"” error message.

CSCur23949 Unable to edit an authentication policy set rule, containing many if conditions, in Firefox and Internet Explorer.

Workaround Reduce the number of if conditions in the policy set rule, such as creating an identity group and referencing the group in the rule.

CSCur62838 Apache dev mode web console is accessible in guest and sponsor portals.

Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 5

Table 11 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.1.198 cumulative patch 5. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Starting from Release 1.2.0 patch 12, Cisco ISE supports MAC OSX Yosemite release 10.10.

Patch 5 will not work with older versions of SPW and users need to upgrade their SPW.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to your system.

CSCur64918 ISE 1.2 replication stops when moving from monitoring to enforcement mode.

Workaround Reload the Primary admin node.

CSCur74721 Guest users expire after one week, even though they are set to expire after one year.

CSCur88138 The deployment list page shows status for all secondary nodes as 'Replication Stopped'. The replication however is working fine as verified by comparing replication logs on Primary Administration Node (PAN) and secondary nodes.

CSCur90991 Exporting a report fails for ISE admin logged-in with an Active Directory (AD) domain prefix.

CSCur95329 Cisco IT: SNMP polling continues after NAD SNMP settings were disabled.

Workaround Delete NAD and recreate with SNMP settings disabled.

CSCur99705 SponsorAllAccounts member is unable to apply TimeProfile overriding the Maximum Duration of Account of the sponsor who created the account in the first place.

Workaround Increase Max duration of Account of SponsorGroupGrpAccounts / SponsorGroupOwnAccounts group to match the highest Time Profile allowed for SponsorAllAccount group.

Table 11 Cisco ISE Patch Version 1.2.1.198-Patch 5 Resolved Caveats

Caveat Description

CSCuh86591 ISE SNMP walk command fails for Wireless Access Points (WAPs) connected to a stacked 48 port switch.

This fix addresses an issue while connecting a WAP to a stacked 48 port switch. Profiling failed due to an error in the SNMP walk command triggered on interfaces 25 through 48.

CSCuj17272 Upgrade from Cisco ISE Version 1.1.3 to 1.2 breaks the identity source sequence.

This fix addresses an issue while upgrading from version 1.1.3 to 1.2. The identity store sequences failed to authenticate Machine Authentication Bypass (MAB), IEEE 802.1X (dot1x), Active Directory (AD), and internal users.

Workaround Remove any RSA SecurID identity stores from all identity source sequences and then delete the RSA SecurID identity stores from the server.

Recreate the identity stores and add them to the identity sequences.

Restart the nodes and ensure that the “Could not find ID store” message is not displayed on ise-console.log in any of the nodes.

CSCur94336 NAC Agent does not pop up when user authentication has been preceded by a machine authentication.

This fix addresses an issue associated with the persistent agent. When the persistent agent is installed, the NAC agent does not pop up when user authentication precedes machine authentication. When the persistent agent is not installed, the web browser is redirected to the Client Provisioning Portal (CPP) and an HTTP 500 internal server error message is displayed.

Workaround

Clear the authentication session on the switchport.

[OR]

Unplug and reconnect the Ethernet connections or disable and enable the wired connection interfaces in Windows.

[OR]

If available, upgrade to IOS 15.2(2)E or 3.6.1E.

CSCum73765 Incorrect profiling information received with Simple Network Management Protocol (SNMP) Version 3 Query and Trap probes.

This fix addresses an issue with the SNMP v3 queries triggered by the SNMP Trap from switches that support linkup, linkdown, and MAC notification. The switch failed SNMP v3 authorization and resulted in session termination. The same was observed when SNMP v3 query was triggered by a RADIUS Authentication probe.

CSCuq86420 SNMP queries triggered via RADIUS traps fail.

This fix addresses an issue when an SNMP query is triggered by accounting start messages by devices that are not connected to the master stack.

Workaround Lower the global SNMP query timer, configure SNMP Traps, or move endpoint devices to the master switch in the stack.

CSCuq93969 Authorization Profile using Centralized Web Auth (CWA) returns to default when static host is used.

This fix addresses an issue in the Policy > Policy Elements > Results > Authorization > Authorization Profiles page. In the Common Tasks section, when Centralized Web Auth is selected and Redirect is set to Manual, it works only for the first login attempt and does not go back to the Default option for subsequent login attempts.

CSCuq97996 My Devices Portal does not display MAC addresses of Active Directory (AD) users.

This fix addresses an issue in the Administration > Identity Management > Identities > Endpoints page. MAC addresses of devices that are authenticated through the Active Directory (AD) are not displayed in the Endpoints page.

Workaround

1. Open MyDevices_Portal_Sequence Identity store sequence.

2. Remove and add the AD store and save it.

3. Test again with an AD user.

CSCuo41482 ISE GUI login fails for external Active Directory (AD) identity source.

This fix addresses an issue where ISE GUI login fails for external AD accounts that belong to groups whose names contain Russian characters, and the following message is displayed: “HTTP Status 500 - Internal Error”.

CSCuo43577 Server-side validation warranted for collection filters.

This fix addresses an issue in the Administration > System > Logging > Collection Filters page. Upon adding a New Collection filter, the Attribute field allowed invalid characters to be entered due to failed server-side validation.

CSCuo66847 A saved scheduled report ceases to exist in the Scheduled Reports list when edited.

This fix addresses an issue in the Operations > Reports > ISE Reports > Saved and Scheduled Reports page. When a user edits a saved scheduled report, it does not display in the Scheduled Reports list.

Workaround Recreate the scheduled report before editing it. To delete the report that was not displayed in the Scheduled Reports list, you can login with a generic admin account and view all reports.

CSCuo80929 An error message is displayed for guest usernames with special characters.

A “value too large” error message is displayed for guest usernames containing special characters.

Workaround Avoid using special accentuated characters in guest usernames.

CSCup17245 A “value out of range” message displayed while editing guest account duration.

This fix addresses an issue while trying to change the account duration of a guest account. An error message is displayed and a calendar is displayed on clicking the Submit button.

Workaround Select the guest and click the “Change Duration” button to edit the account duration. The problem is encountered only when editing expired guest accounts.

CSCup37937 ISE OpenSSL CCS injection vulnerability.

This fix addresses an issue where ISE was vulnerable to OpenSSL CCS (CVE-2010-5298, CVE-2014-0224).

CSCuq22636 ISE does not ask for Link Layer Discovery Protocol (LLDP) attributes for triggered RADIUS or SNMP trap.

This fix addresses an issue when ISE failed to send an SNMP query to obtain LLDP data in response to a triggered RADIUS or SNMP trap.

Workaround Use the ISE SNMP polling interval.

CSCuq32696 ISE Policy Service Node (PSN) removes proxy state attributes from Inline Posture Node (IPN/IPEP).

This fix addresses an issue in IPEP that serves as the proxy for RADIUS requests from the ASA to the PSN. The IPEP inserts a proxy state attribute in its RADIUS request. The PSN that is configured in proxy mode authenticates the external RADIUS server by inserting another proxy state attribute. On receiving a reply from the external RADIUS server, the PSN removes its own proxy state attribute as well as the one inserted by the IPEP, which resulted in IPEP authorization failure.

CSCuq53846 A user logging in with an expired guest account is redirected to the default Cisco branded portal.

This fix addresses an issue while logging in with an expired guest account. When using mobile devices, the client was redirected to the default Cisco branded portal without displaying any error message.

CSCuq71479 Poll Mobile Device Management (MDM) Server Thread is not getting restarted when we update Interval.

This fix addresses an issue when the polling interval value was changed. The PollMDMServerThread did not restart based on the polling interval value. Also, it did not poll device compliance for the specified time.

CSCuq85955 ISE sends Change of Authorization (CoA) with empty session ID for Local Web Authentication (LWA).

This fix addresses an issue in an LWA deployment when ISE sent a CoA disconnect with an empty session ID. The request was dropped by the Wireless LAN Controller (WLC) and an unnecessary alarm was generated.

Workaround Disable or ignore the alarm.

CSCuo24442 Patch numbers do not display in sequence in the PDP or Policy Services Node (PSN).

This fix addresses an issue while installing patches through the GUI. The Patch Information field did not display the patch numbers in sequence.

CSCuh75367 The Network Access Device (NAD) sends an incorrect call-check message when host lookup is disabled.

This fix addresses an issue in the Policy > Policy Elements > Results > Authentication > Allowed Protocols > Allowed Protocols Services List page. When the Process Host Lookup option was checked the NAD displayed an incorrect call-check message instead of notifying that Process Host Lookup was disabled.

CSCur09231 A sponsor is able to create a guest user account beyond the specified date.

This fix addresses an issue when a sponsor was able to create an account even after the expiry of the specified Account Start Date and Maximum Duration of Account in the Sponsor group policy.

CSCun81620 Changes made to a compound guest condition affect the previously entered guest condition.

This fix addresses an issue where a change made to a compound guest condition in the Primary Administration Node (PAN) affects the previously entered guest condition while upgrading to ISE 1.2 from 1.1.x.

CSCum60627 Extensible Authentication Protocol (EAP) session memory leaks on retransmission of RADIUS messages.

This fix addresses an issue encountered with an EAP session memory leak. ISE retransmits the last RADIUS message in response to duplicate packets from the Network Access Server (NAS), and the client (NAS or supplicant) dropped the conversation.

Workaround Avoid losing packets by NAS.

CSCug90087 Database locked after Reset M&T Database command is executed.

This fix addresses an issue when the database was locked after executing the Reset M&T Database command. Subsequent execution of Reset M&T Session Database command failed.

Workaround Reload the ISE node.

CSCuj76383 Admin user receives redundant password expiration email notifications.

This fix addresses an issue when an admin user received two password expiration email notifications for a password that was about to expire.

CSCun25815 Intermittent user authorization failure on Policy Service Node (PSN).

This fix addresses an issue when user authentication is successful but authorization fails via the PSN. Intermittently, users are authorized using the default authorization policy instead of the configured authorization policy due to corrupted Active Directory (AD).

Workaround

1. Execute the application configure ise command and select option 5 to clear the cache.

2. Reboot the system to clear the corrupted pointers.

CSCun25178 Collecting group information takes longer due to Security Identifiers (SIDs).

This fix addresses an issue when ISE failed to resolve SID history, belonging to a trusted domain/forest, to the corresponding group names.

CSCuo54201 MnT pages are vulnerable to SQL injection.

This fix addresses an issue where a vulnerability in the MnT pages of Cisco ISE may allow an attacker to impact integrity by executing arbitrary SQL queries.

CSCum55279 & CSCuo54146 Cross-site Scripting (XSS) computer security vulnerability in MnT search page.

This fix addresses an XSS vulnerability in the MnT search pages under Operations > Troubleshoot > Diagnostic Tools > General Tools.

CSCur42461 Packet capture file accessible to unauthenticated or unauthorized users.

This fix addresses an issue where unauthenticated and unauthorized users were able to access and download the packet capture file from admin UI.

CSCur57482 Intermittent failure to load sponsor and guest portals.

This fix addresses an issue when an end user navigates to “internet.xxx.com” web pages. The sponsor and guest portals either load slowly or fail to load intermittently.

CSCul71176 Endpoints manually assigned to identity groups might change groups randomly.

This fix addresses an issue where endpoints that were manually assigned to an identity group would sometimes randomly show up belonging to another identity group if profiling is enabled.

CSCul94611 ISE Dashboard fails to display live consolidated and correlated statistical data.

This fix addresses an issue when the ISE Dashboard stops updating statistical data based on the endpoints that connect to the network.

Workaround

In the command-line interface (CLI), enter the following command to enable the dashboard to display statistical data:

    ms-ise-mgm01/admin# app config ise
    Selection ISE configuration option
    [1]Reset Active Directory settings to defaults
    [2]Display Active Directory settings
    [3]Configure Active Directory settings
    [4]Restart/Apply Active Directory settings
    [5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings
    [6]Enable/Disable ERS API
    [7]Reset M&T Session Database
    [8]Rebuild M&T Unusable Indexes
    [9]Purge M&T Operational Data
    [10]Reset M&T Database
    [11]Refresh M&T Database Statistics
    [12]Display Profiler Statistics
    [13]Exit

Execute the following command options:

    [7]Reset M&T Session Database
    [10]Reset M&T Database
    [11]Refresh M&T Database Statistics

CSCun00215 ISE RSA Agent Exhausted Under Heavy Load

This fix addresses an issue where the RSA agent became unresponsive due to a very large number of simultaneous PAP requests.

CSCur43427 ISE Policy Service Node (PSN) rejects RADIUS request, deadlock found in the catalina.out file.

This fix addresses an issue where the PSNs reject the RADIUS request and Java-level deadlock messages were found in the catalina.out file.

Workaround Restart ISE services.

Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 4

Table 12 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.1.198 cumulative patch 4.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to your system.

CSCur36690 Dot1x and MAC Authentication Bypass (MAB) overlap.

This fix addresses an issue when there was Dot1x and MAB authentication overlap, which resulted in incorrect authorization policies being applied.

CSCur29078 ISE evaluation of SSLv3 POODLE vulnerability.

This fix addresses an issue where the impact of the SSLv3 POODLE vulnerability on third-party software was tested.

CSCur41673 Unauthenticated retrieval of backup password.

This fix addresses an issue where the backup password was retrieved with an unauthenticated POST request.

CSCur35455 Accounting requests dropped with Message 5441.

This fix addresses an issue when new RADIUS accounting requests were dropped with an error message that the endpoint had started a new session while the packets of the previous session were being processed.

CSCui15057 ISE IP cache does not ignore Martian addresses of endpoints.

This fix addresses an issue where the IP cache is updated when Martian addresses are sent via RADIUS requests. An attacker may leverage this to pollute the endpoint tables, mask IP endpoints, or cause instability in the network.

CSCul41053 The localapp authentication servlet fails.

This fix addresses an issue where the localapp authentication servlet allowed the changing of the admin's password. A user with lower privileges may be granted higher privileges resulting in the compromise of the admin account.

Table 12 Cisco ISE Patch Version 1.2.1.198-Patch 4 Resolved Caveats

Caveat Description

CSCul43926 Difficulty in reading the catalina.log.

This fix addresses an issue in the Operations > Troubleshoot > Download Logs > Appliance node list page. When the Debug Logs tab was selected for the required node, the catalina.log file displayed the “work_pending_i: Interrupted system call” message.

CSCum05562 Change of authorization (CoA) failed with Policy Sets.

This fix addresses an issue in the Administration > System > Settings > Policy Sets page. The CoA associated with an endpoint profiling policy was not enabled when using policy sets.

Workaround Disable policy sets or enable change of authorization (CoA) from monitoring node using fast reauthentication on switch.

CSCum94858 Guest Sponsor Mapping report truncates the username.

This fix addresses an issue in the Operations > Authentications > Reports > Endpoints and Users page. The Guest Sponsor Mapping report displayed the domain name but truncated the user name that appears after the ‘\’ character.

CSCun04863 ISE sent alarms for expired advanced evaluation licenses.

This fix addresses an issue where ISE sent alarms for expired advanced evaluation licenses, although no advanced features were used.

Workaround Disable license alarms.

CSCun49379 Error in the custom Device Registration page redirects to the Login page.

This fix addresses an issue in the Device Registration page. Instead of the ERROR_PAGE, guest users were redirected or mapped to the CUSTOM_LOGIN_PAGE when a wrong MAC address was encountered.

CSCun66269 Data access permissions for role-based access control (RBAC) does not work for Locations selection.

This fix addresses an issue when you create a custom group of users with a set of Data and Menu access RBAC permissions. The data access criteria selected for the Location access does not work with multiple rules set in the same hierarchy of network device groups.

Workaround Create rules only for the low-level network device groups.

CSCun84251 Error after application ise reset-config on 1.2.0.899 Patch 6.

This fix addresses an issue where an error was found when the application reset-config ise command was run.

CSCuo23637 ISE Role-Based Access Control (RBAC) policy failed to control the defined access policies.

This fix addresses an issue in the Administration > Identity Management > Identities > Users page. The access policies that were defined for a particular admin group were displayed for all User Identity Groups.

CSCuo88459 After certificate renewal, an Apple iOS device gets stuck and is always redirected to the CWA URL, or the Wi-Fi interface is down.

Workaround Perform the following steps in the order given:

1. Click the Wi-Fi network, select the option to forget this network, and try reconnecting to the same network.

2. When the device asks you to select the authentication method, select EAP-TLS and select the user certificate.

3. Enter the user name with the user name and click Connect.

CSCup20586 Mix-up in the Extensible Authentication Protocol (EAP) and MAC Authentication Bypass (MAB) attributes for the same endpoint.

This fix addresses an issue when there is simultaneous EAP and MAB authentication requests for the same endpoint with the same audit session ID. The two authentications share the same entry in the session cache and create a mix-up of attributes.

CSCup62622 Default Sponsor Portal Fully Qualified Domain Name (FQDN) setting is changed to the FQDN of the Policy Service Node (PSN).

This fix addresses an issue in the Administration > Web Portal Management > Settings > General > Ports > Portal FQDNs page. If the user changed the “Default Sponsor Portal FQDN” setting on the admin GUI, services were restarted on the PSN. On accessing the admin GUI of the PSN via a URL, the user was redirected to the sponsor portal.

Workaround Contact the Cisco Technical Assistance Center (TAC).

CSCup74180 Conditions defined for a Sponsor Group failed.

This fix addresses an issue in the Administration > Web Portal Management > Sponsor Groups page. The Authorization Levels, Guest Roles, and Time Profiles set for a particular sponsor group failed.

CSCup80994 ISE Policy Service Node (PSN) crashes due to network access device (NAD) missing shared secret.

This fix addresses an issue when ISE app-svr crashed and the Java core dump reported a failure while trying to obtain the NAD IP address with missing shared secret configuration in ISE. Specifically, this occurred during dynamic authorization. Although the wireless LAN controller (WLC) was configured in ISE without a shared secret, it continued to send the accounting information to ISE.

Workaround Remove NAD from ISE or reconfigure shared secret.

CSCup82816 Certificate is not issued for MAC OS X with wired and wireless in Native Supplicant Provisioning (NSP).

CSCup96791 ISE 1.2 patch 9 breaks dashboard with Internet Explorer 9.

This fix addresses an issue with security enhancements to Internet Explorer 9 browser cache, which results in an empty ISE Dashboard.

Workaround

• Use an alternative browser.

• In Internet Explorer, navigate to Tools > Internet Options > Advanced. Scroll down and select the Do not save encrypted pages to disk option under Security and click Apply and OK.

• Under the General tab, select Delete browsing history on exit option and click Apply and OK.

CSCup97085 Data unavailable for authentication details.

This fix addresses an issue in the Operations > Authentications page. When the ISE admin user clicks the Details column for any event, an error stating “No Data Available for this record. Either the data is purged or authentication for this session record happened a week ago” was encountered.

CSCup97097 Export Results report for total endpoints is inaccurate.

This fix addresses an issue in the Home > Total Endpoints > Export Results page. The report failed to export all endpoints that were authenticated or profiled by ISE. Instead, the report displayed empty rows with the exception of the ENDPOINTPOLICY field.

CSCup97125 ISE GUI crashes with HTTPS certificates without Enhanced Key Usage (EKU).

This fix addresses an issue when HTTPS was enabled by operations such as binding, importing, or editing certificates. If the certificates did not support Enhanced Key Usage (EKU) of ClientAuth, an error was reported. An error was also encountered by the Policy Administration Node (PAP).

CSCuq02033 The Mobile Device Management (MDM) heartbeat thread does not restart for a new MDM instance.

This fix addresses an issue where the heartbeat thread did not poll the MDM server immediately at the instance of changing any MDM server settings.

CSCuq05237 Change in the Network Access Users status failed to reflect in the Reports.

This fix addresses an issue in the Operations > Reports > Deployment Status > Change Configuration Audit page. When the status of a network access user was either enabled or disabled, in the Administration > Identity Management > Identities > Users page, it failed to reflect the change in the Change Configuration Audit page.

CSCuq07723 The Bring Your Own Device (BYOD) success page and Retry button do not display.

This fix addresses an issue with MAC OS X and Windows OS when it failed to display the BYOD success page for a successful authentication. Also, it failed to display the Retry button when a user’s authentication failed.

CSCuq19789 ISE fails to match Radius:service-type EQUALS authorize-only.

This fix addresses an issue in an Inline Posture Node (IPN/IPEP) deployment. VPN users were not permitted to pass traffic after a successful VPN connection. This was encountered when the authorization policy of an IPEP node included a RADIUS server attribute.

Workaround Use the same authorization policy for IPEP and the standard authorization profile.

CSCuq55043 ISE 1.2.1 Posture Upgrade Failure

This fix addresses an issue in ISE 1.2.1 posture upgrade code that does not check for null values in AV/AS checks before referencing them, resulting in NullPointer exceptions in isedbupgrade-data-global logs and upgrade failure at Data upgrade step 34/89, RegisterPostureTypes(1.2.0.363).

Workaround Contact Cisco TAC for assistance.

CSCuq74929 ISE 1.2 External Groups does not validate input properly.

This fix addresses an issue in the Policy > Policy Elements > Conditions > Authorization > Compound Conditions page. An attribute that was selected from the Dictionaries list was truncated and appended with an ellipsis.

CSCuq75823 MAC Agent fails to validate server certificates in MAC 10.10.

This fix addresses an issue when a MAC endpoint device on the network was denied access and an SSL certificate error was displayed.

Workaround Created an intermediate MAC agent build 4.9.5.2 to bypass the ISE server certificate validation for MAC 10.10 users.

CSCuq81835 ISE base/advanced license counts remains at the default value zero.

This fix addresses an issue where the base and advanced licenses count did not match the number of active endpoints that were displayed in the dashboard and monitoring reports.

Workaround Contact the Cisco Technical Assistance Center (TAC).

CSCuq83249 Guest users fail authentication before expiry of time profile.

This fix addresses an issue when a guest user failed authentication before the expiry of the time specified in the time profile. The specified time profile was FromFirstLogin but the behavior was FromCreation.

Workaround Resetting Guest account validity from Sponsor portal fixes the issue temporarily.


CSCur00532 ISE evaluation for CVE-2014-6271 and CVE-2014-7169 (AKA ShellShock).

This fix addresses an issue in ISE nodes that are SSH enabled. If SSH is enabled, a remote user with ISE CLI credentials will be able to exploit the vulnerability and run generic Linux commands.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Workaround Disable SSH and reload ISE node as follows:

ise1/admin# configure terminal
ise1/admin(config)# no service sshd enable
ise1/admin(config)# end
ise1/admin# reload
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Continue with reboot? [y/n] y

CSCur17597 Users of some Identity Groups are not displayed.

This fix addresses an issue in the Operations > Authentications page. Users belonging to Identity Groups containing an underscore character were not displayed.


CSCur29078 ISE evaluation of SSLv3 POODLE vulnerability.

This fix addresses an issue where the impact of the SSLv3 POODLE vulnerability on third-party software was tested.

CSCur94336 NAC Agent fails to pop up and throws an HTTP 500 error message.

This fix addresses an issue where the NAC Agent does not pop up when user authentication has been preceded by a machine authentication. The web browser is redirected to the Client Provisioning Portal (CPP) and an HTTP 500 internal server error is displayed.

Workaround

Clear the authentication session on the switchport.

[OR]

Unplug and reconnect the Ethernet connections or disable and enable the wired connection interfaces in Windows.

[OR]

If available, upgrade to IOS 15.2(2)E or 3.6.1E.

Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 3

Table 13 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.1.198 cumulative patch 3.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to your system.


Table 13 Cisco ISE Patch Version 1.2.1.198-Patch 3 Resolved Caveats

Caveat Description

CSCuq01548 ISE posture dropped during Change of Authorization (CoA) due to invalid HTTP User-Agent [Trident 7.0].

This fix addresses an issue where a third-party User-Agent does not allow the download of the NAC agent.

CSCuq02222 The Simple Network Management Protocol (SNMP) Query probe failed to discover endpoints using periodic polling.

This fix addresses an issue where the ARP table failed to discover the MAC addresses of endpoints that were connected to a Catalyst switch using the SNMP Query probe.

CSCup88315 Apple iOS 8 beta failing External Web Authentication (WebAuth) with ISE.

This fix addresses an issue where Apple devices running iOS 8 beta software failed to complete external web authentication.

CSCum41138 NAS IP Address showing MnT address in ISE live logs after CoA REST API.

This fix addresses an issue in the Operations > Authentications > Show Live Authentications page. The NAS IP Address field failed to display the IP address of the network device when Change of Authorization (CoA) was triggered via the REST API.

CSCun74636 OSX Mavericks is profiled as Apple device based on incorrect User-Agent.

This fix addresses an issue where Cisco ISE failed to identify OSX Mavericks device based on the endpoint profiling policies.

CSCun00427 ISE 1.2 match operator returns true when LHS is NULL and RHS is constant.

This fix addresses an issue that occurred when there was a MATCHES operator in a rule/policy: if the LeftHandSide of the rule/policy was returning NULL value and the RightHandSide was CONSTANT, the operator was getting evaluated as TRUE. The operator is now evaluated as FALSE.

CSCui08084 Guest user is not terminated on the switch when suspended via Edit Account.

This fix addresses an issue with the Guest Account created using the Sponsor Portal. When suspending the Guest Account, the Account was suspended but the wired session on the switch was not terminated.

CSCuq26320 EAP-FAST authenticated provisioning with Android doesn't work

This fix addresses an issue where EAP-FAST authentication for specific Android versions was not working.

CSCun75458 ISE Apache Struts 2 vulnerabilities.

Previous versions of Cisco ISE included a version of Apache Struts2 that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-0050, CVE-2014-0094


CSCuo63900 ISE Apache Struts 1 vulnerabilities.

This product includes a version of third-party software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-0112, CVE-2014-0114

Cisco has analyzed these vulnerabilities and concluded that the product is not impacted.

CSCur00532 ISE evaluation for CVE-2014-6271 and CVE-2014-7169 (AKA ShellShock).

This fix addresses an issue in ISE nodes that are SSH enabled. If SSH is enabled, a remote user with ISE CLI credentials will be able to exploit the vulnerability and run generic Linux commands.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Workaround Disable SSH and reload ISE node as follows:

ise1/admin# configure terminal
ise1/admin(config)# no service sshd enable
ise1/admin(config)# end
ise1/admin# reload
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Continue with reboot? [y/n] y

CSCul28451 RADIUS Accounting Report “Account Session Time” blank.

This fix addresses an issue in the Operations > Reports > Auth Services Status > Radius Accounting page. In the click here for Accounting detail report option for the Stop Account Status Type, the Account Session field did not display the difference between a session’s start and stop time.

CSCup79399 Cisco ISE-related reports return blank page while launching from PI.

This fix addresses an issue where all Cisco ISE reports opened from Cisco Prime Infrastructure resulted in a “Web page not available” error.


CSCul16354 Supplicant Provisioning Wizard (SPW) cannot be set up for MAC and Windows without Java.

The fix addresses an issue where SPW did not install on MAC and Windows without the support of Java.

CSCuj64206 Parent Endpoint Identity Group cannot be created in Windows 7, Internet Explorer 10.

This fix addresses an issue when an Endpoint Identity Group could not be created without a Parent Group in Windows 7 Internet Explorer 10. The following error message was displayed: “Invalid group name. Please select a parent group from the list displayed.”

Workaround Use Internet Explorer 8.

CSCuq11441 ISE posture was dropped via Change of Authorization (CoA) due to invalid HTTP User-Agent [Trident 5.0]

This fix addresses an issue where the posture validation was dropped via CoA terminate because of an unknown User-Agent.

Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 2

Table 14 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.1.198 cumulative patch 2.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to your system.


Table 14 Cisco ISE Patch Version 1.2.1.198-Patch 2 Resolved Caveats

Caveat Description

CSCul21337 The Posture Troubleshooting tool was vulnerable to blind SQL injection.

This fix addresses an issue where a vulnerability in the web framework of Cisco ISE may allow an attacker to impact the integrity by executing arbitrary SQL queries.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.5/5.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:OF/RC:C

CVE ID CVE-2014-3275 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3275

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCul39011 The Mobile Device Management (MDM) client failed to reject queries when MDM server was not responding.

This fix addresses an issue where timeouts were caused when the MDM server was not reachable during authorization policy evaluation.

CSCul58758 Redirected to null page in the browser after Local Web Authentication (LWA) flow with WLC-5500 series.

This fix addresses an issue where a guest user enters the username and password in the Guest Login page, but is not redirected to the specified URL.

CSCul86970 GUI does not display the Allow only listed IP addresses option to connect.

This fix addresses an issue in the Admin Access settings page, where the following option was not displayed in the UI: Allow only listed IP addresses to connect.

CSCum37237 Insufficient permission error with bulk import of guest account.

This fix addresses an issue where an error message was encountered when sponsors imported and printed guest usernames formed from the guests’ email addresses.

CSCum57372 NAS identifier does not appear in the authentication details in the web UI.

This fix addresses an issue where the Network Access Server (NAS) Identifier information did not appear in the Authentication Details page.

CSCun28502 Sponsor, My Devices, and Guest portals do not have a defined character limit.

This fix addresses an issue in the Administration > Web Portal Management > Settings page. The Sponsor, My Devices, and Guest portals contain the Language Template option. The Language Template option contains a list of configurations. The text fields in each configuration allow any one of the following character counts: 128, 512, 256, or 4000. An error message was displayed for specific fields, such as AUP and Notifications, when the character limit was above 4000 characters.


CSCun74285 ISE safe mode did not bypass admin portal certificate authentication.

This fix addresses an issue where ISE safe mode did not bypass user certificate authentication and did not enable local admin credentials.

CSCun74460 Incorrect Daylight Saving Time (DST) time zone offset in ISE affects remote syslog targets.

This fix addresses an issue where the DST time zone offset was incorrect in the prrt log.

CSCun84251 Error after application ise reset-config on 1.2.0.899 Patch 6.

This fix addresses an issue where an error was found when the application reset-config ise command was run.

CSCun94304 ISE RSA server configuration may fail to replicate to PSNs.

This fix addresses an issue where the RSA configuration (sdconf.rec) did not load properly and data did not replicate from the PAP node to other nodes.

CSCuo13099 ISE Sponsor, email ID used as username with space in it, throws an error.

This fix addresses an issue where the guest user email IDs with spaces encountered an error when used in usernames.

CSCuo39442 ISE 1.2 does not validate remote log target names.

This fix addresses an issue where the Remote Logging Target names displayed in the Administration > System > Logging > Remote Logging Targets page reported the following error message: Name should not contain space(s) or any of the following characters: ! % ^ : ; , [ { | } ] \ ` " = ?. The above error message was displayed even though hyphen or period was used.

CSCuo58919 Endpoint static group assignment toggles between true or false option every 55 seconds.

This fix addresses an issue where the Static Group Assignment check box in the Administration > Identity Management > Identities > Endpoints page toggled between true or false value every 55 seconds.

CSCuo63448 Modifying the ISE parent profile disables child profile.

This fix addresses an issue where in the Profiling Policies page, on modifying a parent profile, endpoints failed to reach the correct profile policy.

CSCuo75506 ISE authorization profile with Central WebAuth (CWA) and custom guest portal does not redirect to default settings.

This fix addresses an issue where a CWA authorization profile was configured and if the CWA authorization profile was edited again, the changes were displayed only in the UI, but failed to reflect in the attributes.

CSCuo88571 The IP release renew operation was not performed on Mac OSX devices.

This fix addresses an issue where a user logged into the guest portal was unable to renew the IP address after clicking Accept in the Acceptable Use Policy (AUP) page.

CSCup33018 Apple iOS 8 beta fails Native Supplicant Provisioning flow.

This fix addresses an issue where with single or dual SSIDs, Apple devices running iOS 8 beta software failed to complete provisioning.


CSCup50216 ISE 1.2+ API update was overwritten by the profiler.

This fix addresses an issue where the ERS API failed to update existing endpoints in static groups.

CSCup51902 Exporting active endpoints does not work from the admin node.

This fix addresses an issue where exporting active endpoints from a Cisco ISE server Administration node did not work.

CSCup63424 Downloading software to effect release or renew of guest virtual LAN (VLAN) was not accomplished.

This fix addresses an issue where the IP address release or renew operation in the VLAN release or renew page, was nonfunctional when it was not the latest version of the Java Applet.

CSCup99806 Custom data access permissions were not working as expected.

This fix addresses an issue where Custom data access permission did not work according to the mapped RBAC policy in the Network Device page.

Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 1

Table 15 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.1.198 cumulative patch 1.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to your system.


Table 15 Cisco ISE Patch Version 1.2.1.198-Patch 1 Resolved Caveats

Caveat Description

CSCty01787 Error in Generating XML Output for EndPointIPAddress API

This fix addresses an issue where an internal error was displayed in the XML when calling the EndPointByIPAddress API for a given IP address appearing in the AuthSessionList.

CSCul25066 ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service

This fix addresses an issue where customers upgrading to ISE 1.2 who had the Wireless Upgrade license to add advanced license functionality to their deployment received the following alert: “Feed Service error : The Advance License installed on the ISE nodes have been expired.”


CSCul29344 ISE 1.2 HTML Custom Pages for Different Portals Not Working

This fix addresses an issue where the sample HTML for custom Guest Portal pages provided in the user guide did not work correctly.

CSCum29186 With Account Creation Time Zone Change Not Reflecting New Updated Allowed Time

This fix addresses an issue where changing the time zone during Guest account creation was not reflected with the newly updated allowed time to login.

CSCum54099 ISE Does Not Send Sponsor-related syslog Message to External syslog Server

This fix addresses an issue where ISE did not send messages like 86008 or 86006 to the external syslog server. It only sent the 86028 messages.

CSCum69410 ISE 1.2 CWA with DRW Included Doesn't Register Endpoint

This fix addresses an issue where the endpoint DB didn’t indicate that an endpoint was registered after a CWA user entered their MAC address on the Guest Device Registration screen.

CSCum85930 ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect

This fix addresses an issue where custom CWA portal may not have loaded images or CSS as expected.

CSCum88817 ISE 1.2 Logs Filled with Unnecessary License Validity Info

This fix addresses an issue where ISE was logging license checks in INFO mode, which caused massive output in the log files.

CSCum96035 This fix addresses an issue that occurred when a user typed in a password that violated the password policy on the default custom portal password-change page and the page refreshes instead of displaying an error message.

CSCun15601 Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail

This fix addresses an issue where the message “This is an invalid text message template. Contact your system administrator for assistance.” was shown while sending Guest account through Mail/SMS if the sponsor is CC’ed.

CSCun36594 ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV

This fix addresses an issue that occurred after importing endpoints from a CSV file where the “Endpoint Identity Group” was changed from the one specified in the file to Profiled.

CSCun41732 Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate is Present

This fix addresses an issue where Cisco ISE could not load the complete Trusted certificate list when a corrupted certificate was present in the list.

CSCun51094 Bulk Import of Guests by Sponsor Falls in Wrong Guest Role

This fix addresses an issue where imported guest users always get the role of default Guest during a bulk import from the Sponsor portal.

CSCun67719 Guest Portal: Error Message When Password Expired Confusing

The Cisco ISE Guest portal provides a generic error for events such as guest user account expired and gives no information on the cause of the issue.


CSCun68637 SNMP Query Fails to Complete during NMAP-triggered Probe

This fix addresses an issue where an SNMP query failed to execute when it was triggered by an NMAP probe.

CSCun93673 ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter

This fix addresses an issue where exporting endpoints results in an empty file if you search using lower case letters.

CSCun97606 ISE Roaming Authentication Failing

This fix addresses an issue that occurred when attributes about endpoints differed from one PSN to another when using multiple PSNs for profiling or authentication.

CSCuo32987 Endpoint Register Broken

This fix addresses an issue where attempts at ERS API endpoint register end in HTTP 500 Internal Server Error.

CSCuo34449 ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent

This fix addresses an issue where a client application that initiated HTTP using User-Agent was not recognized by ISE, and triggered ISE to clear that session and send a Radius CoA Terminate command to NAD.

CSCuo56780 ISE RADIUS Service Denial of Service Vulnerability

This fix addresses an issue where the RADIUS service may become unresponsive when receiving accounting packets from two different Network Access Servers (NASs).

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C

CVE ID CVE-2014-3276 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3276

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


CSCuo63892 CIAM: ISE-commons-fileupload-1-0

This fix addresses third-party software vulnerabilities.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 7.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-0050 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCuo73070, CSCuo76078 ISE 1.2 GUI Elements Missing Due to No Advanced License

This fix addresses an issue where the error “No valid system license exists” appeared for the sponsor portal and guest portal after the installation of a Cisco ISE Patch.

Cisco ISE, Release 1.2.0.899 Patch Updates

The file naming convention for a patch will include the word “Auto” as shown in the example, ise-patchbundle-1.2.0.899-Auto13-124679.x86_64.tar.gz, for the internal purpose of managing builds. The change does not impact the patch upgrade or rollback features.

The following patch releases apply to Cisco ISE release 1.2.0:

• Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 17

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 17

• Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 16

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 16

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 15

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 14

• Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 13

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 13

• Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 11

• Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 9

• Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 8

• Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 7

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 6

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 5

• Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 4

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 4

• Support for Windows 8.1 and Mac OS X 10.9 in Cisco ISE Version 1.2.0.899—Cumulative Patch 3

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 3

• New Features in Cisco ISE Version 1.2.0.899—Cumulative Patch 2

• Support for Apple iOS 7 in Cisco ISE Version 1.2.0.899—Cumulative Patch 2

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 2

• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 1

Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 17

The following table lists the open issues in Cisco ISE 1.2.0 Patch 17 that may be resolved in other releases.

Table 16 Cisco ISE Patch Version 1.2.0.899-Patch 16 Open Caveats

Caveat Description

CSCuw10274 Unable to install Patch 16 in ISE 1.2.0.899 through CLI.

Workaround If required, install Patch 16 by GUI.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 17

Table 17 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 17. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Starting from Release 1.2.0 patch 12, Cisco ISE supports Mac OS X Yosemite release 10.10.

Patch 17 will not work with older versions of SPW and users need to upgrade their SPW.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to your system.

Table 17 Cisco ISE Patch Version 1.2.0.899-Patch 17 Resolved Caveats

Caveat Description

CSCuv21820 ISE 1.2 and 1.2.1 Admin portal and other portals hosted on them are not accessible after browser upgrade.

This fix addresses an issue where, when Firefox attempts to make an HTTPS connection to ISE, the following error message is reported: “Secure Connection Failed

An error occurred during a connection to 10.62.145.24:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem.”

Opera reports a similar error: “Server has a weak ephemeral Diffie-Hellman public key”

Workaround

• Use a different browser to log in to the Admin portal/install Patch 17 through GUI; the following (current as of July 2015) browsers are supported:

– Firefox 38.05

– SeaMonkey 2.33.1

– Chrome 43.0.2357.132 m

– Internet Explorer 11.0.9600.17843CO

or

• Update FF about:config per https://bugzilla.mozilla.org/show_bug.cgi?id=587407#c100

– Type "about:config" into the Firefox URL bar.

– Accept any warnings that are displayed.

– Search for the property "security.ssl3.dhe_rsa_aes_128_sha" and set it to false.

– Search for the property "security.ssl3.dhe_rsa_aes_256_sha" and set it to false.

This should allow the user to log in to the Admin portal.

CSCuw34253 Cisco Identity Services Engine Unauthorized Access Vulnerability


Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 16

The following table lists the open issues in Cisco ISE 1.2.0 Patch 16 that may be resolved in other releases.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 16

Table 19 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 16. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Starting from Release 1.2.0 patch 12, Cisco ISE supports Mac OS X Yosemite release 10.10.

Patch 16 will not work with older versions of SPW and users need to upgrade their SPW.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to your system.

Table 18 Cisco ISE Patch Version 1.2.0.899-Patch 16 Open Caveats

Caveat Description

CSCur64918 ISE 1.2 replication stops when moving from monitoring to enforcement mode.

Workaround Reload the Primary admin node.

CSCut04401 Vulnerability on ISE appliance - Access Control - Missing Authentication.

CSCut04544 This is a modification on the product to adopt new secure code best practices to enhance the security posture and resiliency of the product by not remembering usernames on the login page.

CSCut04556 Vulnerability on ISE: Cross-Frame Scripting.

CSCuu21947 The endpoint export from the ISE dashboard is sometimes missing the location field.


Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 15

Table 20 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 15. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Starting from Release 1.2.0 patch 12, Cisco ISE supports Mac OS X Yosemite release 10.10.

Patch 15 will not work with older versions of SPW and users need to upgrade their SPW.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to your system.

Table 19 Cisco ISE Patch Version 1.2.0.899-Patch 16 Resolved Caveats

Caveat Description

CSCul40767 Profiled endpoints cannot be deleted from PSN’s Oracle database.

This fix addresses an issue when deleting the profiled endpoints from a three-node ISE deployment, [PAN, MnT (Primary/Secondary), and PSN or PAN (Primary/Secondary), MnT, and PSN]. The endpoints are not removed from the PSN's Oracle DB. This causes the endpoints' attributes such as group associates to be removed, allowing guest access without accepting the AUP.

CSCur88138 ISE 1.2.1 P2 replication status is incorrectly shown as disabled.

This fix addresses an issue in the deployment list page. The status of all the secondary nodes is displayed as “Replication Stopped”. However, a comparison of the replication logs of the PAN and secondary nodes shows that replication is working correctly.

Workaround Reboot the Admin node.

CSCut05350 Configuration changed appears after login to the Router/Switch.

This fix addresses an issue where the customer encounters a configuration changed alarm without having changed the ISE configuration.

CSCut58710 ISE: The guest account fails to authenticate intermittently.

This fix addresses an issue where the guest user fails authentication intermittently with an “Invalid Username/Password” error. The failure is usually seen only on mobile devices.

CSCuu04227 MAB/802.1x Session mixing still an issue.

This fix addresses an issue when

Workaround Changing the authentication order on switches to 802.1x, then MAB, reduces the number of occurrences seen.


Table 20 Cisco ISE Patch Version 1.2.0.899-Patch 15 Resolved Caveats

Caveat Description

CSCur11083 ISE Monitoring (MnT) node generates incorrect results while querying live logs.

This fix addresses an issue where the MnT node generates incorrect results when filtering on a specific user name.

CSCur13627 Monitoring Node (MnT) live logs are incorrectly displayed when the time zone offset is set for last 60 minutes by the time stamp.

This fix addresses an issue where the MnT live logs are incorrect due to Daylight Saving Time (DST) for the years 2013, 2014, and 2015 in the following time zones:

• Pacific/Fiji, From 26-Oct-14 to 25-Jan-15.

• Countries where DST will change in 2015.

Workaround Choose the Coordinated Universal Time (UTC) for the above-mentioned time zones.

CSCur69835 The administration page of the Cisco Identity Services Engine (ISE) is vulnerable to a cross-site scripting (XSS) attack.

Additional information on XSS vulnerabilities and mitigation is available at the following link:

http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20060922-understanding-xss

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C

CVE ID CVE-2014-8022 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8022

Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCur69873 Autocomplete feature is allowed in some Admin web UI pages.

This fix addresses an issue where the autocomplete feature is allowed in some of the Admin web UI pages.

CSCur90991 Exporting ISE reports or scheduling a backup fails if the admin logs in with Active Directory (AD) domain prefix.

This fix addresses an issue where exporting an ISE report fails because the "\" character ("%5c"), which is automatically included in the report name, is not supported.


CSCur95329 Simple Network Management Protocol (SNMP) polling continues after the Network Access Device (NAD) SNMP settings are disabled.

This fix addresses an issue where periodic polling continued after the NAD SNMP settings were disabled.

Workaround Delete NAD and recreate with SNMP settings disabled.

CSCus16049 The MnT page of the Cisco Identity Services Engine (ISE) is vulnerable to a cross-site scripting (XSS) attack.

CSCus16050 The admin-NSF page of the Cisco Identity Services Engine (ISE) is vulnerable to a cross-site scripting (XSS) attack.

CSCus16052 The admin-infra page of the Cisco Identity Services Engine (ISE) is vulnerable to a cross-site scripting (XSS) attack.

CSCus54517 ISE drops RADIUS server requests.

This fix addresses an issue when multiple accounting requests are sent by the same endpoint and the RADIUS Framed-IP-Address attribute in access requests resulted in multithreading and ISE dropping the RADIUS requests.

CSCus71483 Incorrect Daylight Saving Time (DST) time zone offset is displayed until ISE is restarted.

This fix addresses an issue when DST is entered as the time zone. The Coordinated Universal Time (UTC) time zone offset in the local store syslog messages is not in sync with the time stamp.

Workaround Restart ISE services.

CSCus89119 The NAC agent does not pop up after an Extensible Authentication Protocol (EAP) chaining.

This fix addresses an issue where, when logging in to the ISE network with EAP chaining and the Cisco AnyConnect Network Access Manager (NAM) supplicant, the NAC agent does not pop up for posture assessment.

Workaround

• Clear the authentication session on the switch interface or reconnect to the network via AC NAM.

• If possible, upgrade the switch to 15.2(2)E or 3.6.1E.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 14

Table 21 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 14. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Starting from Release 1.2.0 patch 12, Cisco ISE supports Mac OS X Yosemite release 10.10.

Patch 14 will not work with older versions of SPW and users need to upgrade their SPW.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to your system.

Table 21 Cisco ISE Patch Version 1.2.0.899-Patch 14 Resolved Caveats

Caveat Description

CSCul08673 Export of custom report for a date range failed.

This fix addresses an issue where exporting a report, based on a specified custom date range, to a target repository fails.

Workaround Use pre-configured time ranges.

CSCum53319 Improved diagnostics for failed Certificate Revocation List (CRL) download attempts.

This fix addresses an issue in the Operations > Reports > ISE Reports > Operations Audit page. The log displaying the failed CRL download attempts did not show the appropriate reason for failure.

CSCuo78457 An SNMP probe that is configured to match a profile using the "CONTAINS" operator fails.

This fix addresses an issue when an SNMP probe is configured and ISE polls with Cisco Device Protocol (CDP) and Link Layer Discovery Protocol (LLDP) attributes. If the matching profiling condition uses the “CONTAINS” operator, it fails.

Workaround Use a different operator such as “STARTS WITH”.

CSCup05013 Cisco switches are profiled as an unknown endpoint.

This fix addresses an issue where, with SNMP profiling, a Cisco switch C4507R+E running cat4500es8-universalk9.SPA.03.03.00.XO.151-1.XO.bin is profiled as an unknown endpoint.

CSCup15453 Running the Guest Sponsor Mapping Report increases CPU utilization on the primary Monitoring node.

This fix addresses an issue where generating the Guest Sponsor Mapping report for greater than 7 days resulted in increased CPU utilization of the primary Monitoring node warranting reboot.

Workaround Reboot the primary Monitoring node and generate reports for less than 7 days.

CSCup45530 Identity Services Engine (ISE) External RESTful Services (ERS): Unable to set modify staticProfileAssignment without profileId.

This fix addresses an issue in the ERS where ISE is unable to modify the staticProfileAssignment field without specifying the endpoint's current profileID.


CSCuq43889 Domain Name Server (DNS) probe is not triggered after Simple Network Management Protocol (SNMP) Query probe updates IP address.

This fix addresses an issue when ISE is configured with the SNMP query and DNS probes. IP addresses were not mapped by the RADIUS, Dynamic Host Configuration Protocol (DHCP), or Cisco Device Protocol (CDP) probes.

Workaround

1. Use RADIUS authorization and IP device tracking to collect information via RADIUS Accounting. It may require RADIUS interim accounting to be enabled if Framed IP address is not populated on initial RADIUS Account Start.

2. Use DHCP probe for clients that support DHCP.

3. Use SNMP Query (triggered via RADIUS/SNMP Traps) for devices that support CDP.

CSCuq50447 Incorrect Security Group Tag (SGT) is displayed in the active sessions report if multiple SGTs are assigned.

This fix addresses an issue when multiple SGTs are assigned. ISE reports two SGTs but the active sessions report does not display them.

CSCuq95245 Change of Authorization (CoA) fails when guest credentials are suspended by Sponsor.

This fix addresses an issue in an ISE distributed deployment. When a guest account is suspended from the sponsor portal and there is an active session associated with these credentials, a COA fails after the account is suspended.

Workaround Send a manual CoA to suspend the guest account immediately.

CSCur11055 Monitoring Node (MnT) live logs is not displayed.

This fix addresses an issue in the monitoring node. Live logs are not displayed and there are errors in the MnT log collector.

Workaround Execute option 7 of the application configure ise command.

CSCur14902 ISE Domain Name Server (DNS) Resolution Failed for “hostname” from the ISE node “hostname”.

This fix addresses an issue when an alarm is generated during a DNS failure: DNS Resolution Failed for CNAME: “hostname” from the ISE node “hostname”, although Fully Qualified Domain Name (FQDN) and DNS responses have the same FQDN.

Workaround Contact Cisco Technical Assistance Center (TAC) to manually modify the alarm script.

CSCur20079 An error message is displayed when certain attributes are retrieved from the Active Directory (AD).

A search criteria based on the attributes of a specific AD user may throw the “ORA-12899: value too large for column “MNT”.”MNT_AAA_DIAGNOSTICS” error message.


Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 13

The following table lists the open issues in Cisco ISE 1.2.0 Patch 13 that may be resolved in other releases.

CSCur23949 Error messages are displayed in authentication policies for Firefox and IE browsers.

This fix addresses an issue in an authentication policy set rule containing many IF conditions. Firefox and Internet Explorer report an error message when using the “>” symbol and “HTTP Status 500”, respectively.

CSCur44079 Guest password expiration notification is not sent and related log messages are not displayed.

This fix addresses an issue when a customized sponsor language portal is created without a corresponding guest language template.

Workaround Create the missing language templates.

CSCur54734 A Certificate Signing Request (CSR) that crosses the maximum range of characters does not appear in the user interface.

This fix addresses an issue in the Certificate Signing Requests page. A CSR that exceeds the maximum range of characters results in ISE reporting that the CSR is created; however, it does not appear in the user interface.

CSCur62838 Apache dev mode web console is accessible in guest and sponsor portals.

This fix addresses an issue where, when a URL was clicked, the Apache dev mode web console was accessible in the guest and sponsor portals.

CSCur65990 RADIUS requests dropped due to a failure message.

This fix addresses an issue when importing network devices from the comma-separated values (CSV) file. The failure message “11007 could not locate Network Device or AAA Client” is displayed, although they are successfully loaded in ISE.

Workaround Contact Cisco Technical Assistance Center (TAC).

CSCur75323 Change of Authorization (CoA) issued through the REST API fails.

This fix addresses an issue in the Monitoring Node (MnT). The CoA issued through the REST API is communicated to the MnT instead of the Policy Service Node (PSN).

CSCus68798 ISE is vulnerable to CVE-2015-0235 Linux Ghost remote code execution.

This fix addresses an issue where a vulnerability related to a buffer overflow in the GNU C library (glibc) may affect applications that call certain functions. This vulnerability may allow an attacker to obtain sensitive information from an exploited system or in some instances, perform remote code execution by exploiting the privileges of the application.


Table 22 Cisco ISE Patch Version 1.2.0.899-Patch 13 Open Caveats

Caveat Description

CSCum82570 In the sponsor portal, changes made to a guest account containing double quotes result in an error message.

CSCun28218 A memory space of 2 GB is leaked outside the Java heap space by ISE. This leads to ISE running out of physical memory and using SWAP that results in authentication latency and slow performance.

Workaround Schedule reboots of the Policy Service Node (PSN) before the physical memory is depleted to prevent unscheduled outages.

CSCup15453 Running the Guest Sponsor Mapping Report increases CPU utilization on the primary Monitoring node.

This fix addresses an issue where generating the Guest Sponsor Mapping report for greater than 7 days resulted in increased CPU utilization of the primary Monitoring node warranting reboot.

Workaround Reboot the primary Monitoring node and generate reports for less than 7 days.

CSCup97285 In the guest portal, a high authentication latency alarm is sent when the Central WebAuth (CWA) is enabled with an AUP.

Workaround Disable AUP or carefully monitor high authentication latency alarms for false positives.

CSCuq95245 Change of Authorization (CoA) fails when guest credentials are suspended by Sponsor.

Workaround Send a manual CoA to suspend the guest account immediately.

CSCur12480 An end user is not redirected to the guest portal via the PlayStation 3 browser, although, the same user is able to gain access to the Sponsor and My Devices portals.

Workaround Use My Device portal to register the device and then create an authorization rule to match registered devices.

CSCur14902 An alarm is generated during a DNS failure: DNS Resolution Failed for CNAME: “hostname” from the ISE node “hostname”.

Workaround Contact TAC to manually modify the alarm script.

CSCur20079 A search criteria based on the attributes of a specific Active Directory user may throw the “ORA-12899: value too large for column “MNT”.”MNT_AAA_DIAGNOSTICS” error message.

CSCur23949 Unable to edit an authentication policy set rule, containing many if conditions, in Firefox and Internet Explorer.

Workaround Reduce the number of if conditions in the policy set rule, such as creating an identity group and referencing the group in the rule.

CSCur62838 Apache dev mode web console is accessible in guest and sponsor portals.


Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 13

Table 23 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 13. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Starting from Release 1.2.0 patch 12, Cisco ISE supports Mac OS X Yosemite release 10.10.

Patch 13 will not work with older versions of SPW and users need to upgrade their SPW.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to your system.

CSCur64918 ISE 1.2 replication stops when moving from monitoring to enforcement mode.

Workaround Reload the Primary admin node.

CSCur74721 Guest users expire after one week, even though they are set to expire after one year.

CSCur88138 The deployment list page shows status for all secondary nodes as 'Replication Stopped'. The replication however is working fine as verified by comparing replication logs on Primary PAN and secondary nodes.

CSCur90991 Exporting a report fails for ISE admin logged-in with an Active Directory (AD) domain prefix.

CSCur95329 Cisco IT: SNMP polling continues after NAD SNMP settings were disabled.

Workaround Delete NAD and recreate with SNMP settings disabled.

CSCur99705 SponsorAllAccounts member is unable to apply TimeProfile overriding the Maximum Duration of Account of the sponsor who created the account in the first place.

Workaround Increase Max duration of Account of SponsorGroupGrpAccounts / SponsorGroupOwnAccounts group to match the highest Time Profile allowed for SponsorAllAccount group.


Table 23 Cisco ISE Patch Version 1.2.0.899-Patch 13 Resolved Caveats

Caveat Description

CSCuh86591 ISE SNMP walk command fails for Wireless Access Points (WAPs) connected to a stacked 48 port switch.

This fix addresses an issue while connecting a WAP to a stacked 48 port switch. Profiling failed due to an error in the SNMP walk command triggered on interfaces 25 through 48.

CSCuj17272 Upgrade from Cisco ISE Version 1.1.3 to 1.2 breaks the identity source sequence.

This fix addresses an issue while upgrading from version 1.1.3 to 1.2. The identity store sequences failed to authenticate Machine Authentication Bypass (MAB), IEEE 802.1X (dot1x), Active Directory (AD), and internal users.

Workaround Remove any RSA SecurID identity stores from all identity source sequences and then delete the RSA SecurID identity stores from the server.

Recreate the identity stores and add them to the identity sequences.

Restart the nodes and ensure that the “Could not find ID store” message is not displayed on ise-console.log in any of the nodes.

CSCur94336 NAC Agent does not pop up in case user authentication has been preceded by a machine authentication.

This fix addresses an issue associated with the persistent agent. When the persistent agent is installed, the NAC agent does not pop up in case user authentication precedes machine authentication. When the persistent agent is not installed, the web browser is redirected to Client Provisioning Portal (CPP) and an HTTP 500 internal server error message is displayed.

Workaround

Clear the authentication session on the switchport.

[OR]

Unplug and reconnect the Ethernet connections or disable and enable the wired connection interfaces in Windows.

[OR]

If available, upgrade to IOS 15.2(2)E or 3.6.1E.

CSCum73765 Incorrect profiling information received with Simple Network Management Protocol (SNMP) Version 3 Query and Trap probes.

This fix addresses an issue with the SNMP v3 queries triggered by the SNMP Trap from switches that support linkup, linkdown, and MAC notification. The switch failed SNMP v3 authorization and resulted in session termination. The same was observed when SNMP v3 query was triggered by a RADIUS Authentication probe.


CSCuq86420 SNMP queries triggered via RADIUS traps fail.

This fix addresses an issue when an SNMP query is triggered by accounting start messages by devices that are not connected to the master stack.

Workaround Lower the global SNMP query timer, configure SNMP Traps, or move endpoint devices to the master switch in the stack.

CSCuq93969 Authorization Profile using Centralized Web Auth (CWA) returns to default when static host is used.

This fix addresses an issue in the Policy > Policy Elements > Results > Authorization > Authorization Profiles page. In the Common Tasks section, when Centralized Web Auth is selected and Redirect is set to Manual, it works only for the first login attempt and does not go back to the Default option for subsequent login attempts.

CSCuq97996 My Devices Portal does not display MAC addresses of Active Directory (AD) users.

This fix addresses an issue in the Administration > Identity Management > Identities > Endpoints page. MAC addresses of devices that are authenticated through the Active Directory (AD) are not displayed in the Endpoints page.

Workaround

3. Open MyDevices_Portal_Sequence Identity store sequence.

4. Remove and add the AD store and save it.

5. Test again with an AD user.

CSCuo41482 ISE GUI login fails for external Active Directory (AD) identity source.

This fix addresses an issue where ISE GUI login fails for external AD accounts that belong to group names containing Russian characters and displays the following message: “HTTP Status 500 - Internal Error”.

CSCuo43577 Server-side validation warranted for collection filters.

This fix addresses an issue in the Administration > System > Logging > Collection Filters page. Upon adding a New Collection filter, the Attribute field allowed invalid characters to be entered due to failed server-side validation.

CSCuo66847 A saved scheduled report ceases to exist in the Scheduled Reports list when edited.

This fix addresses an issue in the Operations > Reports > ISE Reports > Saved and Scheduled Reports page. When a user edits a saved scheduled report, it does not display in the Scheduled Reports list.

Workaround Recreate the scheduled report before editing it. To delete the report that was not displayed in the Scheduled Reports list, you can log in with a generic admin account and view all reports.

CSCuo80929 An error message is displayed for guest usernames with special characters.

A “value too large” error message is displayed for guest usernames containing special characters.

Workaround Avoid using special accented characters in guest usernames.

Table 23 Cisco ISE Patch Version 1.2.0.899-Patch 13 Resolved Caveats

Caveat Description

Cisco ISE, Release 1.2.0.899 Patch Updates

CSCup17245 A “value out of range” message displayed while editing guest account duration.

This fix addresses an issue while trying to change the account duration of a guest account. An error message is displayed and a calendar is displayed on clicking the Submit button.

Workaround Select the guest and click the “Change Duration” button to edit the account duration. The problem is encountered only when editing expired guest accounts.

CSCup37937 ISE OpenSSL CCS injection vulnerability.

This fix addresses an issue where ISE was vulnerable to OpenSSL CCS (CVE-2010-5298, CVE-2014-0224).

CSCuq22636 ISE does not ask for Link Layer Discovery Protocol (LLDP) attributes for triggered RADIUS or SNMP trap.

This fix addresses an issue when ISE failed to send an SNMP query to obtain LLDP data in response to a triggered RADIUS or SNMP trap.

Workaround Use the ISE SNMP polling interval.

CSCuq32696 ISE Policy Service Node (PSN) removes proxy state attributes from Inline Posture Node (IPN/IPEP).

This fix addresses an issue in the IPEP, which serves as the proxy for RADIUS requests from the ASA to the PSN. The IPEP inserts a proxy state attribute in its RADIUS request. The PSN that is configured in proxy mode authenticates the external RADIUS server by inserting another proxy state attribute. On receiving a reply from the external RADIUS server, the PSN removed its own proxy state attribute as well as the one inserted by the IPEP, which resulted in IPEP authorization failure.

CSCuq53846 A user logging in with an expired guest account is redirected to the default Cisco branded portal.

This fix addresses an issue while logging in with an expired guest account. When using mobile devices, the client was redirected to the default Cisco branded portal without displaying any error message.

CSCuq71479 Poll Mobile Device Management (MDM) Server Thread is not getting restarted when we update Interval.

This fix addresses an issue when the polling interval value was changed. The PollMDMServerThread did not restart based on the polling interval value. Also, it did not poll device compliance for the specified time.

CSCuq85955 ISE sends Change of Authorization (CoA) with empty session ID for Local Web Authentication (LWA).

This fix addresses an issue in an LWA deployment when ISE sent a CoA disconnect with an empty session ID. The request was dropped by the Wireless LAN Controller (WLC) and an unnecessary alarm was generated.

Workaround Disable or ignore the alarm.

CSCuo24442 Patch numbers do not display in sequence in the PDP or Policy Services Node (PSN).

This fix addresses an issue while installing patches through the GUI. The Patch Information field did not display the patch numbers in sequence.

CSCuh75367 The Network Access Device (NAD) sends an incorrect call-check message when host lookup is disabled.

This fix addresses an issue in the Policy > Policy Elements > Results > Authentication > Allowed Protocols > Allowed Protocols Services List page. When the Process Host Lookup option was checked the NAD displayed an incorrect call-check message instead of notifying that Process Host Lookup was disabled.

CSCur09231 A sponsor is able to create a guest user account beyond the specified date.

This fix addresses an issue when a sponsor was able to create an account even after the expiry of the specified Account Start Date and Maximum Duration of Account in the Sponsor group policy.

CSCun81620 Changes made to a compound guest condition affects the previously entered guest condition.

This fix addresses an issue where a change made to a compound guest condition in the Primary Administration Node (PAN) affects the previously entered guest condition while upgrading to ISE 1.2 from 1.1.x.

CSCum60627 Extensible Authentication Protocol (EAP) session memory leaks on retransmission of RADIUS messages.

This fix addresses an issue encountered with an EAP session memory leak. ISE retransmits the last RADIUS message in response to duplicate packets from the Network Access Server (NAS), and the client (NAS or supplicant) dropped the conversation.

Workaround Avoid losing packets by NAS.

CSCug90087 Database locked after Reset M&T Database command is executed.

This fix addresses an issue when the database was locked after executing the Reset M&T Database command. Subsequent execution of Reset M&T Session Database command failed.

Workaround Reload the ISE node.

CSCuj76383 Admin user receives redundant password expiration email notifications.

This fix addresses an issue when an admin user received two password expiration email notifications for a password that was about to expire.

CSCun25815 Intermittent user authorization failure on Policy Service Node (PSN).

This fix addresses an issue when user authentication is successful but authorization fails via the PSN. Intermittently, users are authorized using the default authorization policy instead of the configured authorization policy due to corrupted Active Directory (AD).

Workaround

1. Execute the application configure ise command and select option 5 to clear the cache.

2. Reboot the system to clear the corrupted pointers.

CSCun25178 Collecting group information takes longer due to Security Identifiers (SIDs).

This fix addresses an issue when ISE failed to resolve SID history, belonging to a trusted domain/forest, to the corresponding group names.

CSCuo54201 MnT pages are vulnerable to SQL injection.

This fix addresses an issue where a vulnerability in the MnT pages of Cisco ISE may allow an attacker to impact integrity by executing arbitrary SQL queries.

CSCum55279 & CSCuo54146 Cross-site Scripting (XSS) computer security vulnerability in MnT search page.

This fix addresses an XSS vulnerability in the MnT search pages under Operations > Troubleshoot > Diagnostic Tools > General Tools.

CSCur42461 Packet capture file accessible to unauthenticated or unauthorized users.

This fix addresses an issue where unauthenticated and unauthorized users were able to access and download the packet capture file from admin UI.

CSCur57482 Intermittent failure to load sponsor and guest portals.

This fix addresses an issue when an end user navigates to “internet.xxx.com” web pages. The sponsor and guest portals either load slowly or fail to load intermittently.

CSCul71176 Endpoints manually assigned to identity groups might change groups randomly.

This fix addresses an issue where endpoints that were manually assigned to an identity group would sometimes randomly show up belonging to another identity group if profiling is enabled.

CSCul94611 ISE Dashboard fails to display live consolidated and correlated statistical data.

This fix addresses an issue when the ISE Dashboard stops updating statistical data based on the endpoints that connect to the network.

Workaround

In the command-line interface (CLI), enter the following command to enable the dashboard to display statistical data:

ms-ise-mgm01/admin# app config ise

Selection ISE configuration option

[1]Reset Active Directory settings to defaults

[2]Display Active Directory settings

[3]Configure Active Directory settings

[4]Restart/Apply Active Directory settings

[5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings

[6]Enable/Disable ERS API

[7]Reset M&T Session Database

[8]Rebuild M&T Unusable Indexes

[9]Purge M&T Operational Data

[10]Reset M&T Database

[11]Refresh M&T Database Statistics

[12]Display Profiler Statistics

[13]Exit

Execute the following command options:

[7]Reset M&T Session Database

[10]Reset M&T Database

[11]Refresh M&T Database Statistics

CSCun00215 ISE RSA Agent Exhausted Under Heavy Load

This fix addresses an issue where the RSA agent became unresponsive due to a very large number of simultaneous PAP requests.

CSCur43427 ISE Policy Service Node (PSN) rejects RADIUS request, deadlock found in the catalina.out file.

This fix addresses an issue where the PSNs reject the RADIUS request and Java-level deadlock messages were found in the catalina.out file.

Workaround Restart ISE services.

CSCur36690 Dot1x and MAC Authentication Bypass (MAB) overlap.

This fix addresses an issue when there was Dot1x and MAB authentication overlap, which resulted in incorrect authorization policies being applied.

CSCur29078 ISE evaluation of SSLv3 POODLE vulnerability.

This fix addresses an issue where the impact of the SSLv3 POODLE vulnerability on third-party software was tested.

CSCur41673 Unauthenticated retrieval of backup password.

This fix addresses an issue where the backup password was retrieved with an unauthenticated POST request.

CSCur35455 Accounting requests dropped with Message 5441.

This fix addresses an issue when new RADIUS accounting requests were dropped with an error message that the endpoint had started a new session while the packets of the previous session were being processed.

CSCui15057 ISE IP cache does not ignore Martian addresses of endpoints.

This fix addresses an issue where the IP cache is updated when Martian addresses are sent via RADIUS requests. An attacker may leverage this to pollute the endpoint tables, mask IP endpoints, or cause instability in the network.

CSCul41053 The localapp authentication servlet fails.

This fix addresses an issue where the localapp authentication servlet allowed the changing of the admin's password. A user with lower privileges may be granted higher privileges resulting in the compromise of the admin account.

Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12

Table 24 lists the open issues in Cisco ISE 1.2.0 Patch 12 that may be resolved in other releases.

Table 24 Cisco ISE Patch Version 1.2.0.899-Patch 12 Open Caveats

Caveat Description

CSCty46687 The Cisco Identity Services Engine (ISE) is affected by a cross-site scripting (XSS) vulnerability.

CSCty60811 Clients are not redirected to the Posture Remediation page to download the NAC agent.

CSCtz29311 SecPAP promotion is slow with FCS 1.1(alpha data) to 1.1.1.183 upgrades.

CSCtz99443 Node replication status in the deployment page always shows 'IN-PROGRESS' message to the Secondary nodes that are deployed over WAN.

CSCua10173 Changing or disabling alert rules or criteria triggers HTTP Status 400 - Request not processed message.

CSCub19047 Characters such as Hyphen (-) and dot (.) are not supported as part of the VLAN ID\Name.

CSCub35768 ISE Upgrade from 1.0 to 1.1 failed because data access permission to the user is denied.

CSCub64247 Cisco Application Deployment Engine (ADE) OS does not accept users with passwords containing front slash.

CSCub87687 Language templates in the guest portal sets a limit of 4000 characters.

CSCub99130 Corruption of database results in the loss of ISE certificates and keys.

CSCuc26772 Network devices are not displayed in the navigation pane when the Network Device Group is selected.

CSCud20339 Onboarding a device using single/dual SSID with Transport Layer Security (TLS) profiles fails.

CSCud46215 Detailed authentication failure message is not displayed for sponsor user group.

CSCud52161 Active Directory (AD) operation failure because of an unspecified error in ISE.

CSCud79538 ISE fails with two active certificates.

CSCud86135 During initialization failure ISE sends wrong alarms.

CSCud92384 Incorrect error messages displayed when ISE application server is down.

CSCue14481 “Internal error” message displayed when the number of guest user accounts created is 100,000.

CSCue23875 The monitoring database stops adding new entries for operating system strings that exceed the maximum value of 100 characters.

CSCue27949 The reset-passwd command does not allow the usage of special characters.

CSCue30432 Launch program remediation does not allow the usage of double quotes.

CSCue33447 Editing authorization profile by adding static Internet Protocol (IP) address or host name changes the redirect back to 'Default' and the 'Value' is empty.

CSCue46758 Identity Services Engine (ISE): 86107-Session cache entry missing during guest authentication.

CSCuf33854 Nessus 53491 - Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) renegotiation DoS OpenSSL reported medium vulnerabilities.

CSCuf60933 Slow GUI with large Cisco Telepresence System (CTS) Egress Matrix.

CSCuf84159 Identity Services Engine (ISE) admin access does not work with External RSA authentication.

CSCug20348 Machine authentication with Active Directory (AD) fails with MNT error “24485 Machine authentication against Active Directory has failed because of wrong password” and does not reflect the issue.

CSCug27409 Import of comma-separated value (CSV) file for Network Devices failed in ISE 1.1.3.

CSCug34679 Identity Services Engine (ISE) drops keep alive authentications coming from wireless LAN controller (WLC) marking ISE as dead.

CSCug51137 User authentication over 3 days failed with Uncaught exception.

CSCug51530 Failed to send message: Socket closed, MsgType: 901.

CSCug90087 Database lock not removed after execution of reset monitoring database command.

CSCuh23877 “Identity Store Unavailable” alarm not getting triggered after authentication failed.

CSCuh41473 Active Directory (AD) group not saved as external admin group if containing a "!" character.

CSCuh47459 Connection error on Backup and Restore page after successful restore and backup.

CSCuh50486 Identity Services Engine (ISE) validates only if Domain Name Server (DNS) entry for the host exists, but not for Internet Protocol (IP) address.

CSCuh54734 Acknowledgment of alarms does not work when the instances are over 1000 occurrences.

CSCuh57033 Error message not displayed to mobile users in Central WebAuth (cwa) with invalid credentials.

CSCuh79430 Machine Access Restriction (MAR) Cache on Access Control Server (ACS) not corrected when Machine removed from Active Directory (AD).

CSCuh79607 Identity Services Engine (ISE) Active Directory (AD) group matching fails due to forward slash in AD group name.

CSCuh86591 Identity Services Engine (ISE) Simple Network Management Protocol (SNMP) profiling failed when connected to 48 ports stacked under 24 ports switch master.

CSCuh87451 Browser redirected to the guest portal when declining acceptable use policy (AUP) through a Device Registration Web Authentication (DRW).

CSCuh89530 404 Error on MnT GUI and wrong persona in deployment page after customer database restore.

CSCuh96440 Could not determine prior Cisco Agent Installation on Windows or MAC OS X machines in pre-posture state.

CSCui01605 Admin cannot duplicate and save policy-set if existing policy set has user defined simple condition.

CSCui09203 Identity Services Engine (ISE) fails when an accounting message contains a long class string.

CSCui15711 Internal error encountered while creating guest user with a time profile that was deleted and recreated with the same name.

CSCui16843 Operational backup or restore failed when primary monitoring node is not reachable due to power down or inner shut down.

CSCui25164 Identity Services Engine (ISE) sponsors cannot view accounts that it created after change of group.

CSCui48401 Spaces in email when creating user in sponsor portal caused error in Identity Services Engine (ISE).

CSCui53920 Identity Services Engine (ISE) 1.2 dashboard metric % posture compliance is wrongly calculated for posture status other than “Compliant” or “Not Applicable”.

CSCui63474 Dynamic Host Configuration Protocol (DHCP) Switched Port Analyzer (SPAN) not starting unless Internet Protocol (IP) is assigned to the interface.

CSCui65057 Current iso-to-usb.sh script does not set the proper path for syslinux when used on CentOS 6.4.

CSCui65835 Devices in the network device list are not visible when customer logs in to the Web GUI with Active Directory (AD) credentials.

CSCui72087 Default access restrictions not securely enforced on several pages existing within the Inbox, Alarms, and Schedule pages.

CSCui82602 Guest Cache Issues for Identity Groups.

CSCui82615 Guest account cache issues for time profiles set by the sponsor.

CSCuj19173 MemberOf attribute fails with regular expression if group belong to an Organizational Unit (OU) in Active Directory (AD).

CSCuj20969 Network Device Session status report fails for a switch with message “SNMP information is not configured for this device in ISE.”

CSCuj30442 ISE Application Deployment Engine (ADE) does not allow the deletion of certain files from local repository.

CSCuj30585 ISE Client Provisioning Portal (CPP) allows MAC configuration for WebAgent.

CSCuj42566 ISE guest reporting does not identify the sponsor who effects changes to a guest account.

CSCuj58037 iPEP ISE 1.2 in routed mode does not use service Internet Protocol (IP) for RADIUS packets.

CSCuj61976 Admin Graphical User Interface (GUI) fails to display certain GUI pages when using Firefox 25.

CSCuj63421 Creating ISE shared reports via interactive viewer is broken.

CSCuj64008 Profiler feed service policy for Amazon Kindle Fire tablet to be devised.

CSCuj68540 Monitoring (MnT) schema upgrade script is logging INFO messages as ERROR and WARNING.

CSCuj71399 Performing backup through the GUI or CLI throws “A backup or restore is already in progress” error.

CSCuj71819 Accented characters in guest username displayed in HEX format in ISE GUI.

CSCuj76383 Admin user receives two email notifications for password expiry.

CSCuj88351 Loading a corrupted Certificate Authority (CA) certificate on startup causes config rollback with related problems.

CSCuj99801 External RESTful Services (ERS) error codes are not consistent for the same action pertaining to different categories.

CSCuj99912 ISE 1.2 External RESTful Services (ERS) filter by name for Security Group Tag (SGT) category fails.

CSCul00148 Start and end time profiles display according to ISE timezone instead of Guest timezone.

CSCul00743 The Operation > Authentication page is blank for invalid characters in username.

CSCul00985 Ubuntu laptop users without posture checks are redirected to the Client Provisioning Portal (CPP) page after Centralized Web Authentication (CWA).

CSCul02830 Active Directory (AD) test connection fails for domain\user-ID.

CSCul05429 Authorization rule does not match CVPN3000/ASA/PIX7x-Tunnel-Group-Name.

CSCul05764 Incorrect references when Certificate Authority (CA) ID Store Name is changed.

CSCul08673 Export of custom report for a date range failed.

CSCul30358 Active Base license count exceeds the allowed license count.

CSCul37463 Scheduled backup does not work on upgrading from previous version to 1.2.

CSCul45573 Network Access Device (NAD) config does not accept % in RADIUS shared secret/SNMP community string.

CSCul47387 Character limit should be increased for policy rule name.

CSCul53156 Device Registration page is blank when used with AddTrust certificates.

CSCul56940 Endpoint profiling is incorrect when two Cisco or Linksys routers are connected to a Multi-Domain Authentication (MDA) port.

CSCul65329 ADclient cache is not cleared via the application configure ise command.

CSCul82600 Unable to delete custom attribute even after deleting the linked authentication policy.

CSCul86934 On executing the reset-config command, ISE Secure Shell (SSH) sessions are allowed only from allowed Internet Protocol (IP) access subnets.

CSCul88799 Cisco Integrated Management Controller (CIMC) KVM console displays “Out of Range” against a green background, on entering the “terminal length X” command.

CSCul92356 Devices registered by Guest users fall into the Unknown group.

CSCul94611 ISE Dashboard fails to display live consolidated and correlated statistical data.

CSCul94858 Certificate Revocation List (CRL) retrieval does not use globally configured proxy server.

CSCul95195 Custom Supplicant Provisioning Wizard (SPW) for Telstra RADIUS proxy with differentUserName and nonBroadCast options unchecked.

CSCul96935 An hour difference between Graphical User Interface (GUI) and Command Line Interface (CLI) during daylight savings time.

CSCum05014 ISE does not display endpoint profiling policies in the Graphical User Interface (GUI).

CSCum41336 ISE reports fail on Network Control System (NCS) platform cross launch.

CSCum41378 Static profile assignments to an endpoint Identity group for some devices are removed resulting in device reprofiling.

CSCum46269 Active endpoints count on the dashboard does not match the actual active endpoints, when there is a surge of endpoints.

CSCum48676 ISE 1.2 does not display information in the System Summary Applet on the dashboard if the Logging Category is set to a severity level other than INFO.

CSCum49249 External RESTful Services (ERS) Application Programming Interface (API) does not list all endpoints as specified in the Software Development Kit (SDK) guide.

CSCum53319 Diagnostics for failure to download the Certificate Revocation List (CRL) should be precise.

CSCum58581 MAC OSX 10.9 device is not redirected to the Bring Your Own Device (BYOD) flow when using the guest device registration page.

CSCum60924 Extensible Authentication Protocol (EAP) chaining mode does not allow more than one value for the EapAuthentication attribute.

CSCum68149 The Live Authentication Report page does not display the accurate currenttime and currentdate attributes.

CSCum69229 Create Random Accounts setting using Google Chrome does not display the desired results.

CSCum70441 Incorrect value is displayed for the GET request sent to find the total internal users in ISE External RESTful Services (ERS) Application Programming Interface (API).

CSCum72386 Endpoints delete all confirmation messages when “No” button is deactivated.

CSCum73765 Profiling with SNMP v3 Query fails when triggered by SNMP trap/RADIUS Accounting probe.

CSCum86183 Notifications for license expiry alarm are received from deregistered nodes.

CSCum86331 ISE does not allow comma in Organizational unit name (OU) or Organization name (O) fields when creating a Certificate Signing Request (CSR).

CSCum95069 Inline Posture Node (IPN) sends only username for authorization when Extensible Authentication Protocol (EAP) chaining is configured.

CSCun00882 ISE does not create logs of erroneous usernames in the sponsored guest portal.

CSCun21197 In a simple authentication condition, if the operator “Ends with” or “Not ends with” is used, it is not saved properly.

CSCun23340 Randomly created guest users are not displayed in Firefox.

CSCun23357 Uploaded guest users are not displayed in Firefox.

CSCun25832 Unable to activate expired guest accounts.

CSCun28218 ISE: Java Memory Leak outside of Heap space.

CSCun31175 Registered endpoint report does not include manually added devices.

CSCun33755 Unable to create the required number of Guest accounts from the sponsor portal.

CSCun33774 The status of a new guest user account that is created in the sponsor portal is Active instead of Awaiting Initial Login.

CSCun42967 ISE 1.2: The SNMP process stops randomly.

CSCun45607 ISE incorrectly authenticates users based on the authorization PAC file.

CSCun46242 Deletion of the Thawte Primary Root CA from ISE results in failure of provisioning and posture updates.

CSCun48940 ISE Radius authentication over Gig1 stops if Gig0 down.

CSCun53951 ISE presents self-signed certificate instead of CA-signed certificate.

CSCun57304 The KRON command is not working for backup logs.

CSCun59740 ISE 1.2: Only 5000 entries are displayed when viewing Guest Live reports.

CSCun81620 Editing a guest condition in PAN applies the same changes to the previous condition.

CSCun89615 ISE duplicate attributes cause failure to locate network devices.

CSCun89771 Running ISE reports for 30 days generates only up to 100 pages.

CSCun92193 In Certificate Authentication Profile (CAP), ISE selects incorrect information from the SAN field for multiple entries.

CSCun94882 ISE 1.2: Change of Network Device Group name does not reflect in CSV export.

CSCun95554 The monitoring node stops logging for email notification configured on ISE.

CSCun96746 ISE self registering guest users do not inherit specified time profile.

CSCun97251 ISE 1.1.4: Cannot find machine with DNS suffix which does not exist on the Domain Controller Group List.

CSCun98217 Cross-Domain referer leakage in Admin portal.

CSCuo00404 ISE 1.2: ACL syntax checker is incorrect.

CSCuo05180 Cannot authorize external certificate authenticated users by using the device's identity group as an “other condition”.

CSCuo05345 Cannot match an Authorization policy rule configured with an “other condition” of IdentityGroup:Name.

CSCuo14398 ISE 1.2: ISE disregards the current password policy when editing an internal user.

CSCuo14953 ISE: MobileIron MDM test connection passes but Save fails.

CSCuo16506 Internal users cannot change their password in the guest portal.

CSCuo19521 Repository in the WebGUI with special characters fails.

CSCuo24274 SNMP should run in all interfaces not only in Gig0.

CSCuo24384 ISE: Guest:Mobile Portal in Custom portals does not follow browser local language.

CSCuo39832 ISE takes IP address from same subnet and has incorrect ARP entries.

CSCuo41482 GUI admin Active Directory (AD) login fails with HTTP error 500.

CSCuo41713 Identity Services Engine (ISE) 1.2: Installation of patch 5 in distributed deployment caused first time login users to go active.

CSCuo54987 Identity Services Engine (ISE) does not drop Radius packet if value is too large for database.

CSCuo58786 Authentication, authorization, and accounting (AAA) services not available during purging of guest users.

CSCuo60767 Identity Services Engine (ISE) UTF-8 character encoding displayed garbage characters on screen for profiler attribute.

CSCuo62245 Failed to purge data from the operations database.

CSCuo63358 Incorrect success message being displayed, when provisioning Apple iOS Device through supplicant portal in Bring Your Own Device (BYOD) SSID.

CSCuo64251 Unable to manage ISE AD user device as it does not show up in “My Devices” portal.

CSCuo66847 When a user edits a saved scheduled report, it ceases to exist.

CSCuo67423 Reconfiguring the IP address of an iPEP node with the service IP that was previously used results in missing tabs in high availability configuration.

CSCuo68012 ISE services fail to start when time zone is set to Asia/Riyadh89.

CSCuo78051 A custom portal setting is saved but the configured setting fails to reflect in the GUI.

CSCuo78457 An SNMP probe that is configured to match a profile using the “CONTAINS” operator fails.

CSCuo78949 Changing the password policy in the GUI of Primary PAP server does not change the password policy in the iPEP server.

CSCuo79012 Unable to support SNMP triggered queries with NAD using iOS version with deprecated STACK-MIB.

CSCuo80929 A “value too large” error message is displayed for guest usernames with special characters.

CSCuo93398 Unable to integrate the Active Directory (AD) with ISE using the admin GUI.

CSCuo94313 Unable to pull Lightweight Directory Access Protocol (LDAP) groups for admin/service accounts containing the “+” sign in the password.

CSCuo95635 Change of Endpoint Device Group name appears correctly in the Identity Group Assignment option but fails in the Identity Group.

CSCuo95660 Endpoints exported to a comma-separated values (CSV) file display an incorrect endpoint device group name.

CSCuo97007 Failed to start database during initial setup for Identity Services Engine (ISE).

CSCuo99160 Identity Services Engine (ISE) 1.2: Failed registration and GUI error thrown when Policy Service Node (PSN) failed to ping Primary Administration Node (PAN) during registration.

CSCup03116 Identity Services Engine (ISE) 1.2: Editing NDG does not update AuthC/AuthZ conditions.

CSCup05013 Identity Services Engine (ISE) 1.2: p8 IOS-XE switch profiled as unknown endpoint.

CSCup08017 Accidental Ctrl + C should not break Restore/Upgrade during important operations.

CSCup15453 Identity Services Engine (ISE) Guest Sponsor Mapping Report causes CPU on primary MnT node to increase dramatically.

CSCup16700 Reset password does not check for valid user before asking for new password.

CSCup17245 “Value out of range” error displayed when editing a guest account.

CSCup20844 Identity Services Engine (ISE) NAC agent does not pop up if machine and user authentication is connected to switch sw: 15.2(1)E.

CSCup22534 Multiple vulnerabilities in OpenSSL/CiscoSSL released during June 2014.

CSCup27305 Identity Services Engine (ISE) 1.2: DACL Validator does not enforce source must be “any”.

CSCup32455 Identity Services Engine (ISE) 1.2: Password for admin user detected in clear text in the file support\dbexport\ise-dbimport.sh.

CSCup38457 Importing guest account using comma-separated value (CSV) failed through sponsor portal.

CSCup42129 Swiss/posture INFO logs filling ise-psc.log and not moving to DEBUG level.

CSCup45530 Identity Services Engine (ISE) External RESTful Services (ERS): Cannot modify staticProfileAssignment field without specifying the endpoint's current profileId.

CSCup45594 Identity Services Engine (ISE): External RADIUS server is not persistent after failover.

CSCup47501 Identity Services Engine (ISE) 1.2.1: Inline Posture Enforcement (iPEP) node interface driver booting out of order with no response when cable remains plugged into interface Gig Etho.

CSCup47873 Identity Services Engine (ISE) upgrade failed due to LOB corruption.

CSCup55211 Identity Services Engine (ISE) 1.2: Mobile Device Management (MDM) input Validation with % in password cannot login.

CSCup57288 Bring Your Own Device (BYOD) DUAL SSID with native supplicant provisioning results in a second entry in the live authentication log.

CSCup57871 ERS cannot filter by username, if it is a number.

CSCup60155 Guest users are deleted when upgrading or restoring a backup from ISE 1.1.x to ISE 1.2.1.

CSCup64698 On IPN ISE 1.2, latency is caused by the HDPARM process every 10 minutes.

CSCup67195 While upgrading from ISE 1.2 to ISE 1.2.1, upgrade failure occurs in Step 3 due to invalid certificate.

CSCup69753 After deleting a profile in Simple Certificate Enrollment Protocol (SCEP), an error message is displayed when the associated Registration Authority (RA) certificate is removed.

CSCup69985 ISE VM on which DB is restored is not accessible via SSH and GUI. Only ping and console are available.

CSCup72664 In ISE 1.2, the guest account time profile is reset to one day.

CSCup80194 ISE deletes VLAN to SGT mappings while deploying IP-to-SGT mapping.

CSCup88564 Use a different name for a newly created time profile.

When the old time profile is deleted, you cannot reuse the same time profile name for a newly created time profile.

CSCup89812 Upgrade from ISE 1.1.2 to ISE 1.2 fails because of posture rules.

CSCuq11966 Multi-nested custom profiles cannot be created.

CSCuq14441 Replication fails on deployment when custom portal is deleted.

CSCuq17787 ISE crashes when the value of Type Field Length is set to 2.

CSCuq22514 In ISE 1.2, when the authorization and authentication policies are set to Monitor Only mode, the details of the policy names are not displayed.

CSCuq22636 ISE does not ask for LLDP attributes for triggered RADIUS or SNMP traps.

CSCuq24719 When upgrading to ISE 1.2 Patch 9, account start time is not updated in Sponsor portal.

CSCuq32696 ISE Policy Service Node (PSN) removes proxy-state attributes from Inline Posture Node (IPN/IPEP).

CSCuq35206 In ISE 1.2, the shutdown command is present in the running configuration of the interface while the interface is operational.

CSCuq35663 Attribute retrieval for a user fails when AD sends back photo thumbnail.

CSCuq39743 Importing guest users on ISE using sponsor bypasses mandatory fields.

CSCuq40153 Quick filter option does not work when it is used to search endpoint profiles using a MAC address.

CSCuq43889 IP address learned from SNMP query should trigger DNS probe.

CSCuq45219 Renewing Ticket Granting Ticket (TGT) fails if there are Read Only (RO) domain controllers.

CSCuq48588 Replace cross-signed thawte Primary Root CA with its normal version.

CSCuq52277 Error occurs when there are too many node entries in Subject Alternative Name (SAN) field in CA certificate.

CSCuq53846 A user logging in with an expired guest account is redirected to the default Cisco branded portal without displaying an error message.

CSCuq64817 DB import fails in ISE 1.2.

CSCuq83249 After upgrade from ISE 1.2 Patch 8 to ISE 1.2.1 Patch 1, guest user authentication fails if they log in after the time profile validity time.

CSCuq85679 Change of Authorization (CoA) is not sent from ISE to Wireless LAN Controller (WLC) for guest users.

CSCuq85955 For an LWA deployment, ISE sends CoA disconnect with empty session ID.

CSCuq86420 Triggered SNMP Query via RADIUS traps not working.

CSCuq90710 Posture policies are not listed after creation.

CSCuq92558 PSNs move to Replication Stopped state when the application server does not start normally.

CSCuq92574 In ISE 1.2.1, Bring Your Own Device (BYOD) profile installation fails.

CSCuq93969 Authorization profile using CWA returns to default when static host is used.

CSCuq95245 ISE 1.2, CoA fails when guest credentials are suspended in the Sponsor portal.

CSCuq96971 In ISE 1.2.1, Framed-Pool attribute is not available in the authorization profile.

CSCuq97996 MyDevices portal does not display MAC addresses added by the AD user.

CSCur00110 Sponsor login fails when child user group is added as a guest in the sponsor group.

CSCur03113 Local Web Authentication (LWA) language template is corrupted after upgrading to ISE 1.2.1.

CSCur07303 ISE GUI 1.x (except ISE 1.3) does not allow importing more than 100 custom portals.

CSCur09231 In ISE 1.2.1, if a sponsor account is configured to use Account Start Date, the sponsor creates an account even after that date.

CSCur09439 SCEP EAP-TLS flow on OS X 10.9.5 fails to install the profile or provision certificate.

CSCur11055 When running ISE 1.2.1, MNT Livelog does not display logs.

CSCur11083 MNT Livelog displays incorrect user details.

CSCur12480 In ISE 1.2.1 guest flow, redirection to the guest portal via PlayStation 3 browser fails.

CSCur19320 Sponsor users who are not granted privileges are able to view and edit guest accounts using the search criteria.

CSCur36291 Delay in BYOD Success Message.

In Mac OS X 10.10, there is a delay in the CoA after SPW and hence when the users click the Exit button, they do not get access.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12

Table 25 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 12. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Starting from Release 1.2.0 patch 12, Cisco ISE supports MAC OSX Yosemite release 10.10.

Patch 12 will not work with older versions of SPW and users need to upgrade their SPW.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to your system.

Table 25 Cisco ISE Patch Version 1.2.0.899-Patch 12 Resolved Caveats

Caveat Description

CSCul43926 Difficulty in reading the catalina.log.

This fix addresses an issue in the Operations > Troubleshoot > Download Logs > Appliance node list page. When the Debug Logs tab was selected for the required node, the catalina.log file displayed the “work_pending_i: Interrupted system call” message.

CSCum05562 Change of authorization (CoA) failed with Policy Sets.

This fix addresses an issue in the Administration > System > Settings > Policy Sets page. The CoA associated with an endpoint profiling policy was not enabled when using policy sets.

Workaround Disable policy sets or enable change of authorization (CoA) from monitoring node using fast reauthentication on switch.

CSCum94858 Guest Sponsor Mapping report truncates the username.

This fix addresses an issue in the Operations > Authentications > Reports > Endpoints and Users page. The Guest Sponsor Mapping report displayed the domain name but truncated the user name that appears after the ‘\’ character.

CSCun04863 ISE sent alarms for expired advanced evaluation licenses.

This fix addresses an issue where ISE sent alarms for expired advanced evaluation licenses although no advanced features were used.

Workaround Disable license alarms.

CSCun49379 Error in the custom Device Registration page redirects to the Login page.

This fix addresses an issue in the Device Registration page. Instead of the ERROR_PAGE, guest users were redirected or mapped to the CUSTOM_LOGIN_PAGE when a wrong MAC address was encountered.

CSCun66269 Data access permissions for role-based access control (RBAC) does not work for Locations selection.

This fix addresses an issue when you create a custom group of users with a set of Data and Menu access RBAC permissions. The data access criteria selected for the Location access does not work with multiple rules set in the same hierarchy of network device groups.

Workaround Create rules only for the low-level network device groups.

CSCuo23637 ISE Role-Based Access Control (RBAC) policy failed to control the defined access policies.

This fix addresses an issue in the Administration > Identity Management > Identities > Users page. The access policies that were defined for a particular admin group were displayed for all User Identity Groups.

CSCup20586 Mix-up in the Extensible Authentication Protocol (EAP) and MAC Authentication Bypass (MAB) attributes for the same endpoint.

This fix addresses an issue when there are simultaneous EAP and MAB authentication requests for the same endpoint with the same audit session ID. The two authentications share the same entry in the session cache and create a mix-up of attributes.

CSCup62622 Default Sponsor Portal Fully Qualified Domain Name (FQDN) setting is changed to the FQDN of the Policy Service Node (PSN).

This fix addresses an issue in the Administration > Web Portal Management > Settings > General > Ports > Portal FQDNs page. If the user changed the “Default Sponsor Portal FQDN” setting on the admin GUI, services were restarted on the PSN. On accessing the admin GUI of the PSN via a URL, the user was redirected to the sponsor portal.

Workaround Contact the Cisco Technical Assistance Center (TAC).

CSCup74180 Conditions defined for a Sponsor Group failed.

This fix addresses an issue in the Administration > Web Portal Management > Sponsor Groups page. The Authorization Levels, Guest Roles, and Time Profiles set for a particular sponsor group failed.

CSCup80994 ISE Policy Service Node (PSN) crashes due to network access device (NAD) missing shared secret.

This fix addresses an issue when ISE app-svr crashed and Java core dump reported failure while trying to obtain the NAD IP address with missing shared secret configuration in ISE. Specifically, this occurred during dynamic authorization. Although the wireless LAN controller (WLC) was configured in ISE without a shared secret, it continued to send the accounting information to ISE.

Workaround Remove NAD from ISE or reconfigure shared secret.

CSCup82816 Certificate is not issued for MAC OS X with wired and wireless in Native Supplicant Provisioning (NSP).

CSCup96791 ISE 1.2 patch 9 breaks dashboard with Internet Explorer 9.

This fix addresses an issue with security enhancements to Internet Explorer 9 browser cache, which results in an empty ISE Dashboard.

Workaround

• Use an alternative browser.

• In Internet Explorer, navigate to Tools > Internet Options > Advanced. Scroll down and select the Do not save encrypted pages to disk option under Security and click Apply and OK.

• Under the General tab, select Delete browsing history on exit option and click Apply and OK.

CSCup97085 Data unavailable for authentication details.

This fix addresses an issue in the Operations > Authentications page. When the ISE admin user clicks the Details column for any event, an error stating “No Data Available for this record. Either the data is purged or authentication for this session record happened a week ago” was encountered.

CSCup97097 Export Results report for total endpoints is inaccurate.

This fix addresses an issue in the Home > Total Endpoints > Export Results page. The report failed to export all endpoints that were authenticated or profiled by ISE. Instead, the report displayed empty rows with the exception of the ENDPOINTPOLICY field.

CSCup97125 ISE GUI crashes with HTTPS certificates without Enhanced Key Usage (EKU).

This fix addresses an issue when HTTPS was enabled by operations such as binding, importing, or editing certificates. If the certificates did not support Enhanced Key Usage (EKU) of ClientAuth, an error was reported. An error was also encountered by the Policy Administration Node (PAP).

CSCuq05237 Change in the Network Access Users status failed to reflect in the Reports.

This fix addresses an issue in the Operations > Reports > Deployment Status > Change Configuration Audit page. When the status of a network access user was either enabled or disabled, in the Administration > Identity Management > Identities > Users page, it failed to reflect the change in the Change Configuration Audit page.

CSCuq07723 The Bring Your Own Device (BYOD) success page and Retry button do not display.

This fix addresses an issue with MAC OS X and Windows OS when it failed to display the BYOD success page for a successful authentication. Also, it failed to display the Retry button when a user’s authentication failed.

CSCuq19789 ISE fails to match Radius:service-type EQUALS authorize-only.

This fix addresses an issue in an Inline Posture Node (IPN/IPEP) deployment. VPN users were not permitted to pass traffic after a successful VPN connection. This was encountered when the authorization policy of an IPEP node included a RADIUS server attribute.

Workaround Use the same authorization policy for IPEP and the standard authorization profile.

CSCuq29015 MAC agent does not support MAC OS X Yosemite version 10.10.

This fix addresses an issue where the MAC Agent failed to support MAC OS X Yosemite version 10.10.

CSCuq59006 Unable to install MAC SPW 1.0.0.26 in Wired MAC OS X version 10.7/8/9.

This fix addresses an issue when the Network Setup Assistant failed to install MAC SPW 1.0.0.26 in Wired MAC OS X and displayed the Secure access configuration failed message.

CSCuq74929 ISE 1.2 External Groups does not validate input properly.

This fix addresses an issue in the Policy > Policy Elements > Conditions > Authorization > Compound Conditions page. An attribute that was selected from the Dictionaries list was truncated and appended with an ellipsis.

CSCuq75823 MAC Agent fails to validate server certificates in MAC 10.10.

This fix addresses an issue when a MAC endpoint device on the network was denied access and an SSL certificate error was displayed.

Workaround Created an intermediate MAC agent build 4.9.5.2 to bypass the ISE server certificate validation for MAC 10.10 users.

CSCuq81835 ISE base/advanced license counts remain at the default value zero.

This fix addresses an issue where the base and advanced licenses count did not match the number of active endpoints that were displayed in the dashboard and monitoring reports.

Workaround Contact the Cisco Technical Assistance Center (TAC).

CSCuq87920 MAC Agent provisioning is not supported in MAC 10.10.

This fix addresses an issue when the MAC Agent 4.9.5.2 did not get installed in MAC 10.10 using Safari.

CSCur00532 ISE evaluation for CVE-2014-6271 and CVE-2014-7169 (AKA ShellShock).

This fix addresses an issue in ISE nodes that are SSH enabled. If SSH is enabled, a remote user with ISE CLI credentials will be able to exploit the vulnerability and run generic Linux commands.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Workaround Disable SSH and reload ISE node as follows:

ise1/admin# configure terminal

ise1/admin(config)# no service sshd enable

ise1/admin(config)# end

ise1/admin# reload

Save the current ADE-OS running configuration? (yes/no) [yes] ? yes

Continue with reboot? [y/n] y

CSCur09439 ISE OS X 10.9.5 Simple Certificate Enrollment Protocol (SCEP) Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) flow fails.

This fix addresses an issue where SCEP EAP-TLS flow fails to install the profile or provision certificate.

CSCur17597 Users of some Identity Groups are not displayed.

This fix addresses an issue in the Operations > Authentications page. Users belonging to Identity Groups containing an underscore character were not displayed.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 11

Table 26 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 11.

Patch 11 will not work with older versions of SPW and users need to upgrade their SPW.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to your system.

Table 26 Cisco ISE Patch Version 1.2.0.899-Patch 11 Resolved Caveats

Caveat Description

CSCui08084 Guest user is not terminated on the switch when suspended via Edit Account.

This fix addresses an issue with the Guest Account created using the Sponsor Portal. When suspending the Guest Account, the Account was suspended but the wired session on the switch was not terminated.

CSCul16354 Supplicant Provisioning Wizard (SPW) cannot be set up for MAC and Windows without Java.

The fix addresses an issue where SPW did not install on MAC and Windows without the support of Java.

CSCul28451 RADIUS Accounting Report “Account Session Time” blank.

This fix addresses an issue in the Operations > Reports > Auth Services Status > Radius Accounting page. In the click here for Accounting detail report option for the Stop Account Status Type, the Account Session field did not display the difference between a session’s start and stop time.

CSCum41138 NAS IP Address showing MnT address in ISE live logs after CoA REST API.

This fix addresses an issue in the Operations > Authentications > Show Live Authentications page. The NAS IP Address field failed to display the IP address of the network device, when Change of Authorization (CoA) was triggered via the Rest API.

CSCun00427 ISE 1.2 match operator returns true when LHS is NULL and RHS is constant.

This fix addresses an issue that occurred when there was a MATCHES operator in a rule/policy: if the LeftHandSide of the rule/policy was returning NULL value and the RightHandSide was CONSTANT, the operator was getting evaluated as TRUE. The operator is now evaluated as FALSE.

CSCun74636 OSX Mavericks is profiled as Apple device based on incorrect User-Agent.

This fix addresses an issue where Cisco ISE failed to identify OSX Mavericks device based on the endpoint profiling policies.

CSCup79399 Cisco ISE-related reports return blank page while launching from PI.

This fix addresses an issue where all Cisco ISE reports opened from Cisco Prime Infrastructure resulted in a “Web page not available” error.

CSCup88315 Apple iOS 8 beta failing External Web Authentication (WebAuth) with ISE.

This fix addresses an issue where Apple devices running iOS 8 beta software failed to complete external web authentication.

CSCuq01548 ISE posture dropped during Change of Authorization (CoA) due to invalid HTTP User-Agent [Trident 7.0].

This fix addresses an issue where a third-party User-Agent does not allow the download of the NAC agent.

CSCuq02222 The Simple Network Management Protocol (SNMP) Query probe failed to discover endpoints using periodic polling.

This fix addresses an issue where the ARP table failed to discover the MAC addresses of endpoints that were connected to a Catalyst switch using the SNMP Query probe.

CSCuq26320 EAP-FAST authenticated provisioning with Android doesn't work.

This fix addresses an issue where EAP-FAST authentication for specific Android versions was not working.

Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10

Table 27 lists the open issues in Cisco ISE 1.2.0 Patch 10 that may be resolved in other releases.

Table 27 Cisco ISE Patch Version 1.2.0.899-Patch 10 Open Caveats

Caveat Description

CSCup99724 Log displaying active endpoints does not get updated with the latest authenticated user.

In the Operations > Authentications page, a user is authenticated and the username is updated in the Endpoints page. When a new user logs in from the same system, the new username is not updated in the Endpoints page.

CSCuq11506 Deletion of repositories containing special characters in their passwords fails.

In the System > Maintenance > Repository page, deleting a Repository Name that uses special characters, such as %, in the password encounters an error.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10

Table 28 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 10.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to your system.

Table 28 Cisco ISE Patch Version 1.2.0.899-Patch 10 Resolved Caveats

Caveat Description

CSCul21337 The Posture Troubleshooting tool was vulnerable to blind SQL injection.

This fix addresses an issue where a vulnerability in the web framework of Cisco ISE may allow an attacker to impact the integrity by executing arbitrary SQL queries.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.5/5.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:OF/RC:C

CVE ID CVE-2014-3275 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3275

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCul39011 The Mobile Device Management (MDM) client failed to reject queries when MDM server was not responding.

This fix addresses an issue where timeouts were caused when the MDM server was not reachable during authorization policy evaluation.

CSCul58758 Redirected to null page in the browser after Local Web Authentication (LWA) flow with WLC-5500 series.

This fix addresses an issue where a guest user enters the username and password in the Guest Login page, but is not redirected to the specified URL.

CSCul86970 GUI does not display the Allow only listed IP addresses option to connect.

This fix addresses an issue in the Admin Access settings page, where the following option was not displayed in the UI: Allow only listed IP addresses to connect.

CSCum37237 Insufficient permission error with bulk import of guest account.

This fix addresses an issue where an error message was encountered when sponsors imported and printed guest usernames, formed from the guests' email addresses.

CSCum57372 NAS identifier does not appear in the authentication details in the web UI.

This fix addresses an issue where the Network Access Server (NAS) Identifier information did not appear in the Authentication Details page.

CSCun28502 Sponsor, My Devices, and Guest portals do not have a defined character limit.

This fix addresses an issue in the Administration > Web Portal Management > Settings page. The Sponsor, My Devices, and Guest portals contain the Language Template option. The Language Template option contains a list of configurations. The text fields in each configuration allow any one of the following character counts: 128, 512, 256, or 4000. An error message was displayed for specific fields, such as AUP and Notifications, when the character limit was above 4000 characters.

CSCun74285 ISE safe mode did not bypass admin portal certificate authentication.

This fix addresses an issue where ISE safe mode did not bypass user certificate authentication and did not enable local admin credentials.

CSCun74460 Incorrect Daylight Saving Time (DST) time zone offset in ISE affects remote syslog targets.

This fix addresses an issue where the DST time zone offset was incorrect in the prrt log.

CSCun84251 Error after application ise reset-config on 1.2.0.899 Patch 6.

This fix addresses an issue where an error was found when the application reset-config ise command was run.

CSCun94304 ISE RSA server configuration may fail to replicate to PSNs.

This fix addresses an issue where the RSA configuration (sdconf.rec) did not load properly and data did not replicate from the PAP node to other nodes.

CSCus91469 All authentications on RSA server fail with the message “failed to init RSA agent lib”

This fix addresses an issue where RSA authentication failed and displayed an error message.

Workaround: Force RSA config replication, i.e. import sdconf.rec and reset shared secret securid on the RSA server.

Note: You must delete the RSA configuration before applying the patch for CSCun94304.

CSCuo13099 ISE Sponsor, email ID used as username with space in it, throws an error.

This fix addresses an issue where the guest user email IDs with spaces encountered an error when used in usernames.

CSCuo39442 ISE 1.2 does not validate remote log target names.

This fix addresses an issue where the Remote Logging Target names displayed in the Administration > System > Logging > Remote Logging Targets page reported the following error message: Name should not contain space(s) or any of the following characters: ! % ^ : ; , [ { | } ] \ ` " = ?. The above error message was displayed even though a hyphen or period was used.

CSCuo58919 Endpoint static group assignment toggles between true or false option every 55 seconds.

This fix addresses an issue where the Static Group Assignment check box in the Administration > Identity Management > Identities > Endpoints page toggled between true and false every 55 seconds.

CSCuo63448 Modifying the ISE parent profile disables child profile.

This fix addresses an issue where, after a parent profile was modified in the Profiling Policies page, endpoints failed to reach the correct profile policy.

Table 28 Cisco ISE Patch Version 1.2.0.899-Patch 10 Resolved Caveats

CSCuo75506 ISE authorization profile with Central WebAuth (CWA) and custom guest portal does not redirect to default settings.

This fix addresses an issue where, when a configured CWA authorization profile was edited again, the changes were displayed only in the UI and were not reflected in the attributes.

CSCuo88571 The IP release renew operation was not performed on Mac OS X devices.

This fix addresses an issue where a user logged into the guest portal was unable to renew the IP address after clicking Accept in the Acceptable Use Policy (AUP) page.

CSCup33018 Apple iOS 8 beta fails Native Supplicant Provisioning flow.

This fix addresses an issue where, with single or dual SSIDs, Apple devices running iOS 8 beta software failed to complete provisioning.

CSCup50216 ISE 1.2+ API update was overwritten by the profiler.

This fix addresses an issue where the ERS API failed to update existing endpoints in static groups.

CSCup51902 Exporting active endpoints does not work from the admin node.

This fix addresses an issue where exporting active endpoints from a Cisco ISE server Administration node did not work.

CSCup63424 Downloading software to effect release or renew of guest virtual LAN (VLAN) was not accomplished.

This fix addresses an issue where the IP address release or renew operation in the VLAN release or renew page was nonfunctional when the Java applet was not the latest version.

CSCup99806 Custom data access permissions were not working as expected.

This fix addresses an issue where Custom data access permission did not work according to the mapped RBAC policy in the Network Device page.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 9

Table 29 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 9.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to your system.

Table 29 Cisco ISE Patch Version 1.2.0.899-Patch 9 Resolved Caveats

Caveat Description

CSCty01787 Error in Generating XML Output for EndPointIPAddress API

This fix addresses an issue where an internal error was displayed in the XML when calling the EndPointByIPAddress API for a given IP address appearing in the AuthSessionList.

CSCui57100 EAP-TLS authentication fails with two sets of CRLs because CRL signature decrypt failed

When Certificate Authority certificates are about to expire, an old and new version of the certificate can coexist on ISE to make sure there is no downtime for users. Both versions have their dedicated CRLs.

This fix addresses an issue where ISE was not able to match the CRLs with the appropriate Certificate Authority certificate, which resulted in failed authentication with the message “CRL signature decrypt failure.”

CSCuj36104 ISE does not allow CRL when the name is the same on two Certificate Authorities

This fix addresses an issue where a handshake error occurred because there were two issuing Certificate Authorities with the exact same name and ISE did not allow CRL checking on both certificates.

CSCul25066 ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service

This fix addresses an issue where customers upgrading to ISE 1.2 who had the Wireless Upgrade license to add advanced license functionality to their deployment received the following alert: “Feed Service error : The Advance License installed on the ISE nodes have been expired.”

CSCul29344 ISE 1.2 HTML Custom Pages for Different Portals Not Working

This fix addresses an issue where the sample HTML for custom Guest Portal pages provided in the user guide did not work correctly.

CSCum29186 With Account Creation Time Zone Change Not Reflecting New Updated Allowed Time

This fix addresses an issue where changing the time zone during Guest account creation was not reflected in the newly updated allowed time to log in.

CSCum54099 ISE Does Not Send Sponsor-related syslog Message to External syslog Server

This fix addresses an issue where ISE did not send messages like 86008 or 86006 to the external syslog server. It only sent the 86028 messages.

CSCum69410 ISE 1.2 CWA with DRW Included Doesn't Register Endpoint

This fix addresses an issue where the endpoint DB didn’t indicate that an endpoint was registered after a CWA user entered their MAC address on the Guest Device Registration screen.

CSCum85930 ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect

This fix addresses an issue where custom CWA portal may not have loaded images or CSS as expected.

CSCum88817 ISE 1.2 Logs Filled with Unnecessary License Validity Info

This fix addresses an issue where ISE was logging license checks in INFO mode, which caused massive output in the log files.

CSCum96035 This fix addresses an issue where, when a user typed in a password that violated the password policy on the default custom portal password-change page, the page refreshed instead of displaying an error message.

CSCun15601 Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail

This fix addresses an issue where the message “This is an invalid text message template. Contact your system administrator for assistance.” was shown while sending a Guest account through Mail/SMS if the sponsor was CC’ed.

CSCun36594 ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV

This fix addresses an issue that occurred after importing endpoints from a CSV file where the “Endpoint Identity Group” was changed from the one specified in the file to Profiled.

CSCun41732 Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate is Present

This fix addresses an issue where Cisco ISE could not load the complete Trusted certificate list when a corrupted certificate was present in the list.

CSCun51094 Bulk Import of Guests by Sponsor Falls in Wrong Guest Role

This fix addresses an issue where imported guest users always got the role of default Guest during a bulk import from the Sponsor portal.

CSCun67719 Guest Portal: Error Message When Password Expired Confusing

The Cisco ISE Guest portal provides a generic error for events such as guest user account expired and gives no information on the cause of the issue.

CSCun68637 SNMP Query Fails to Complete during NMAP-triggered Probe

This fix addresses an issue where an SNMP query failed to execute when it was triggered by an NMAP probe.

CSCun93673 ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter

This fix addresses an issue where exporting endpoints results in an empty file if you search using lower case letters.

CSCun97606 ISE Roaming Authentication Failing

This fix addresses an issue that occurred when attributes about endpoints differed from one PSN to another when using multiple PSNs for profiling or authentication.

CSCuo32987 Endpoint Register Broken

This fix addresses an issue where attempts at ERS API endpoint register ended in an HTTP 500 Internal Server Error.

CSCuo34449 ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent

This fix addresses an issue where a client application that initiated HTTP using User-Agent was not recognized by ISE, and triggered ISE to clear that session and send a RADIUS CoA Terminate command to the NAD.

CSCuo56780 ISE RADIUS Service Denial of Service Vulnerability

This fix addresses an issue where the RADIUS service may become unresponsive when receiving accounting packets from two different Network Access Servers (NASs).

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C

CVE ID CVE-2014-3276 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3276

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCuo63892 CIAM: ISE-commons-fileupload-1-0

This fix addresses third-party software vulnerabilities.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 7.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-0050 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCuo73070, CSCuo76078 ISE 1.2 GUI Elements Missing Due to No Advanced License

This fix addresses an issue where the error “No valid system license exists” appeared for the sponsor portal and guest portal after the installation of a Cisco ISE 1.2 Patch.

Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 8

New Plus License

Cisco ISE, Release 1.2 Patch 8, includes the new Plus license. The Plus license provides the following services:

• Bring Your Own Device (BYOD)

• Profiling

• Endpoint Protection Service (EPS)

• TrustSec SGT

The Advanced license provides access to the same features, as well as additional services. The Plus license does not include Base services.

For more information, refer to the “Cisco ISE Licenses” chapter in the Cisco Identity Services Engine User Guide, Release 1.2.

New Customize ISE 1.2 Web Portals HowTo Guide

Learn how to customize Cisco ISE 1.2.x portals using this new HowTo guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-42-Customize_ISE12_Web_Portals.pdf

New Sample HTML Files for Custom ISE 1.2.x Web Portals

You can download the ISE12CustomPortalPackage-v#.zip file, which contains sample HTML files for customizing Cisco ISE 1.2 Web portals, at http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2

Updated Cisco ISE 1.2.x User Guide

The sample HTML code has been removed from Appendix D. Use the downloadable sample files and the new Customize Web Portals HowTo guide for information on creating custom Cisco ISE 1.2.x Web portals.

You can find the updated user guide at http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide.html

Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8

The following table lists the open issues in Cisco ISE 1.2.0 Patch 8 that may be resolved in other releases.

Table 30 Cisco ISE Patch Version 1.2.0.899-Patch 8 Open Caveats

Caveat Description

CSCun49379 If you enter an invalid MAC address on the default custom device registration page, the default login page is returned with an error message instead of the custom login page.

CSCuo20069 Device Registration done through a custom portal does not allow user to continue after adding MAC addresses because it is missing the Continue button.

Workaround: Use the default portal.

CSCuo27093 The default custom portal is not in sync with some of the functionality of the default portal, including:

3. The Decline button on the custom AUP page is disabled.

4. Sessions are expired in less than 2 minutes.

5. Input validation is not working on the Login, Password Change, Self-Registration, and Device Registration Pages.

6. If you idle for a while after creating a guest on the Self Registration page, you are taken to the default portal login page.

7. The default custom portal’s Self Registration page does not show the optional fields set in Cisco ISE. It also does not apply the mandatory fields set in Cisco ISE.

CSCup34046 Example custom AUP and Guest_Success pages are not in sync for DRW flow.

Workaround: Validation cases.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8

Table 31 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 8.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to your system.

Table 31 Cisco ISE Patch Version 1.2.0.899-Patch 8 Resolved Caveats

Caveat Description

CSCud89273 Passed Numbers Not Appearing on Authentications Dashlet

This fix addresses an issue where the passed numbers were not appearing on the Authentications Dashlet when there were a large number of passed authentications.

CSCuh79596 Freshly Installed Standalone ISE Server Not Logging MDM Events

This fix addresses an issue where MDM events were not being recorded by monitoring components in freshly installed ISE 1.2 standalone deployments.

CSCuj97669 DNS Resolution Failed for CNAME:"hostname" from the ISE node "hostname"

This fix addresses an issue where the DNS name resolution failure alarm had the wrong description or context.

CSCul10677 ISE 1.2 CWA Failure Reason 86017

This fix addresses an issue where a guest user was redirected back to guest login page after accepting the Acceptable Use Policy. The live log showed the failed attempt as 86017 error.

CSCul55934 ISE 1.2 Cannot Delete Guest Users Created Using Unavailable Timezone Setting

This fix addresses an issue where you could not delete guest user accounts that were created using the old timezone settings in 1.1.x after upgrading to 1.2.

CSCum10047 Invalid Account Date When Changing Account Duration

This fix addresses an issue where you couldn’t edit the Start/End duration for accounts on the sponsor portal.

CSCum13453 ISE SYSLOG Parsing Failure when Forwarding to Third-Party SYSLOG

This fix addresses a parsing error that occurred when trying to forward SYSLOG messages to a third-party SYSLOG server.

CSCum40721 Optional Data Field Not Matching in Authorization Rules

This fix addresses an issue where the client authentication for a guest user failed to match data in the “Optional Data Field” to the authorization rules.

CSCum62918 ISE 1.2 Sample guest portal HTML files should be improved

This fix addresses the issues with the sample Web portal examples using "static" examples instead of variables to populate the fields.

CSCum82815 Acceptable Use Policy Page Shouldn't Be Presented if ISE Knows Session is Expired on Login

This fix addresses an error where a user was presented with the Acceptable Use Policy page after their session had expired, only to be told that their session expired after accepting the AUP.

CSCum82829 Cisco-branded Expiration Page Presented on Custom Portal

This fix addresses an error where a user was redirected to the Cisco default guest portal expiration page after their session expired instead of a custom expiration page.

CSCun60443 No Dashboard or Live Logs for Long Time After Primary MnT Failure

This fix addresses an issue where no dashboard or live logs were available for a long time after the primary MnT failed in an ISE distributed deployment.

CSCun61928 Not All Authorization Profiles are Recognized by Runtime

This fix addresses an issue where an error message was displayed stating that ISE could not find selected Authorization Profiles because ISE was unable to load all of the selected profiles from the database.

CSCuo02708 ERS Port Should Not Request Client Certificate

This fix addresses an issue where ISE requested a client certificate when an HTTP request was sent to the ERS port (9060).

CSCuo04860 Raise Alarms for EAP Session and Context Limits

This fix adds an MnT alarm when ISE reaches EAP session and context limits.

CSCuo16503 ISE 1.2 Patch 7 AD Sponsor Created Guest Users Cannot Log In

This fix addresses an issue where guest users created with a Sponsor holding their credentials on Active Directory could not log in.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 7

Table 32 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 7.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 32 Cisco ISE Patch Version 1.2.0.899-Patch 7 Resolved Caveats

Caveat Description

CSCtx94533 The Endpoint DeviceRegistrationStatus Attribute Always Shows “Pending”

This fix addresses an issue where devices stayed in “Pending” status when client provisioning policy was not available and the endpoint already existed in the database.

CSCty87291 Admin Web Portal Requests ID certification When It’s Password authentication-only

This fix addresses an issue where web browsers prompted for an ID certificate when navigating to ISE admin web portals, although no certificate authentication was configured for admin users.

CSCuh41450 IP Columns Sort on Char on Network Devices Page

This fix addresses an issue where the IP columns on the Network Devices page sorted on char, not varchar, which led to incorrect sorting.

CSCui15038 ISE HTTP control interface for NAC Web Agent XSS Vulnerability

This fix addresses an issue where, due to insufficient input validation, a cross-site scripting (XSS) vulnerability was present in the naccontrol web application of Cisco Identity Services Engine (ISE).

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C

CVE ID CVE-2014-0680 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0680

Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui15064 Certain ISE Reports Vulnerable to XSS Injection

This fix addresses an issue where certain report pages within the Cisco Identity Services Engine (ISE) administration interface were subject to a cross-site scripting (XSS) vulnerability.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C

CVE ID CVE-2014-0681 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0681

Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui21839 “Export Endpoints” Creates Empty File When Quick Filter is On

This fix addresses an issue where the Export Endpoints function created empty files when the quick or advanced filter was on and used a non-alphanumeric character (i.e. :,.).

CSCui78135 On Alpha Alarms Still Show Up When We Select All and Acknowledge

This fix addresses an issue where Alpha Alarms still showed up even though the user selected all the alarms and acknowledged them.

CSCui82998 Custom Guest Portal Loops after AUP Due to Loss of Session ID

This fix addresses an issue where, due to the custom guest portal, a user received a 404 message or was looped back to the portal’s login page after accepting the AUP.

CSCui96322 Default Guest Portal Email Address Limited to 24 Characters

This fix addresses an issue where the default guest portal limited email addresses to 24 characters.

CSCuj07535 IP Address Change is Not Recorded in Endpoint Profile on ISE 1.2

This fix addresses an issue where a change in the IP address was not recorded in an endpoint profile.

CSCuj11040, CSCum97337 ISE Should Not Degrade a Profile Based on Problematic User-Agent

This fix addresses an issue where iPads were not profiled as iPads, but as Apple-device only, due to an application sending an HTTP packet with a user-agent field of “MobileAsset/1.0,” which downgraded the profile in ISE to “Apple-device.”

CSCuj25038 ERS Service Disabled After Reboot

This fix addresses an issue where the ERS API was disabled after reboot, even though it was enabled before the reboot and the configuration was saved using “write mem.”

CSCuj36310 “@” Character Not Accepted in Wireless SSIDs Fields

This fix addresses an issue where ISE did not allow the use of the @ character in wireless SSID fields.

CSCuj66093 86017 Error page sessionExpired.jsp images links are invalid

This fix addresses an issue where the sessionExpired.jsp page (the page that is displayed after error 86017, where a guest user tried to authenticate using an expired sessionID) image links were broken.

CSCul03597 LDAP User Authorization Doesn't Work with EAP-FAST Chaining

This fix addresses an issue where LDAP user authorization didn’t work with EAP-FAST chaining.

CSCul35820 ISE Guest Registration Breaks with Apple IOS7 User Name as Email Address

This fix addresses an issue where the ISE Guest registration process had issues with Apple iOS 7 using an email address for the username instead of the first and last name.

CSCul66272 Terminate Change of Authorization during Posture for Unknown User-agent DynGate

This fix addresses an issue where the NAC Agent got stuck in a posture loop due to the TeamViewer application by DynGate.

CSCul77793 Scheduled Reports Not Exported When Using Illegal Character as a Report Name

This fix addresses an issue where you couldn’t export a scheduled report if an illegal character (i.e., ~%<>) was used as the report name.

CSCul84544 Retrieval of Active Directory Groups or Attributes from GUI is Failing

This fix addresses an issue where the user was unable to fetch Groups and/or attributes from Active Directory on the ISE GUI.

CSCul87300 Special Character in LDAP password is not read correctly by ISE

This fix addresses an issue where LDAP authentication and/or group fetch failed when the admin/service account password had special characters, especially double quotation marks.

CSCum26362 Authentications Details are Missing All the Required Data

This fix addresses an issue where the Authentication details page was missing data, such as Authentication Protocol, Authentication method, Network device and service type data.

CSCum60627 Client EAP Sessions Never Get Cleared

This fix addresses an issue where an EAP session would leak when ISE retransmitted the last RADIUS message in response to duplicate packet from NAS, and then the client (NAS or supplicant) dropped the conversation.

CSCum77223 Increase Maximum Login Failures for Guest

This patch allows you to increase the number of maximum login failures for guest users. You can select the maximum number of login failures from a range between 1 and 999. Guest users are also redirected to the Custom Portal login page after exceeding maximum login failures if the Custom portal is in use.

CSCum86347 ISE Guest Start and Expiration Dates Don't Reflect Sponsor Portal Time Zone

This fix addresses an issue where the guest start and expiration dates did not reflect the time zone configured in the sponsor portal settings.

CSCum93050 Patch info not shown in CLI and GUI after installing from CLI

This fix addresses an issue where the patch information was not shown in the Cisco ISE CLI and GUI after installing the Cisco ISE, Release 1.2 patch from the CLI.

CSCum92155 ISE REST API (ERS) - PUT Update Request Removes identityGroups Value

This fix addresses an issue where the identityGroups value was removed when you updated any value using a PUT method via the ISE REST API (ERS).

CSCun00215 ISE RSA Agent Exhausted Under Heavy Load

This fix addresses an issue where the RSA agent became unresponsive due to a very large number of simultaneous PAP requests.

CSCun08410 Guest Account’s Start and End Time Validated Against System Time Zone

This fix addresses an issue where an error message is displayed if the start and end time for a guest user’s account uses a time zone that’s earlier than the system’s time zone.

CSCun11240 Guest Sponsor Mapping Report Incorrectly Changes Sponsor

This fix addresses an issue where a Guest Sponsor Mapping Report showed the Sponsor as GuestAction instead of the sponsor who created the account.

CSCun25178 Fetching Group Information Takes a Long Time Because of SIDHistory

This fix addresses an issue where Cisco ISE failed to resolve SIDHistory to group names if the SIDHistory belonged to a trusted domain/forest.

The large number of SIDHistory values in the user's token used to cause a long delay (2-5 minutes) during user authentication.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 6

Table 33 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 6.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 33 Cisco ISE Patch Version 1.2.0.899-Patch 6 Resolved Caveats

Caveat Description

CSCud38634 Guest sponsor details shows wrong sponsor name

This fix addresses an issue where the username shown as the Sponsor was the username of the Guest when viewing Guest Sponsor Details from a report.

CSCud70219 Log.xml files are not cleaned out regularly

This fix addresses an issue where the /opt/oracle/base/diag/rdbms/cpm10/cpm10/alert folder filled up with log XML files and caused the hard drive to fill up.

CSCuf76821 .trc and .trm files are not cleaned out regularly

This fix addresses an issue where the /opt/oracle/base/diag/rdbms/cpm10/cpm10/trace folder filled up with *.trc and *.trm files and caused the hard drive to fill up.

CSCug96069 Replication status update fails for all nodes if the network is restored on PAP

This fix addresses an issue in large scale deployments where the status of one or more PSN nodes was shown as 'Replication Stopped' and the data was not published or replicated to other PSN nodes from the PAN node.

CSCui40950 Guest login takes long time and times out

This fix addresses an issue where a guest login could take a long time and then timed out after 5 minutes.

CSCui57882 Some expired guest accounts cannot be deleted from PDP

This fix addresses an issue where some expired guest accounts could not be deleted from the sponsor portal.

CSCui57933 Purge expired guest accounts does not work

This fix addresses an issue where some accounts were in a state where they could not be deleted due to incorrect attributes.

CSCui57961 When editing an expired guest account that cannot be deleted, logs out

This fix addresses an issue where the UI logged you out with error “You do not have sufficient permission to access this page” when editing an expired guest account that cannot be deleted.

CSCui72658 Guest Portal cookies not set as Secure or HTTP Only

This fix addresses an issue where the JSESSIONID cookie used in the Guest Portal was not set as Secure or as HTTP Only.

CSCuj01781 ISE uses SAN of user certificate for machine lookup in Active Directory

This fix addresses an issue where machine lookup in Active Directory failed during EAP-chaining authentication if both machine and user were authenticated with EAP-TLS and principal Username X509 Attribute is configured to SAN.

CSCuj13804 IE8 gives error on ISE1.2 when accessing the provisioning portal

This fix addresses an issue where Internet Explorer 8 on Windows XP displayed an error when you tried to open the client provisioning portal.

CSCuj26086, CSCuj80131 ISE Client Provisioning - NSP does not launch on Safari 7 (Mac OS X 10.9)

Java Applet fails to install SPW/Agent from Client Provisioning page on Safari browser version 7 available with Mac OSX 10.9.

Patch 6 addresses this issue by displaying a message on the login page with instructions on how to configure Safari to allow the Java applet to install.

Before clicking Click to Install Agent, go to: Safari->Preferences->Security->Manage Website Settings->Java->Click on your ISE URL->Run in unsafe mode.

CSCuj34004 User name change detected for the session removes all session attributes

When machine authentication is followed by user authentication, a username change on the session removes all attributes for the session from the cache, including the attributes in the whitelist category (attrsToKeep). This can result in an authorization (authz) evaluation failure in which the first user authentication falls into the wrong authorization profile.

This fix addresses this issue by re-initializing the default attributes with their default values.

CSCuj38204 ISE does not allow access for guest with no webagent if posture is configured

This fix addresses an issue where Cisco ISE did not allow access for a guest with no NAC web agent if posture was configured.

CSCuj47806 ISE redirects to default guest pages when it’s configured to redirect to custom pages

This fix addresses an issue where the browser rendered the initial login page instead of the custom error.html page when the user entered the wrong username/password.

CSCuj49903 Downloading / viewing large log files from PDP causes out of memory error

This fix addresses an issue where downloading or viewing large log files from PDP caused an out-of-memory error.

CSCuj84427 ISE 1.2 Admin password alerts not functioning properly

This fix addresses an issue where admin password alerts were being sent earlier than the Password Policy setting specified.

CSCul02821 MDM attributes doesn't update to Endpoint objective

This fix addresses an issue in Cisco ISE where MDM attributes were not updated to the endpoint objective in the ISE GUI.

CSCul48352 Right-Click - Copy to MAC and Username in Live Log

This fix addresses an issue where items in the Live Log grid were not selectable by default. Therefore, the user could not select and copy out live log grid cell content.

The MAC address and Username columns in the Live Log grid can now be selected and copied using a right-click.

CSCul50495 Device Registration failed with Cisco Catalyst 3850 Switch

This fix addresses an issue where the Device Registration page displayed an error message when working with the Cisco Catalyst 3850 Switch.

CSCul50720 Samsung Galaxy S4 cannot be on-boarded in dual SSID flow

This fix addresses an issue where Android devices, including the Samsung Galaxy S4, that did not contain “Linux” in their user-agent string were not on-boarded in dual SSID flow.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 5

Table 34 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 5.

CSCul58895 ISE 1.2 Patch 3 StartEnd time profiles do not work for guest import

This fix addresses an issue where importing guests from a csv file with the Import Accounts option on the Sponsor Portal failed on ISE 1.2 patch 3 due to an invalid format for the date.

CSCul62175 ISE BYOD enhancement troubleshooting for SCEP

Cisco ISE 1.2 Patch 6 adds logging for Certificate provisioning. This includes interaction messages with the SCEP server.

CSCul65045 Cannot create/edit network device if advanced license expired

This fix addresses an issue where ISE refused to accept new changes to existing network devices or add new ones if the advanced evaluation license expired, even if you did not use any of the advanced feature set.

CSCul66218 Posture delays due to HTTP thread exhaustion

This fix addresses an issue where the NAC Agent took a few minutes to load into the system tray after logging into Windows and then took up to 10 minutes to pop up and complete posture assessment.

CSCul71176 Endpoints manually assigned to identity groups might change groups randomly

This fix addresses an issue where endpoints that were manually assigned to an identity group would sometimes randomly show up belonging to another identity group if profiling is enabled.

CSCul71532 XML external entity injection found under ERS

This fix addresses an issue where ERS was vulnerable to XML injection attacks using the DOCTYPE and ENTITY meta data tags in the XML sent in an ERS request.
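One way a service that accepts XML request bodies can refuse the DOCTYPE and ENTITY constructs named in CSCul71532, shown as an added Python example (not Cisco's fix and not ISE code). The request bodies are constructed and simplified rather than the real ERS schema, and all function names are illustrative.

```python
"""Refuse DTDs before parsing XML request bodies (constructed illustration)."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXml(ValueError):
    """Raised when a request body must be refused before it is processed."""


def reject_dtd(data: bytes) -> None:
    """Scan the document with expat and refuse it at the first DOCTYPE.

    ENTITY declarations can only appear inside a DOCTYPE, so refusing the
    DOCTYPE refuses sender-defined entities as well. The handler fires when
    the DOCTYPE starts, before any entity in it is declared or expanded.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise ForbiddenXml(f"DOCTYPE declaration for {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise ForbiddenXml(f"malformed XML: {exc}") from exc


def parse_request(data: bytes) -> ET.Element:
    """Hardened entry point: validate first, build the tree second."""
    reject_dtd(data)
    return ET.fromstring(data)


def parse_request_unhardened(data: bytes) -> ET.Element:
    """'Before' behaviour: the parser honours whatever the sender declares."""
    return ET.fromstring(data)


# Constructed request bodies; element names are simplified placeholders.
PLAIN_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<internaluser name="jdoe">
  <identityGroups>Employee</identityGroups>
</internaluser>"""

# Same request, but the sender declares an entity and references it.
DTD_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE internaluser [ <!ENTITY grp "Employee"> ]>
<internaluser name="jdoe">
  <identityGroups>&grp;</identityGroups>
</internaluser>"""


def group_of(root: ET.Element) -> str:
    """Read the group element from a parsed request."""
    return root.findtext("identityGroups", default="")


def demo() -> dict:
    """Run both entry points over the constructed requests."""
    results = {
        "plain": group_of(parse_request(PLAIN_REQUEST)),
        # The unhardened parser silently expands the sender's entity.
        "unhardened_dtd": group_of(parse_request_unhardened(DTD_REQUEST)),
    }
    try:
        parse_request(DTD_REQUEST)
        results["hardened_dtd"] = "accepted"
    except ForbiddenXml:
        results["hardened_dtd"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```
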

CSCul77732 Warning message while creating Guest user with hyphen in Self Registration

This fix addresses an issue where the Self Registration page displayed an error message if the guest’s first name or last name included a hyphen.

CSCul82658 “Strip prefixes listed below” for Active Directory in GUI is a typo

This fix addresses an issue where the Advanced Settings page for Active Directory in the GUI has a typo that says “Strip prefixes listed below” when it should be “suffixes” instead of “prefixes.” This has been corrected.

CSCum01290 MDM Integration Not Working With ISE 1.2 Patch 3 and Patch 4

This fix addresses an issue where MDM enrollment failed while running ISE 1.2 patch 3 or patch 4. Upon redirect to the ISE MDM portal, clients were immediately presented with an error related to "The MDM system is not reachable at this time" even when the MDM server was reachable. MDM logging to ise-psc.log was missing key server response and connection failed syslog info when running the patch.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to your system.

Note: Please be aware that applying patch 5 to Cisco ISE 1.2 will reboot the nodes on which it is installed. Please make sure you carry out this activity in a maintenance window with downtime. Cisco ISE 1.2 will also reboot if you revert from patch 5 to an earlier version.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 34 Cisco ISE Patch Version 1.2.0.899-Patch 5 Resolved Caveats

Caveat Description

CSCub18575 Problem with sponsor accounts starting with a "0"

This patch fixes an issue where you could not log into the Sponsor Portal with an account that started with the number 0.

CSCuf24898 ISE repository max password length 16 characters

This fix addresses an issue where FTP / SFTP repository access failed when the user password was longer than 16 characters.

CSCug20065 Unable to enforce RBAC as desired to a custom administrator

This fix addresses an issue where a user who only has permissions to a custom endpoint identity group was unable to add, modify, or delete identities unless all of the identities were visible to that user.

CSCuh25506 Cisco ISE CSRF Vulnerability

This fix addresses an issue where CSRF protection did not work for some of the web pages and an attacker could exploit this issue to perform a CSRF attack against the users of the web interface.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C

CVE ID CVE-2013-3420 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3420

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui30266 ISE MDM Portal Cross-Site Scripting Vulnerability

This fix addresses an issue where the Mobile Device Management (MDM) portal of Cisco Identity Services Engine (ISE) was vulnerable to a cross-site scripting (XSS) attack.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C

CVE ID CVE-2013-5504 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5504

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui46739 Guest applet fails after update to Java 7 update 25

This patch addresses an issue where both Guest Authentication and Supplicant Provisioning failed due to Java 7 update 25’s CRL check feature.

To disable the CRL check feature:

1. Allow the CRL check through the Redirect ACL, Port ACL and any Firewall in place.

2. Clear the checkbox for the CRL check in the Java Control Panel:

• OS X: System Preferences > Java Advanced > Perform certificate revocation using: Change to 'Do not check (not recommended)'

• Windows: Control Panel > Java Advanced > Perform certificate revocation using: Change to 'Do not check (not recommended)'

CSCui67495 Uploaded Filenames/Content Not Properly Sanitized

This fix addresses an issue where filenames and content uploaded to Cisco Identity Services Engine (ISE) were not filtered/sanitized effectively. This could have resulted in a file of incorrect type being uploaded to ISE or the filename leading to a potential cross-site scripting (XSS) issue.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:P/A:N/E:H/RL:U/RC:C

CVE ID CVE-2013-5541 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5541

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui67511 Certain File Types are not Filtered and are Executable

This fix addresses an issue where, due to insufficient filtering and access control, potentially malicious file types could have been uploaded to, and executed within, the Cisco Identity Services Engine (ISE) web interface.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:U/RC:C

CVE ID CVE-2013-5539 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5539

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui72269 ISE unable to understand SNMP attribute coming from Switch

This fix addresses an issue where Cisco ISE was unable to handle a bad attribute in an SNMP query coming from a switch, which caused high CPU cycles on the PAP node.

CSCuj48111 Hyphen and minus sign can't be entered as first or last name

This fix addresses an issue where a guest sponsor was unable to enter a hyphen or minus as part of a first or last name while entering a guest’s account information.

CSCuj61976 Admin UI fails to display certain UI pages when using Firefox 25

This fix addresses an issue where ISE admin UI pages with a tree view were not displayed correctly in Firefox 25.

CSCuj84194 ISE sometimes does not send DACL in authorization profile

This fix addresses an issue where ISE sometimes did not send DACL in an authorization profile.

CSCuj98726 iOS devices bypass account suspension/lock by starting new EAP session

This fix addresses an issue where an iOS device could bypass account suspension/lock even when it was enabled, because the failure was reported as '5440 Endpoint abandoned EAP session and started new' instead of as a wrong password.

CSCul02860 Struts Action Mapper Vulnerability

Previous versions of Cisco ISE included a version of Apache Struts that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2013-4310

Cisco has analyzed these vulnerabilities and concluded that the product is not impacted; however, the affected component has been updated as a hardening measure.

PSIRT Evaluation

The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact [email protected] for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCul03127 Struts 2 Dynamic Method Invocation Vulnerability

Previous versions of Cisco ISE included a version of Apache Struts2 that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2013-4316

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C

CVE ID CVE-2013-4316 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCul03621 Endpoint Profiling Information is not being replicated correctly

This fix addresses an issue where Endpoint Profiling Information was not replicated on the PSN that was not doing the profiling.

CSCul06431 Active Directory attribute value in ATZ profile is not sent

This fix addresses an issue where an Active Directory attribute was not sent to the client as part of an ATZ profile.

CSCul13757 Audit records MUST log to External Syslog Servers: CLI log level

This fix addresses an issue where any configured External Syslog servers failed to receive audit records after using the command line interface (CLI) commands to change the log level to any of the following levels: 2, 3, 4, 5, 6 or 7.

CSCul13805 Audit records MUST log to External Syslog Servers: HTTPS idle timeout

This fix addresses an issue where External Syslog Servers failed to receive an audit record when an HTTPS Admin GUI idle session timeout occurred, and auditable events could only be seen locally by setting the Debug Log Configuration for admin-infra and infrastructure to DEBUG level.

CSCul13812 Audit records MUST log to External Syslog servers: SSH publickey

This fix addresses an issue where SSH server authentication using the publickey authentication method failed to record an audit log and failed connecting to External Syslog Servers.

CSCul13883 Audit records MUST log to External Syslog servers: SSH KEX Group14

This fix addresses an issue where configured External Secure Syslog servers failed to receive audit events for the administration configuration of SSH server enforcement requiring the diffie-hellman-group14-sha1 key exchange algorithm in order to successfully connect.

CSCul13905 Audit records MUST log to External Syslog Servers: CLI clock set

This fix addresses an issue where no audit logs were recorded for changing the system clock via the CLI.

CSCul13946 Audit records MUST log to External Syslog servers: Purge M&T Data

This fix addresses an issue where no audit logs were recorded after purging M&T operational data using the CLI command.

CSCul15967 ISE 1.2 Patch 3 Windows 8.1 CPP OS Detection Failure in Distributed Setup

This fix addresses an issue in the ISE 1.2 patch 3 where Windows 8.1 clients received an error on secondary PSNs after a CPP redirect.

CSCul16300 Audit records MUST log to External Syslog servers: CLI idle timeout

This fix addresses an issue where External Syslog Servers fail to receive the audit syslog event when command line interface (CLI) connections are closed due to idle session timeout.

CSCul18169 Blocking ISE admin UI access for Chrome browser

This fix addresses some issues that blocked Chrome browsers from using the ISE admin UI.

CSCul18521 Audit records MUST log to External Syslog servers: VGA CLI AUTHC

This fix addresses an issue where External Syslog Servers fail to receive audit syslog events for administrative CLI logins on a VGA console.

CSCul18555 Audit records MUST log to External Syslog servers: SSH conn fail

This fix addresses an issue where External Syslog Servers fail to receive audit syslog events for common SSH connection failures.

CSCul23070, CSCul23252 Audit records MUST log to External Syslog Servers: SSH exit forceout

This fix addresses an issue where External Syslog Servers fail to receive audit syslog events for CLI exit and forceout commands.

CSCul42646 Failed to create Posture Condition with "NOT ENDS WITH" Operator

This fix addresses an issue where creating a Posture condition with a NOT ENDS WITH operator resulted in an error.

CSCul46893 URL preservation not working with self service guest user in MAB flow

This fix addresses an issue where, after connecting to a wired MAB and creating a guest account, the user’s browser did not redirect to the URL that they originally attempted to access.

CSCul58758 Redirecting to 'null' page in the browser after LWA flow with WLC-5500

This fix addresses an issue where connecting to the Guest Wireless LWA flow using a Windows client machine resulted in a guest account getting redirected to a "null" page in the browser window instead of the original URL.

Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 4

Automatic Update of Compliance Module on Mac OS X Clients

Starting from Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 4, the Cisco NAC Agent supports automatic update of the Compliance Module on Mac OS X clients. Ensure that you have installed the Mac OS X Agent version 4.9.4.1 or later so that the Compliance Module gets updated automatically. Refer to Cisco ISE Installation Files, Updates, and Client Resources, page 25 for more information on automatic updates. See Also CSCui83009, page 121.

Domain Stripping for Active Directory

Starting from Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 4, you can strip prefixes or suffixes from user names when Active Directory is used as External Identity Source. You can configure the prefixes or suffixes to be stripped from the user names by navigating to Administration > Identity Management > External Identity Sources > Active Directory > Advanced Settings. Refer to the “Configuring Active Directory as an External Identity Source” section in the Cisco Identity Services Engine User Guide, Release 1.2 for more information. See Also CSCuj95908, page 122.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 4

Table 35 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 4.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 35 Cisco ISE Patch Version 1.2.0.899-Patch 4 Resolved Caveats

Caveat Description

CSCug90502 ISE Blind SQL Injection Vulnerability

This fix addresses an issue where the Cisco Identity Services Engine (ISE) was vulnerable to blind SQL injection. This could allow a remote, authenticated user to modify information in the database.

PSIRT Evaluation

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6/5.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:U/RC:C

CVE ID CVE-2013-5525 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5525

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCuh84099 ISE should verify non-printable characters in x.509 certificates

This fix addresses an issue where ISE was unable to add any endpoints and threw exceptions due to the import of x.509 certificates with non-printable characters.

CSCui22884 ISE presents wrong HTTPS certificate

This fix addresses an issue where ISE presented an old HTTPS certificate when a user accessed the admin or sponsor GUI even though it had been configured to use a new imported certificate for HTTPS.

CSCui83009 Unable to push compliance module to NAC agent on Macs

Fixed an issue where ISE did not push the latest compliance modules to the NAC agent for Macs on the fly like it does with the Windows version.

CSCui94488 MyDevice Portal allows endpoints with static endpoint ID group other than RegisteredDevices

This fix addresses an issue where the ISE MyDevice Portal allowed employees to register existing endpoints with a static group assignment other than RegisteredDevices, unless the endpoints were already associated with another PortalUser.

CSCuj03131 Lower "Request Rejection Interval" minimum to 5 minutes

The minimum length of time for the “Request Rejection Interval” for RADIUS has been lowered to 5 minutes.

CSCuj28968 Guest Activity Report is not working

This fix addresses an issue where the Guest Activity report was blank.

CSCuj39926 Kaspersky remediation does not appear anymore in the AV remediation

This fix addresses an issue where Kaspersky remediation did not appear for AV remediation (Posture Results).

CSCuj62435 ISE 1.2 TrendMicro not listed for AV Remediation

This fix addresses an issue where Trend Micro was not seen in the AV vendor list when creating an AV Remediation.

CSCuj63046 Text fields impose 24 character limit during guest self-registration

This fix addresses an issue where guest users could not enter information into the boxes on the Self Registration page in excess of 24 characters.

CSCuj72022 Cannot use “Ends With” operator in a Posture condition on ISE

This fix addresses an error that occurred when the user attempted to create a Posture rule using the ENDS WITH logical operator.

CSCuj90823 Guest Portal: IP Refresh Failing in IE 11

This fix addresses an issue where IP Refresh was not working properly in the Guest Portal due to ActiveX in Internet Explorer 11 for Windows 8.

CSCuj91050 Creating Guest users shows incorrect timezone 'GMT+2 ECT'

This fix addresses an issue where a guest user would fail to log in with the following error due to an incorrect time zone being assigned to the account: “An internal error occurred. Contact your system administrator for assistance. Contact your system administrator.”

CSCuj95908 ISE does not do domain stripping for Active Directory external store

This fix addresses an issue where ISE did not allow the modification of the domain name before authentication when the external identity store used is Active Directory.

CSCul62723 Mobile Guest Portal: Success page redirects to http://10.86.149.92

This fix addresses an issue where the success page on the Mobile Guest Portal redirected the guest to http://10.86.149.92.

CSCuh94133 NAC agent with ISE slowly leaking memory after posture

This fix addresses the issue where there was a memory leakage in the client machine when NAC Agent was connected to Cisco ISE after posture.

Support for Windows 8.1 and Mac OS X 10.9 in Cisco ISE Version 1.2.0.899—Cumulative Patch 3

ISE 1.2 Patch 3 supports clients using the Windows 8.1 and Mac OS X 10.9 operating systems.

Please see Open Caveats, page 132 for a workaround for client provisioning using Safari 7 in Mac OS X 10.9.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 3

Table 36 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 3.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 36 Cisco ISE Patch Version 1.2.0.899-Patch 3 Resolved Caveats

Caveat Description

CSCue14864 Endpoint statically assigned to ID group may appear in different group

This fix addresses an issue where endpoints that are statically assigned to an Endpoint ID group unexpectedly appear in another group. The issue was that, where authorization profiles are based on ID group, these endpoints may wind up getting assigned the wrong authorization result.

This issue had been observed where the administrator creates endpoint identity groups and manually adds endpoints to the Cisco ISE database, making them static.

CSCuf47491 Timestamp of core files not preserved in support bundle

This fix addresses an issue where core-dump timestamps were not always from when the core dump was created.

CSCug59579 Windows 8 and 8.1 not included in Client Provisioning

This fix addresses an issue where Windows 8 is not included in the OS options for Client Provisioning Policies.

CSCuh14228 Internal administrator summary report export not working

This fix addresses an issue where the export feature for the Internal administrator summary report was not working.

CSCuh20322 Need ISE application server restart reason and timestamp

This fix reformats the timestamp for the show application status ise command so that the user can determine the uptime of the application.

CSCuh23536 RADIUS drop should have last event timestamp

This fix adds a new timestamp column for the RADIUS drops, misconfigured supplicants, and misconfigured network devices log counters.

CSCuh30587 Backup fails due to ISE restart

This fix addresses an issue where the ISE application server restarts in the middle of a backup because of a local certificate change, which causes the backup to fail. Now, ISE prevents you from restarting the application server if a backup or restore is in progress.

CSCuh36333 Successful DACL download authentication is counted under authentication dashlet

This fix addresses an issue where the authentication dashlet incorrectly included DACL download authentications.

CSCuh45239 Node Status Patch page does not refresh automatically

This fix addresses an issue where the Node Status page would not automatically refresh when installing a patch. This fix adds a Refresh button to the page.

CSCui21439 Message code texts are blank or incorrect

This fix addresses an issue where the texts for message codes 86009, 86010, 86017, and 86019 were blank and the text for message code 5411 was incorrect. This fix also addresses an issue where the failure reason text for the RADIUS Authentications report did not display properly.

CSCui30275 Fixed an issue where a component of the administration page of the Cisco Identity Services Engine (ISE) was vulnerable to a cross-site scripting (XSS) attack.

For additional information on cross-site scripting attacks and the methods used to exploit these vulnerabilities, please refer to the Cisco Applied Mitigation Bulletin “Understanding Cross-Site Scripting (XSS) Threat Vectors”, which is available at the following link:

http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20060922-understanding-xss

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C

CVE ID has been assigned to document this issue.

Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5505

Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

CSCui35514 'show tech' script in support bundle needs fixing

This fix addresses errors in the output of the “show tech” script in the support bundle. These errors included:

• incorrectly displaying "grep: writing output: Broken pipe" errors

• the order not being the same as the 'show tech' output on the ADE OS CLI

• the certificate output having a bad new line character (^M), rendering the PEM output unusable unless manually modified

CSCui36643 ISE Editing schedule report complains of existing report name in use

This fix addresses an issue where editing a scheduled report returned the error "This schedule name has been used. Please specify a different one.”

CSCui71484 ISE SEC PAP has write access via ERS API

This fix addresses an issue where a provisioning request (add/delete/modify) could be done on SEC PAP via ERS API, although it should have only allowed using a GET method.

CSCui77336 Customized URL ISE self registration not working

This fix addresses an issue where ISE Customized web portal self-registration was not working for guest users when using a custom portal with the guestUser.timezone input tag specified in the self-registration html page.

CSCui89741 ISE ERS API creates endpoint with invalid format MAC address

This fix addresses an issue where an invalid MAC address format could be added to ISE database by the External RESTful Services API using the CURL command.

CSCui96960 MNT Livelog/Dashboard performance

This fix addresses an issue where the Livelog and Dashboard performance in ISE 1.2 suffered when the underlying query ran for a specific MAC address and when there was a large volume of data in the newly-created partition without stats.

CSCuj03071 EndPoint update not being saved to PAP due to high latency

This fix addresses an issue where systems with high latency might skip endpoint updates when endpoints are created on PSNs over the WAN from the PAP. For example, Cisco-IP-Phone may appear as Cisco-Device even if the information was collected and endpoint was profiled as Cisco-IP-Phone.

This occurred when there was very high latency (low bandwidth) between the PSN and the PAP, with around 0.5 seconds needed to create an endpoint.

CSCuj03697 Allow Tunnel* attributes in policies

This fix addresses an issue where tunnel attributes in the Radius IETF dictionary could not be seen in the pull down when configuring a condition.

CSCuj05295 ISE Application server crashed and stuck in initialized state with “null” in collection filter

This fix addresses an issue where ISE crashes and the Application server gets stuck in an initialized state if a Collection Filter is created with value “null.”

CSCuj09430 Guest account is not working according to its Time Zone

This fix addresses an issue where a guest account worked only on the time zone of the server, not the user, which affected when a guest could log into the guest portal and when the guest account expired.

CSCuj14382 Cannot statically assign IP address as FramedAddress

This fix addresses an issue where assigning a string IP value to an IPV4 attribute resulted in a validation error.

CSCuj15372 Authentications fail with MDM authentication rules enabled

This fix addresses an issue where, with MDM authentication rules enabled, all RADIUS authentications fail after several successful runs with the following error message: 5436 RADIUS packet already in the process.

CSCuj16049 HA Licensing

This fix addresses an issue where in the deployment process, once the secondary is promoted as primary, the HA licensing file could not be installed on the promoted secondary.

CSCuj19882 Unable to edit the existing Guest accounts after restoring old backup

This fix addresses an issue where you could not edit a guest account from the sponsor portal if the account was created before ISE 1.2 patch 2 was applied.

CSCuj28447 Endpoint statically assigned to ID group may appear in different group

This fix addresses an issue where an endpoint statically assigned to an Endpoint ID group may have been seen in another group for no apparent reason. Authorization profiles based on ID group led to the endpoint being assigned the wrong authorization result.

CSCuj45431 ISE Support for Mac OS X 10.9 NAC Agent

ISE 1.2 patch 3 supports a NAC Agent for Mac OS X 10.9.

CSCuj45766 Add/Remove MDM server never got replicated to PSNs in distributed deployment

This fix addresses an issue where ISE would still use a previously configured MDM server when another MDM server is created as an active MDM or updated as an Active MDM.

CSCuj51094 Captured TCPDump file is not working

This fix addresses the issue where you are unable to open the captured TCPDump.pcap file in a program like Wireshark.

CSCuj54630 ISE 1.2 patch 2 is rejecting https cookies from the Mobile Iron Server

This fix addresses an issue between ISE 1.2 (899) patch 2 and Mobile Iron Stand Alone (VSP 5.7.1 Build 74). When ISE used the API to check on the status of an endpoint, ISE rejected cookies issued from MI, thus preventing the server from properly identifying what devices are compliant or not. This resulted in the status of "unknown," which prevented access for endpoints that are compliant (via AuthZ rule set).

CSCuj57335 Egress Matrix: require default SGACL that includes log option

This fix adds new log functionality to the default Egress rule.

CSCuj60796 ISE Support for IE 11

ISE 1.2 patch 3 supports Internet Explorer 11.

CSCuj70022 EAP-FAST authenticated provisioning with Android doesn't work

This fix addresses an issue where ISE TLV failed when parsing a TLV sequence that some versions of Android sent during authenticated provisioning.

CSCuj82378 Downloaded captured TCP dump file for remote node is not of proper size

This fix addresses issues with TCP dump files. Previously, the Download button would not respond after running the TCP dump for more than five minutes. Also, an error occurred after downloading the TCP dump file because the file size was incorrect. These issues have been resolved.

New Features in Cisco ISE Version 1.2.0.899—Cumulative Patch 2

Support for Guest Self-Registration Based on Email Domain Whitelist

You can allow guests to create their own accounts by enabling the self-service feature by choosing: Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations > Operations > Guest users should be allowed to do self service. When you enable this feature, the account credentials display on the screen, and they are also emailed to the email address used to create the account.

You can restrict this feature by limiting guests’ ability to create their own accounts based on their email domain. By creating an email domain whitelist, you can ensure that only guest users with email accounts on those domains can create guest accounts.

To prevent the account credentials from displaying on the screen, you must create a custom portal when using an email domain whitelist. These steps provide an overview:

1. Create a custom portal, following these guidelines:

– Add a required email field and an acceptable use policy (AUP) page to the Self-Registration html file. See New Sample HTML Files for Custom ISE 1.2.x Web Portals, page 103 for information on downloading a sample file.

– Add text to refer users to their email for their login credentials on the Self-Registration Results html file. See New Sample HTML Files for Custom ISE 1.2.x Web Portals, page 103 for information on downloading a sample file.

– Map the Login file to the Self-Registration page. See the “Mapping HTML Files to Guest Portal Pages” section in the Cisco Identity Services Engine User Guide, Release 1.2 for detailed instructions.

2. Configure the SMTP server to support notifications (Administration > System > Settings > SMTP Server).

3. Specify the default e-mail address from which to send all guest notifications. (Administration > System > Settings > SMTP Server and choose Use Default email address).

4. Create the email domain whitelist. See the “Restricting Self-Registration Based on Email Domain” section on page 127.

5. Customize the self-registration credentials email message. See the “Customizing the Self-Registration Credentials Email” section on page 128.

6. Customize the self-registration failure message. See the “Customizing the Self-Registration Failure Message” section on page 128.

Restricting Self-Registration Based on Email Domain

Before You Begin

• Configure the SMTP server to support notifications (Administration > System > Settings > SMTP Server).

• Specify the default e-mail address from which to send all guest notifications. (Administration > System > Settings > SMTP Server and choose Use Default email address).

Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations.

Step 2 Add or edit a guest portal and click Operations.

Step 3 Check these options:

• Guest users should be allowed to do self service.

• Send self-registration credentials to whitelisted email domains

Step 4 Enter the allowable domains in the Whitelisted email domains field, following these criteria:

• Enter the exact domain name; wildcard characters are not supported.

• Use commas to separate multiple domain names

• The field supports a maximum of 4000 bytes so the total number of supported domains varies, depending on multibyte or unicode requirements.

Step 5 Click Save.
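The field criteria in Step 4 can be checked before a value is entered in the GUI. The following Python code is an added example, not Cisco's implementation: it validates a candidate value for the Whitelisted email domains field against the three stated criteria and shows what exact-domain matching means for a subdomain. UTF-8 byte counting, case-insensitive comparison, whitespace trimming and the set of wildcard characters are assumptions, as are all function names.

```python
"""Pre-check a 'Whitelisted email domains' value and test addresses against it."""

MAX_FIELD_BYTES = 4000        # field limit stated in the release notes
WILDCARD_CHARS = set("*?%")   # assumption: characters an admin might try as wildcards


def parse_whitelist(field_value, encoding="utf-8"):
    """Validate the comma-separated field value and return its domains.

    Raises ValueError naming the first criterion the value breaks.
    The encoding used for the byte count is an assumption (UTF-8).
    """
    size = len(field_value.encode(encoding))
    if size > MAX_FIELD_BYTES:
        raise ValueError(f"value is {size} bytes, limit is {MAX_FIELD_BYTES}")
    domains = []
    for raw in field_value.split(","):
        domain = raw.strip().lower()
        if not domain:
            raise ValueError("empty entry (stray comma)")
        if WILDCARD_CHARS & set(domain):
            raise ValueError(f"wildcards are not supported: {domain!r}")
        if "@" in domain or any(ch.isspace() for ch in domain):
            raise ValueError(f"enter a bare domain name, got {domain!r}")
        if domain not in domains:
            domains.append(domain)
    return domains


def is_allowed(email, domains):
    """Exact-match the address's domain; a listed domain does not cover subdomains."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return False
    return domain.lower() in domains


if __name__ == "__main__":
    # Constructed sample values, not taken from any deployment.
    allowed = parse_whitelist("example.com, partner.example.org")
    for addr in ("alice@example.com", "bob@mail.example.com", "eve@example.net"):
        print(addr, "->", "accepted" if is_allowed(addr, allowed) else "rejected")
    # Multibyte names use up the 4000-byte budget faster than their length suggests.
    idn = ",".join(["日本語.example"] * 300)
    print(len(idn), "characters,", len(idn.encode("utf-8")), "bytes")
```

Because wildcards are not supported, every subdomain that should be able to self-register has to be listed as its own entry.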

Customizing the Self-Registration Credentials Email

You can customize the email message sent to users containing their self-registration login credentials. When customizing this message, be sure to configure it for the languages supported for your guest users. This email is sent to the guest and sponsor using the guest notification language (specified in this setting: Sponsor portal > Edit guest account > Notification language).

Step 1 Choose Administration > Web Portal Management > Settings > Sponsor > Language Template > English (or other language) > Configure Email Notifications > Self-Registration Credentials.

Step 2 Customize the message and click Save.

Customizing the Self-Registration Failure Message

You can customize the error message that displays when users attempt to register using an email account from an unsupported domain.

Step 1 Choose Administration > Web Portal Management > Settings > Guest > Language Template > English (or other language) > Configure Error Messages > Self Service Failed Message.

Step 2 Customize the message and click Save.

Guest Account Expiration Notifications

You can notify guests and sponsors in advance that guests’ accounts are close to expiring. Sponsors can then proactively extend the account duration.

These restrictions apply when sending account expiration notifications:

• Notifications are sent only to active accounts. Pending, suspended, and expired accounts will not receive a notification.

• Accounts using the FromFirstLogin time profile will not receive a notification until they have become activated and are in the expiration notification window.

• The timezone of the guest account is used to determine the account expiration.

Configuring Guest Account Expiration Notifications

Step 1 Choose Administration > Web Portal Management > Settings > Guest > Time Profiles.

Step 2 Add or edit a time profile.

Step 3 Check these options:

• Send account expiration notification

• Notification time—enter a value between 0 and 336 hours. You must enter a time allowed by the time profile. (For example, if the time profile limits guest access to one week, you might enter 24 to send the expiration notification a day in advance.)

• Send email to guest or Send email to sponsor—you must choose at least one of these options.

Step 4 Click Save.

Customizing the Guest Account Expiration Notification

You can customize the messages sent to guests and sponsors to warn them that the guest account is expiring soon. When customizing these messages, be sure to configure it for the languages supported for your guest and sponsor users. This email is sent to sponsors and guests in the language indicated by these settings:

• Sponsors—Sponsor Portal > My Settings > Language template

• Guests—Sponsor portal > Edit guest account > Notification language

Step 1 Choose one of these options:

• Guests—Administration > Web Portal Management > Settings > Guest > Language Template > English (or other language) > Configure Email Notifications > Account Expiration Notification Message.

• Sponsors—Administration > Web Portal Management > Settings > Sponsor > Language Template > English (or other language) > Configure Email Notifications > Account Expiration Notification Message.

Step 2 Customize the message to send to sponsors and guests, using these supported variables:

• $guest$—first name of the account or the username if first name is empty

• $username$—login of the guest account

• $firstname$—first name on guest account

• $lastname$—last name on guest account

• $sponsor$—the sponsors login username

• $time$—the time remaining on the account before expiration. Displays as: HH:MM

• $remaininghours$—the remaining number of hours before expiration

• $remainingminutes$—the remaining number of minutes before expiration

• $starttime$—the start date and time of the account. Displays as: EEE dd, MMM yyyy HH:mm. For example: Fri 30, Aug 2013 10:30.

• $endtime$—the end date and time of the account. Displays as: EEE dd, MMM yyyy HH:mm. For example: Fri 30, Aug 2013 10:30.

Step 3 Click Save.

Support for Apple iOS 7 in Cisco ISE Version 1.2.0.899—Cumulative Patch 2

ISE 1.2 Patch 2 supports iOS 7 Endpoints for Guest users (Local Web Authentication and Central Web Authentication), as well as BYOD on-boarding. Please note that to ensure iOS 7 endpoint support with ISE 1.2 Patch 2, the WLC needs to be updated to version 7.4.115.0.

The WLC 7.4.115.0 update for these devices:

• Cisco 2504 Wireless Controller

• Cisco 5508 Wireless Controller

• Cisco 8510 Wireless Controller

• Cisco Flex 7510 Wireless Controller

• Cisco Virtual Wireless Controller

can be downloaded by registered users of Cisco.com from this location: http://software.cisco.com/download/special/release.html?config=fe18b0e824ca3427253bf74fdf50dab9

The WLC 7.4.115.0 update for the Cisco Wireless Services Module 2 (WiSM2) can be downloaded by registered users of Cisco.com from this location: http://software.cisco.com/download/special/release.html?config=dc3ed2770a7e6d66be495ac1d8cf0cc5

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 2

Table 37 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 2.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 37 Cisco ISE Patch Version 1.2.0.899-Patch 2 Resolved Caveats

Caveat Description

CSCuh25868 Authorization policy condition’s re-editable text/string limited to 16 characters.

This fix addresses an issue where editing an authorization policy’s conditions resulted in the text box showing only the first 16 characters in a string condition. The remaining characters were replaced by "..."

CSCuh56278 Local Web Authentication (LWA) Guest access by iOS 6 devices on ISE 1.2 fails.

This fix ensures that iOS 6 devices are authenticated correctly and gain access to the network appropriately.

CSCui34389 RADIUS accounting drop is not suppressed, flooding live log

This fix addresses an issue where message codes for RADIUS accounting drops were not suppressed, resulting in live logs being flooded.

CSCui36160 Whitelist and expiration notification.

The new Guest Self-Service feature provides administrators and sponsors the ability to have a customized notification email sent to guest users or sponsors X days before the guest account expires, allowing the sponsor (or guest user in SPP) to update the time profile and extend the account expiration.

Self Service Guest accounts have password credentials sent via email, with an additional Email Whitelist feature for validation.

Note See Support for Guest Self-Registration Based on Email Domain Whitelist, page 127 for more information.

CSCui42788 Exporting of imported profile policy results a garbled description.

This fix addresses an issue where exporting an imported policy with a description field resulted in a garbled description field.

CSCui44324 Backup task can't be configured in ISE 1.2 UI.

This fix addresses an issue where a scheduled backup couldn’t be configured on ISE 1.2 in the UI under "Administration -> System -> Backup and restore". After filling in all data and clicking the "Save" button, nothing happened (i.e., neither was a task created nor an error generated).

CSCui56071 ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates

This fix filters incoming Framed-IP-Address values that contain the zero IP address (0.0.0.0) to reduce replication.

CSCui58390 Multiple names in SAN Field and ISE choose value randomly

This fix addresses an issue where the ISE chose the wrong Subject Alternative Name if there are multiple names in the SAN field values in the certificate.

CSCui75335 ISE 1.2 NAC agent fails posture due to 'NAC Server not available'

This fix addresses an issue where a NAC agent failed a posture assessment attempt and displayed a “NAC Server not available” error.

CSCuj23727 A change in iOS 7 to the user-agent string for an iPod Touch breaks its BYOD workflow.

This fix ensures that an iPod Touch device is recognized as such in a BYOD workflow.

Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 1

Table 38 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 1.

To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to your system.

If you experience problems installing the patch, contact Cisco Technical Assistance Center.

Table 38 Cisco ISE Patch Version 1.2.0.899-Patch 1 Resolved Caveats

Caveat Description

CSCui16528 Wrong service selection for NDAC Policy

This fix addresses the issue in a Cisco ISE deployment with SGA functionality implemented, where the authentication request was rejected by the Cisco ISE PSN server and the request from the client timed out.

Cisco ISE, Release 1.2.x, Open Caveats

• Open Caveats

• Open Agent Caveats

Open Caveats

Table 39 Cisco ISE, Release 1.2.x, Open Caveats

Caveat Description

CSCua97013 Apple iOS devices are prompted to accept “Not Verified” certificates

Apple iOS devices (iPhone & iPad) are asked to accept the certificate, appearing to them as “Not Verified,” when connecting to WLAN (802.1X).

By design, Apple iOS devices are prompted to accept a proprietary certificate, but Apple OS X and Android devices work without being prompted to accept a certificate.

This happens even when the certificate is signed by a known CA, as there is an intermediate certificate in the server certificate chain.

Workaround Click Accept to acknowledge the certificate. While browsing any URL, the user is redirected to provision the device. After provisioning, the intermediate certificate is installed on the iDevice.

CSCub17522 IP Phone IEEE 802.1X authentication reverts to PAC-based authentication when the “Accept client on authenticated provisioning” option is not enabled.

When the “Accept client on authenticated provisioning” option is off, Cisco IP Phone EAP-FAST authentication sessions always end with an Access-Reject event. This requires the IP phone to perform PAC-based authentication to pass authentication. Since Cisco IP Phones perform authentication via authenticated provisioning and not via PAC-based authentication, it is not possible for the phone to authenticate when this option is off.

Workaround Try one of the following:

• Turn on the Cisco IP Phone “Accept client on authenticated provisioning” option.

• Switch from EAP-FAST protocol to PAC-less mode.

• Authenticate Cisco IP Phones via EAP-TLS rather than EAP-FAST.

CSCuc60349 False alarms on patch install/rollback as failure on secondary node

ISE sometimes generates critical false alarms for install or rollback failure on a secondary node even though the install or rollback operations were successful.

Workaround Use PAP (Administration > Maintenance > Patch > Show Node Status) to verify patch installation status.

CSCuc92246 Disk input/output operation while importing users slows down the appliance

If you enabled the Profiler service in your deployment, you have a Cisco ISE 3315 appliance as your primary Administration node, and you import users, accessing the user interface becomes very slow.

Workaround None

CSCud00407 Microsoft Active Directory 2012 user authentication with Alternative User Principal Name suffix fails.

This issue occurs when the Alternative User Principal Name (UPN) is the same as the name of the parent or ancestral domain to which Cisco ISE is joined. For example, if Cisco ISE is joined to a domain named “sales.country.region.global.com,” and you have an Alternative UPN named “global.com,” then user authentication fails.

Workaround Use an Alternative UPN that is not the same as the parent or an ancestor.
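The condition described in CSCud00407 can be checked before users hit it. The following is an added example, not Cisco code: it lists the parent and ancestor domains of the domain Cisco ISE is joined to and flags any Alternative UPN suffix that equals one of them. The function names, the sample suffix list, and the choice to ignore a bare top-level label such as "com" are assumptions.

```python
"""Audit Alternative UPN suffixes against the joined AD domain (CSCud00407)."""


def _labels(domain):
    # DNS names are case-insensitive; drop a trailing root dot and empty labels.
    return [part for part in domain.strip().lower().rstrip(".").split(".") if part]


def ancestor_domains(joined_domain):
    """Return the parent and every further ancestor of joined_domain, nearest first.

    Assumption: the joined domain itself and the bare top-level label are
    excluded, because the caveat only names the parent or an ancestral domain.
    """
    labels = _labels(joined_domain)
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def upn_suffix(value):
    """Accept a bare suffix ('global.com') or a full UPN ('alice@global.com')."""
    return ".".join(_labels(value.rsplit("@", 1)[-1]))


def audit_upn_suffixes(joined_domain, suffixes):
    """Return (value_as_given, matching_ancestor, levels_up) per conflicting entry."""
    ancestors = ancestor_domains(joined_domain)
    findings = []
    for raw in suffixes:
        suffix = upn_suffix(raw)
        if suffix in ancestors:
            findings.append((raw, suffix, ancestors.index(suffix) + 1))
    return findings


# Domain names taken from the caveat text.
JOINED_DOMAIN = "sales.country.region.global.com"

# Constructed sample input: suffixes as they might be listed for the forest.
SUFFIXES = [
    "global.com",                       # the case named in the caveat
    "Region.Global.com.",               # same problem, different case and trailing dot
    "corp.example",                     # unrelated suffix
    "alice@country.region.global.com",  # full UPN using the parent domain
    "sales.country.region.global.com",  # the joined domain itself
    "emea.global.com",                  # sibling branch, not an ancestor
]

if __name__ == "__main__":
    for raw, ancestor, levels in audit_upn_suffixes(JOINED_DOMAIN, SUFFIXES):
        print(f"CONFLICT: {raw!r} equals ancestor {ancestor!r} ({levels} level(s) up)")
```
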

CSCud18190 Unable to reregister a device (via EAP-TLS) that was provisioned earlier.

If you delete an endpoint that was provisioned, you have to force the deleted or missing endpoint to re-register with Cisco ISE so that the endpoint is created again.

Workaround Create an authorization rule similar to the following:

Re-register-Policy NetworkAccess.AuthenticationMethod == x509_PKI CWA-Policy

This rule redirects to the CWA policy and authenticates the user (you must add the identity store to the guest authentication store sequence), and re-provisions the endpoint.

CSCue08385 After changing the domain name could not access node in 3 node setup.

After changing the domain name on the PAP node, it is not possible to access the PAP node through the GUI, and an HTTP error is thrown.

CSCue17018 MNT node gets messages even after it is out of deployment and is disconnected.

CSCue46758 Session expired error occurs during guest authentication. Cisco ISE displays the following error message:

ISE: 86107- Session cache entry missing

For Central Web Authentication, when you configure an authorization profile, and modify the cisco-av-pair (cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa), the user is redirected to the Web Authentication page, but the session expires after the user logs in.

Workaround Do any one of the following:

• Do not replace “ip” in the cisco-av-pair with a value.

• Do not modify cisco-av-pair. Instead, configure the Web Authentication option under Common Tasks.

CSCue51298 Guest users who are assigned the ActivatedGuest role and First Login time profile have to change their password at first login or after password expiration.

This issue occurs when you assign the ActivatedGuest guest role and the From First Login time profile to a guest user.

This time profile requires the guest users to first access the Guest portal to change their password. The typical flow for these activated guest users does not require them to access the Guest portal because they sign in using IEEE 802.1X (dot1x) authentication or VPN.

Workaround For activated guest users, use the From Creation time profile instead of the From First Login time profile.

CSCuf77949 After upgrade, two instances of the same alarm appear on your dashboard.

After you upgrade, you might see two instances of the same alarm being generated. This issue exists for about 15 minutes after the upgrade is complete.

Workaround None.

CSCug60740 While using Chrome as the browser on a Nexus 7 tablet, if JavaScript is disabled, users logging in to the Guest portal for the first time will not be able to continue past the site security certificate page.

Workaround Enable JavaScript in the browser or install a trusted certificate on ISE to avoid the site security certificate page.

CSCuh07358 Holistic solution is required to resolve Java/SPW issue on Mac OS X/Windows provisioning.

While onboarding Mac OS X devices, if Java is not installed, an error message is displayed. This requires the user to install Java and rerun the flow to onboard the device.

CSCuh75971 Issue running applet in Windows or Macintosh OS with latest Java 7 update 25.

If Java 7 update 25 or above is installed, launching the Agents or Network Setup Assistant during client provisioning or the onboarding process on Windows or Mac OS X clients takes about 3 minutes, because this Java update has Perform revocation checks enabled by default. This causes the applets' signed certificates to be verified against the issuer's CA server, which is currently blocked. This issue affects only the Java applet and does not affect ActiveX, so there is less impact on Internet Explorer, which uses ActiveX by default.

Workaround The Cisco ISE administrator should allow access to crl.thawte.com and oscp.verisign.net for the restricted network during provisioning. If the administrator is not able to open access to these sites, then the end user should turn off Perform certificate revocation checks in Java as follows:

Open the Java Control Panel, click the Advanced tab, go to Perform certificate revocation checks on and select Do not check.

CSCuh78210 Agent does not turn TLS1.0 in IE if FIPS ciphers are disabled by default

When redirected from Internet Explorer, if the FIPS cryptographic ciphers from local security policies on client machines are enabled or disabled, then the NAC Agent does not pop up for posture assessment.

Workaround Exit and launch the NAC Agent again to get the latest FIPS settings.

CSCuh07275 Roaming of iPad breaks onboarding process.

If a device roams to a different access point or WLC that connects to a different PSN, then the CoA is sent to a WLC that is not expecting it and the onboarding goes into a loop.

Workaround Disconnect from the wireless and try to connect again.

CSCuh12619 BYOD: Device registration is successful even after canceling the profile installation.

CSCuh21153 IP Address does not refresh in Windows 7 client when using Internet Explorer for authentication in DRW flow.

CSCuh22013 Some endpoint devices like iPad and iPhone have issues with wildcard certificates when CN is blank.

CSCuh43300 Node group cluster information is deleted if a node is made primary and included in a node group at the same time.

When a node group is created in a standalone node and then the node is made primary, the failover information is not notified to the primary node.

CSCuh60829 While upgrading from ISE 1.1.1 to ISE 1.2, the Time and Date condition configured as 'All Day' changes to specific hours and it fails for all authentication and authorization policies that use the time based condition.

CSCuh64576 Language Template description and browser Locale Map are not carried over

After upgrading to ISE 1.2, the 'Description' and 'Browser Locale Mapping' in the template definition are not carried over for Sponsor, My Devices, and Guest Language template.

Workaround After the upgrade, set the flags manually.

CSCuh77967 Error message when same rule name appears under local and Global exception

When global and local exception rules are created with same names, they get saved successfully. While trying to edit and save the policy, an error message is displayed that the exception rule already exists.

CSCuh78514 Config Restore including ADE-OS could cause nodes go out of sync

In a deployment, nodes are not in sync after ADE-OS restore.

Workaround After the restore is successful, the nodes need to be synchronized manually using the ISE Administration web UI.

CSCuh88557 User password policy attribute migration issue

In the ACS UI, the “Password may not contain the username or its characters in reversed order” checkbox is enabled and exported to ISE. After importing the policies, the checkbox appears disabled.

CSCuh90273 BYOD flow does not work when ISE acts as RADIUS proxy.

Once an AD user is authenticated successfully against the remote RADIUS server, the user is redirected to the NSP portal. In the NSP portal, it is not possible to obtain the user information. An error is thrown and, instead of the 'Register' option, the 'Try Again' option is displayed.

CSCuh94096 IE9: Register button greyed out when ActiveX is disabled

In a Windows 7 client using Internet Explorer 9 with ActiveX disabled, while trying to perform the BYOD flow the browser redirects the user to ‘Device Registration’ page, where the ‘Register’ option is greyed out.

Workaround Enable ActiveX so that the Register option is available.

CSCui00865 After creating guest accounts using Mozilla Firefox, the 'Manage Guest Accounts' page does not contain the newly created guests and has missing objects.

Workaround Clear the cache and restart the browser.

CSCui01605 Saving Duplicate policy set which has user defined simple condition fails

It is not possible to duplicate and save a policy set that contains a user-defined simple condition.

Workaround

• Create a new policy set with same user defined simple conditions and save it.

OR

• Duplicate a policy set with authorization simple condition and delete the user defined simple conditions in the policy set. Create the same condition in the duplicated policy set and save it.

CSCui03041 Device ID does not go to RegisteredDevices group

When a laptop with Mac OS X is connected to a network through BYOD flow, both the wired and wireless MAC addresses are listed in 'RegisteredDevices' group. When the same laptop is connected again after cleaning up the profiles and user credentials, only the wireless MAC address is listed in the 'RegisteredDevices' group.

CSCui05265 Guest Role configuration in the Administration UI using IE does not work properly

Configuring Guest Role at Administration > Web Portal Management > Settings > Guest > Guest Roles Configuration, using Internet Explorer does not display the ID groups properly.

Workaround Use other browsers like Firefox.

CSCui07457 WLC ACL issue with Android device during BYOD

In a BYOD flow, when the ACLs are created through the Setup Assistant, Android devices fail to download the Network Setup Assistant application.

Workaround Do any one of the following to enable the Android devices to download the profile and connect to the network successfully.

• Update the ACL in the WLC GUI by deleting one of the ACLs and creating it again with same values.

OR

• In the Edit page of the WLC, click Save without changing the values. This will update the ACL.

CSCui10632 NSP profile deleted and replaced by another after downloading the resources

After creating an NSP profile for EAP-TLS and using it in a client provisioning policy, when the agents and resources are downloaded through the update feed URL, the NSP profile gets deleted. It is replaced with one of the downloaded NSP profiles.

CSCui12947 After upgrading, replication fails on deployment when secondary PAP is promoted.

Workaround Delete the local certificates and restart the PAP.

CSCui16373 Upgrading any secondary node from Limited Availability Release to Release 1.2 Fails.

This issue occurs only when you upgrade from the Limited Availability release to Cisco ISE, Release 1.2. This issue is seen when you have backup schedules configured in Cisco ISE.

Workaround Disable or cancel the backup schedules before you upgrade to Release 1.2.

CSCui16876 Default authentication policy matching instead of default dot1x rule

When the default policy is modified to 'deny access' and dot1x authentication is performed against PDP with internal user, authentication fails. The authentication matches with 'AllowedProtocolMatchedRule'.

Workaround Instead of deny access, select identity source/sequence to get authenticated.

CSCui18956 Not able to update the custom RBAC policies after upgrading to Cisco ISE 1.2

After upgrading from Cisco ISE 1.1.x to 1.2, it is not possible to update the RBAC policies, custom menu access and data access permissions that were created in Cisco ISE 1.1.x.

Workaround

1. Create new menu access permission after upgrading to 1.2

2. Update the RBAC policy created in 1.1.x with the newly created menu access permission and save the policy.

3. Log in with the RBAC user and the updated menus will be displayed.

CSCui19072 After creating RBAC menu access permission, navigate to the Home page and click the Show button. This throws the following error: 'TypeError: selectedItem is undefined'.

Workaround This happens only for the first time. Edit the menu access, go to the Home page, and click Show.

CSCui28492 Registered Endpoints report takes a few minutes.

Workaround Gather the statistics in CEPM schema and the reports are generated without delay.

CSCui87386 Default Guest Portal displays Self Service Results on screen with the White Listing Feature enabled.

Workaround Use a Custom Guest Portal, with the Self Service Results page customized not to display the results on screen. Additionally, disable the Self Service option in the Default Guest Portal settings, as there is a risk of the Default Guest Portal being accessed by tweaking the redirected URL.

CSCuj10678 The iPEP Node is unable to correctly handle tagged VLANs.

Workaround Make the native VLAN on the switch the same as the management VLAN.

CSCuj22597 When using the notification feature, emails are delivered even when notifications are disabled for the sponsor in admin.

Workaround Disable the notification on the time profile setting instead.

CSCuj40148 During the BYOD flow the end user will be continuously redirected to the device registration page after installing Java.

This occurs when:

• the endpoint does not have Java installed and the installation is then completed in the Firefox browser, or

• Java is uninstalled and the Firefox browser was not quit before starting the BYOD flow

Workaround Quit and relaunch the Firefox browser after installing the Java package from www.java.com/en/download and then continue with the BYOD onboarding.

CSCuj62777 After uninstalling 1.2 Patch 3, the PAP node goes down and doesn’t come up, showing HTTP 404 Error in GUI.

CSCul27693 If you do a CSV bulk import from the sponsor portal, you are asked which role to tie the imported guests to. If you use the "Guest" group as suggested by default and then try to authenticate with one of those guests, they never hit the authorization rule where you configured "identity group=guest" as the condition, because ISE sees the guest account as part of the “Any” identity group.

Workaround As the sponsor, open the guest account for editing and save it without changing anything. The user will then correctly show as belonging to the Guest group when logging in.

CSCul69609 The same session ID is being used by multiple guest users, so some guest users see login page even after accepting AUP.

CSCul39011 For installations of ISE 1.2 with MDM server integrated, ISE tries to query the MDM server during EAP sessions. If the server does not respond, it continuously retries and this causes the session to hang in runtime. The ISE live authentication logs may report 5436, 5405/5411, and 5441 errors making it appear as if the supplicant is misbehaving while the ISE alarms report “External MDM Server Connection Failure.”

Workaround Make sure the MDM server is constantly able to respond to queries. If profiling is used, configure and assign logical profiles to the MDM rules to reduce the scope to mobile devices only. Add the MDMServerReachable condition to the configured MDM authorization rule to allow ISE to use MDM reachability as a condition match.

CSCul92356 While using Guest Portal along with “Guest users should be allowed to do Device Registration,” when the Guest user registers the device, the device falls into the UNKNOWN Group whereas it should go in either the GuestEndpoints group or in the RegisteredDevices group.

Workaround We can force the endpoint to fall into a different group by manually creating a profiler policy.

• Create a Profiling condition where the “IP_EndPointSource” EQUALS “GUEST Portal.” Allow it to Create a matching Identity group.

• We can see that the endpoints will now fall into the new Endpoint Identity group under Endpoint groups > Profiled and can be used in an authorization Policy.

CSCul94611 Issue with the Live dashboard in ISE 1.1.4 not displaying information and only showing “No Data Available.”

Workaround Enter the following commands:

ms-ise-mgm01/admin# app config ise

Selection ISE configuration option
[1]Reset Active Directory settings to defaults
[2]Display Active Directory settings
[3]Configure Active Directory settings
[4]Restart/Apply Active Directory settings
[5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings
[6]Enable/Disable ERS API
[7]Reset M&T Session Database
[8]Rebuild M&T Unusable Indexes
[9]Purge M&T Operational Data
[10]Reset M&T Database
[11]Refresh M&T Database Statistics
[12]Display Profiler Statistics
[13]Exit

Select the following options:

7 to reset the session db

10 to reset the M&T database

11 to refresh the statistics (possibly not needed; it was needed in only 1 case)

Once you have run these commands, the dashboard should begin to display information.

This process can take up to 12 hours to complete all three steps, roughly 1 to 3 hours per option selected.

CSCum05066 When rolling back a patch update using the GUI, the patch is uninstalled successfully on the primary node but not on the secondary nodes. On the Primary node, the GUI shows that the patch is no longer installed on the Primary but still shows it as installed on the secondary node.

This issue is fixed in ISE 1.2 patch 5. However, it will occur if you roll back a fresh install of ISE 1.2 patch 6 or 7, or if you roll back ISE 1.2 patch 5.

Workaround The user needs to run the rollback again from the Primary GUI.

CSCum05562 An endpoint might not match the right authorization profile because the change of authorization was not sent.

Workaround Don't use policy sets, or use fast reAuths on the switch; doing a CoA from MnT works as well.

CSCum21201 Windows workstation devices that have a MAC address starting with "3C:97:0E" are profiled as a "Nortel-Device."

Workaround Remove Nortel condition matching on "OUI CONTAINS Wistron" and increase the Certainty Factor of Windows workstation device so that it prefers Windows profile policy over Nortel policy.

CSCum41138 After CoA REST API is issued successfully, ISE live logs shows the “NAS IP Address” to be the MnT address, instead of the switch address.

CSCum73765 While using profiling with SNMP v3 Query and Trap probes, the correct profiling information is not fetched. The SNMP v3 queries triggered by the SNMP traps generated by linkup/linkdown or mac-notification from the switch fail SNMP v3 authorization, which leads to closing of the SNMP session.

The same is seen when the SNMP v3 query is triggered by a Radius Accounting probe.

In the profiler.log, we can clearly see that the SNMP v3 authorization fails and the SNMP session is closed.

Workaround There is no workaround. The only options available currently are:

1. Use SNMP v2c instead of SNMP v3.

2. Reduce the polling interval to 600 seconds on the network device configuration. Now, when the device is connected, it will be profiled wrongly at first, but 10 minutes later (600 seconds), when the independent query takes place, it will be profiled correctly. This delay is seen only the first time the device is brought into the network. From the next time onwards, it will connect and get the correct policy immediately, since it is already saved with the right profiling information.

CSCum85832 On a fresh installation of 1.2.1, when restoring the Operational (MNT) data of 1.2, the operational restore will be completed successfully.

CSCun23340 Randomly created guest users are not shown for exporting and printing the user information in Firefox.

Workaround Use Internet Explorer 11.

CSCun23357 Uploaded guest users are not shown in Firefox.

Workaround Use Internet Explorer 11.

CSCun53951 ISE presents self-signed cert instead of CA-signed cert even though the GUI shows the CA-signed cert marked for HTTPS use.

The standalone ISE node has 2 certificates in its local certificate store: a self signed one and a CA signed one.

The CA signed certificate is marked to be used for HTTPS and EAP. This node presents the CA signed certificate when the GUI is accessed.

Once the above ISE node is registered to the primary, it starts presenting the self signed cert.

Workaround After registration, choose the self-signed cert in the GUI, so that the node presents the CA signed cert.

CSCun65239 The desktop device does not display sessionExpired page when the “change password” and “device registration” options are enabled.

The mobile portal does not display sessionExpired page when session is terminated. This occurs when the following options are enabled:

• Guest users should agree to an acceptable use policy - Every Login

• Enable Mobile Portal

• Allow guest users to change password

• Guest users should be allowed to do self service

Workaround If the login page loops after the session has expired, disconnect and reconnect SSID/network. Then have the client redirect to the guest portal by entering an external URL in the address bar so they get a new session ID.

1. Disable mobile portal option.

2. Disable the following options:

– Require guest users to change password at expiration and first login

– Guest users should be allowed to do device registration

CSCun75689 ISE is unable to save a Scheduled Report using UTF-8 characters in the report name. You will receive the following message: “Schedule name should only contain alphanumeric and _ - . characters.”

Workaround Rename the Schedule Report with non-UTF-8 characters.

CSCuo34855 When using a REGEX as an attribute in a Client Provisioning Policy in ISE 1.2, Cisco ISE does not match the policy to an applicable endpoint.

The redirect page displays the following error: "The system administrator has either not configured or enabled a policy for your device. Contact your system administrator."

Workaround Use attributes defined in the ISE dictionary in lieu of REGEX when creating a client provisioning policy.

CSCuo40057 EAP-Chaining authorization is stuck without successful certificate renewal.

Workaround In order to identify EAP-Chaining with expired cert functionality, you can have a rule which reads: if Network Access.UseCase EQUALS EAP-Chaining AND CertRenewalRequired then DenyAccess.

CSCuo54649 An endpoint consuming advanced features will show against both Advanced and Plus license if both licenses are available in the system.

Workaround Refer to Current Licenses page instead of details of licenses installed.

CSCuo56327 Since Plus license support was introduced in Cisco ISE 1.2 patch 8, the Plus license will be removed if admin removes Cisco ISE 1.2 patch 8 or Cisco ISE 1.2.1.

CSCuo62507 Once disk space usage reaches more than 80%, aggressive purging is triggered automatically from the back end. If the admin tries to perform CLI purging while the back-end purge is in progress, data is only partially purged.

Workaround Once both processes have completed, trigger the CLI purge again. All the data will then be purged successfully according to the configured threshold.

CSCuo88056 Guest Action word is displayed instead of sponsor name in the Reports after Guest Password is changed.

Workaround The guest user can change the password after logging in to the Guest portal, so that the sponsor name is displayed properly in the reports.

CSCuo88459 After certificate renewal, an Apple iOS device gets stuck and is always redirected to the CWA URL, or the Wi-Fi interface is down.

Workaround Perform the following steps in order. Tap the Wi-Fi network, select the option to forget this network, and try reconnecting to the same network. The device asks the user to select the authentication method; select EAP-TLS and select the user certificate. Enter the user name and click Connect.

CSCuo89783 When we trigger a backup to invalid repository, the backup fails and no alarm is generated.

Workaround Check the backup status on the Administration > System > Backup & Restore page.

CSCup00209 Guest user name is not displayed for Guest attribute value, instead “Self Registration” word / Internal Sponsor name is shown under Guest Sponsor mapping and Guest Sponsor Detail reports respectively.

Workaround The guest user can be created by a sponsor via the Sponsor portal.

CSCup08066 Performing a backup preserves alarm notifications. In Cisco ISE 1.2.1, this causes alarms to trigger in the dashboard.

CSCup10918 Consistency issue in French localization. “Vous devez renouveler l'inscription de votre périphérique pour continuer à utiliser le réseau sécurisé” should be “Vous devez renouveler l'enregistrement de votre périphérique pour continuer à utiliser le réseau sécurisé.”

CSCup23595 Exporting endpoints results in an empty file if filtering by IP address.

Workaround Export endpoints using the “Export Selected” option.

CSCup39916 Exporting endpoints with the _ special character in the profile name results in an empty file.

Workaround Export endpoints using the “Export Selected” option.

CSCup44205 CoA session quarantine takes no action but reports that it was applied successfully.

Workaround Disable EPS services for ASA COA users. Quarantine option will not be displayed in MnT.

CSCup52657 Error messages occur when the servers are placed in the following deployment and APIs are executed for the Secondary MnT IP address:

PAP(P)+MnT(S)+PDP- Node 1

PAP(S)+MnT(P)- Node 2

Workaround Change the deployment as follows:

PAP(P)+MnT(P)+PDP

PAP(S)+MnT(S)

CSCup68428 CoA session re-authentication is successful the first time, but the session is terminated for second re-authentication if Posture isn’t completed.

Workaround Issue the ASA CoA re-authentication once Posture is completed.

CSCup94688 When trying to add or delete IP addresses for admin access, the Save and Reset buttons functionalities are not properly implemented.

Workaround No functional/Flow impact. Just Add and Delete will do it.

CSCty46687 The Cisco Identity Services Engine (ISE) is affected by a cross-site scripting (XSS) vulnerability.

CSCty60811 Clients are not redirected to the Posture Remediation page to download the NAC agent.

CSCtz29311 SecPAP promotion is slow with FCS 1.1(alpha data) to 1.1.1.183 upgrades.

CSCtz99443 Node replication status in the deployment page always shows 'IN-PROGRESS' message to the Secondary nodes that are deployed over WAN.

CSCua10173 Changing or disabling alert rules or criteria triggers HTTP Status 400 - Request not processed message.

CSCub19047 Characters such as Hyphen (-) and dot (.) are not supported as part of the VLAN ID\Name.

CSCub35768 ISE Upgrade from 1.0 to 1.1 failed because data access permission to the user is denied.

CSCub64247 Cisco Application Deployment Engine (ADE) OS does not accept users with passwords containing front slash.

CSCub87687 Language templates in the guest portal set a limit of 4000 characters.

CSCub99130 Corruption of database results in the loss of ISE certificates and keys.

CSCuc26772 Network devices are not displayed in the navigation pane when the Network Device Group is selected.

CSCud20339 Onboarding a device using single/dual SSID with Transport Layer Security (TLS) profiles fails.

CSCud46215 Detailed authentication failure message is not displayed for sponsor user group.

CSCud52161 Active Directory (AD) operation failure because of an unspecified error in ISE.

CSCud79538 ISE fails with two active certificates.

CSCud86135 During initialization failure ISE sends wrong alarms.

CSCud92384 Incorrect error messages displayed when ISE application server is down.

CSCue14481 “Internal error” message displayed when the number of guest user accounts created is 100,000.

CSCue23875 The monitoring database stops adding new entries for operating system strings that exceed the maximum value of 100 characters.

CSCue27949 The reset-passwd command does not allow the usage of special characters.

CSCue30432 Launch program remediation does not allow the usage of double quotes.

CSCue33447 Editing authorization profile by adding static Internet Protocol (IP) address or host name changes the redirect back to 'Default' and the 'Value' is empty.

CSCue46758 Identity Services Engine (ISE): 86107-Session cache entry missing during guest authentication.

CSCuf33854 Nessus 53491 - Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) renegotiation DoS OpenSSL reported medium vulnerabilities.

CSCuf60933 Slow GUI with large Cisco Telepresence System (CTS) Egress Matrix.

CSCuf84159 Identity Services Engine (ISE) admin access does not work with External RSA authentication.

CSCug20348 Machine authentication with Active Directory (AD) fails with MNT error “24485 Machine authentication against Active Directory has failed because of wrong password” and does not reflect the issue.

CSCug27409 Import of comma-separated value (CSV) file for Network Devices failed in ISE 1.1.3.

CSCug34679 Identity Services Engine (ISE) drops keep alive authentications coming from wireless LAN controller (WLC) marking ISE as dead.

CSCug51137 User authentication over 3 days failed with Uncaught exception.

CSCug51530 Failed to send message: Socket closed, MsgType: 901.

CSCug90087 Database lock not removed after execution of reset monitoring database command.

CSCuh23877 “Identity Store Unavailable” alarm not getting triggered after authentication failed.

CSCuh41473 Active Directory (AD) group not saved as external admin group if containing a "!" character.

CSCuh47459 Connection error on Backup and Restore page after successful restore and backup.

CSCuh50486 Identity Services Engine (ISE) validates only if Domain Name Server (DNS) entry for the host exists, but not for Internet Protocol (IP) address.

CSCuh54734 Acknowledgment of alarms does not work when the instances are over 1000 occurrences.

CSCuh57033 Error message not displayed to mobile users in Central WebAuth (cwa) with invalid credentials.

CSCuh79430 Machine Access Restriction (MAR) Cache on Access Control Server (ACS) not corrected when Machine removed from Active Directory (AD).

CSCuh79607 Identity Services Engine (ISE) Active Directory (AD) group matching fails due to forward slash in AD group name.

CSCuh86591 Identity Services Engine (ISE) Simple Network Management Protocol (SNMP) profiling failed when connected to 48 ports stacked under 24 ports switch master.

CSCuh87451 Browser redirected to the guest portal when declining acceptable use policy (AUP) through a Device Registration Web Authentication (DRW).

CSCuh89530 404 Error on MnT GUI and wrong persona in deployment page after customer database restore.

CSCuh96440 Could not determine prior Cisco Agent Installation on Windows or MAC OS X machines in pre-posture state.

CSCui01605 Admin cannot duplicate and save policy-set if existing policy set has user defined simple condition.

CSCui09203 Identity Services Engine (ISE) fails when an accounting message contains a long class string.

CSCui15711 Internal error encountered while creating guest user with a time profile that was deleted and recreated with the same name.

CSCui16843 Operational backup or restore failed when primary monitoring node is not reachable due to power down or inner shut down.

CSCui25164 Identity Services Engine (ISE) sponsors cannot view accounts that it created after change of group.

CSCui48401 Spaces in email when creating user in sponsor portal caused error in Identity Services Engine (ISE).

CSCui53920 Identity Services Engine (ISE) 1.2 dashboard metric % posture compliance is wrongly calculated for posture status other than “Compliant” or “Not Applicable”.

CSCui63474 Dynamic Host Configuration Protocol (DHCP) Switched Port Analyzer (SPAN) not starting unless Internet Protocol (IP) is assigned to the interface.

CSCui65057 Current iso-to-usb.sh script does not set the proper path for syslinux when used on CentOS 6.4.

CSCui65835 Devices in the network device list are not visible when customer logs in to the Web GUI with Active Directory (AD) credentials.

CSCui72087 Default access restrictions not securely enforced on several pages existing within the Inbox, Alarms, and Schedule pages.

CSCui82602 Guest Cache Issues for Identity Groups.

CSCui82615 Guest account cache issues for time profiles set by the sponsor.

CSCuj19173 MemberOf attribute fails with regular expression if group belong to an Organizational Unit (OU) in Active Directory (AD).

CSCuj20969 Network Device Session status report fails for a switch with message “SNMP information is not configured for this device in ISE.”

CSCuj30442 ISE Application Deployment Engine (ADE) does not allow the deletion of certain files from local repository.

CSCuj30585 ISE Client Provisioning Portal (CPP) allows MAC configuration for WebAgent.

CSCuj42566 ISE guest reporting does not identify the sponsor who effects changes to a guest account.

CSCuj58037 iPEP ISE 1.2 in routed mode does not use service Internet Protocol (IP) for RADIUS packets.

CSCuj61976 Admin Graphical User Interface (GUI) fails to display certain GUI pages when using Firefox 25.

CSCuj63421 Creating ISE shared reports via interactive viewer is broken.

CSCuj64008 Profiler feed service policy for Amazon Kindle Fire tablet to be devised.

CSCuj68540 Monitoring (MnT) schema upgrade script is logging INFO messages as ERROR and WARNING.

CSCuj71399 Performing backup through the GUI or CLI throws “A backup or restore is already in progress” error.

CSCuj71819 Accented characters in guest username displayed in HEX format in ISE GUI.

CSCuj76383 Admin user receives two email notifications for password expiry.

CSCuj88351 Loading a corrupted Certificate Authority (CA) certificate on startup causes config rollback with related problems.

CSCuj99801 External RESTful Services (ERS) error codes are not consistent for the same action pertaining to different categories.

CSCuj99912 ISE 1.2 External RESTful Services (ERS) filter by name for Security Group Tag (SGT) category fails.

CSCul00148 Start and end time profiles display according to ISE timezone instead of Guest timezone.

CSCul00743 The Operation > Authentication page is blank for invalid characters in username.

CSCul00985 Ubuntu laptop users without posture checks are redirected to the Client Provisioning Portal (CPP) page after Centralized Web Authentication (CWA).

CSCul02830 Active Directory (AD) test connection fails for domain\user-ID.

CSCul05429 Authorization rule does not match CVPN3000/ASA/PIX7x-Tunnel-Group-Name.

CSCul05764 Incorrect references when Certificate Authority (CA) ID Store Name is changed.

CSCul08673 Export of custom report for a date range failed.

CSCul30358 Active Base license count exceeds the allowed license count.

CSCul37463 Scheduled backup does not work on upgrading from previous version to 1.2.

CSCul45573 Network Access Device (NAD) config does not accept % in RADIUS shared secret/SNMP community string.

CSCul47387 Character limit should be increased for policy rule name.

CSCul53156 Device Registration page is blank when used with AddTrust certificates.

CSCul56940 Endpoint profiling is incorrect when two Cisco or Linksys routers are connected to a Multi-Domain Authentication (MDA) port.

CSCul65329 ADclient cache is not cleared via the application configure ise command.

CSCul82600 Unable to delete custom attribute even after deleting the linked authentication policy.

CSCul86934 On executing the reset-config command, ISE Secure Shell (SSH) sessions are allowed only from allowed Internet Protocol (IP) access subnets.

CSCul88799 Cisco Integrated Management Controller (CIMC) KVM console displays “Out of Range” against a green background, on entering the “terminal length X” command.

CSCul92356 Devices registered by Guest users fall into the Unknown group.

CSCul94611 ISE Dashboard fails to display live consolidated and correlated statistical data.

CSCul94858 Certificate Revocation List (CRL) retrieval does not use globally configured proxy server.

CSCul95195 Custom Supplicant Provisioning Wizard (SPW) for Telstra RADIUS proxy with differentUserName and nonBroadCast options unchecked.

CSCul96935 An hour difference between Graphical User Interface (GUI) and Command Line Interface (CLI) during daylight savings time.

CSCum05014 ISE does not display endpoint profiling policies in the Graphical User Interface (GUI).

CSCum41336 ISE reports fail on Network Control System (NCS) platform cross launch.

CSCum41378 Static profile assignments to an endpoint Identity group for some devices are removed resulting in device reprofiling.

CSCum46269 Active endpoints count on the dashboard does not match the actual active endpoints, when there is a surge of endpoints.

CSCum48676 ISE 1.2 does not display information in the System Summary Applet on the dashboard if the Logging Category is set to a severity level other than INFO.

CSCum49249 External RESTful Services (ERS) Application Programming Interface (API) does not list all endpoints as specified in the Software Development Kit (SDK) guide.

CSCum53319 Diagnostics for failure to download the Certificate Revocation List (CRL) should be precise.

CSCum58581 MAC OSX 10.9 device is not redirected to the Bring Your Own Device (BYOD) flow when using the guest device registration page.

CSCum60924 Extensible Authentication Protocol (EAP) chaining mode does not allow more than one value for the EapAuthentication attribute.

CSCum68149 The Live Authentication Report page does not display the accurate currenttime and currentdate attributes.

CSCum69229 Create Random Accounts setting using Google Chrome does not display the desired results.

CSCum70441 Incorrect value is displayed for the GET request sent to find the total internal users in ISE External RESTful Services (ERS) Application Programming Interface (API).

CSCum72386 Endpoints delete all confirmation messages when “No” button is deactivated.

CSCum73765 Profiling with SNMP v3 Query fails when triggered by SNMP trap/RADIUS Accounting probe.

CSCum86183 Notifications for license expiry alarm are received from deregistered nodes.

CSCum86331 ISE does not allow comma in Organizational unit name (OU) or Organization name (O) fields when creating a Certificate Signing Request (CSR).

CSCum95069 Inline Posture Node (IPN) sends only username for authorization when Extensible Authentication Protocol (EAP) chaining is configured.

CSCun00882 ISE does not create logs of erroneous usernames in the sponsored guest portal.

CSCun21197 In a simple authentication condition, if the operator “Ends with” or “Not ends with” is used, it is not saved properly.

CSCun23340 Randomly created guest users are not displayed in Firefox.

CSCun23357 Uploaded guest users are not displayed in Firefox.

CSCun25832 Unable to activate expired guest accounts.

CSCun28218 ISE: Java Memory Leak outside of Heap space.

CSCun31175 Registered endpoint report does not include manually added devices.

CSCun33755 Unable to create the required number of Guest accounts from the sponsor portal.

CSCun33774 The status of a new guest user account that is created in the sponsor portal is Active instead of Awaiting Initial Login.

CSCun42967 ISE 1.2: The SNMP process stops randomly.

CSCun45607 ISE incorrectly authenticates users based on the authorization PAC file.

CSCun46242 Deletion of the Thawte Primary Root CA from ISE results in failure of provisioning and posture updates.

CSCun48940 ISE Radius authentication over Gig1 stops if Gig0 is down.

CSCun53951 ISE presents self-signed certificate instead of CA-signed certificate.

CSCun57304 The KRON command is not working for backup logs.

CSCun59740 ISE 1.2: Only 5000 entries are displayed when viewing Guest Live reports.

CSCun81620 Editing a guest condition in PAN applies the same changes to the previous condition.

CSCun89615 ISE duplicate attributes cause failure to locate network devices.

CSCun89771 Running ISE reports for 30 days generates only up to 100 pages.

CSCun92193 In Certificate Authentication Profile (CAP), ISE selects incorrect information from the SAN field for multiple entries.

CSCun94882 ISE 1.2: Change of Network Device Group name does not reflect in CSV export.

CSCun95554 The monitoring node stops logging for email notification configured on ISE.

CSCun96746 ISE self registering guest users do not inherit specified time profile.

CSCun97251 ISE 1.1.4: Cannot find machine with DNS suffix which does not exist on the Domain Controller Group List.

CSCun98217 Cross-Domain referer leakage in Admin portal.

CSCuo00404 ISE 1.2: ACL syntax checker is incorrect.

CSCuo05180 Cannot authorize external certificate authenticated users by using the device's identity group as an “other condition”.

CSCuo05345 Cannot match an Authorization policy rule configured with an “other condition” of IdentityGroup:Name.

CSCuo14398 ISE 1.2: ISE disregards the current password policy when editing an internal user.

CSCuo14953 ISE: MobileIron MDM test connection passes but Save fails.

CSCuo16506 Internal users cannot change their password in the guest portal.

CSCuo19521 Repository in the WebGUI with special characters fails.

CSCuo24274 SNMP should run on all interfaces, not only on Gig0.

CSCuo24384 ISE: Guest:Mobile Portal in Custom portals does not follow browser local language.

CSCuo39832 ISE takes IP address from same subnet and has incorrect ARP entries.

CSCuo41482 GUI admin Active Directory (AD) login fails with HTTP error 500.

CSCuo41713 Identity Services Engine (ISE) 1.2: Installation of patch 5 in distributed deployment caused first time login users to go active.

CSCuo54987 Identity Services Engine (ISE) does not drop Radius packet if value is too large for database.

CSCuo58786 Authentication, authorization, and accounting (AAA) services not available during purging of guest users.

CSCuo60767 Identity Services Engine (ISE) UTF-8 character encoding displayed garbage characters on screen for profiler attribute.

CSCuo62245 Failed to purge data from the operations database.

CSCuo63358 Incorrect success message being displayed, when provisioning Apple iOS Device through supplicant portal in Bring Your Own Device (BYOD) SSID.

CSCuo64251 Unable to manage ISE AD user device as it does not show up in “My Devices” portal.

CSCuo66847 When a user edits a saved scheduled report, it ceases to exist.

CSCuo67423 Reconfiguring the IP address of an iPEP node with the service IP that was previously used results in missing tabs in high availability configuration.

CSCuo68012 ISE services fail to start when time zone is set to Asia/Riyadh89.

CSCuo78051 A custom portal setting is saved but the configured setting fails to reflect in the GUI.

CSCuo78457 An SNMP probe that is configured to match a profile using the “CONTAINS” operator fails.

CSCuo78949 Changing the password policy in the GUI of Primary PAP server does not change the password policy in the iPEP server.

CSCuo79012 Unable to support SNMP triggered queries with NAD using iOS version with deprecated STACK-MIB.

CSCuo80929 A “value too large” error message is displayed for guest usernames with special characters.

CSCuo93398 Unable to integrate the Active Directory (AD) with ISE using the admin GUI.

CSCuo94313 Unable to pull Lightweight Directory Access Protocol (LDAP) groups for admin/service accounts containing the “+” sign in the password.

CSCuo95635 Change of Endpoint Device Group name appears correctly in the Identity Group Assignment option but fails in the Identity Group.

CSCuo95660 Endpoints exported to comma-separated values (CSV) file displays an incorrect endpoint device group name.

CSCuo97007 Failed to start database during initial setup for Identity Services Engine (ISE).

CSCuo99160 Identity Services Engine (ISE) 1.2: Failed registration and GUI error thrown when Policy Service Node (PSN) failed to ping Primary Administration Node (PAN) during registration.

CSCup03116 Identity Services Engine (ISE) 1.2: Editing NDG does not update AuthC/AuthZ conditions.

CSCup05013 Identity Services Engine (ISE) 1.2: p8 IOS-XE switch profiled as unknown endpoint.

CSCup08017 Accidental Ctrl + C should not break Restore/Upgrade during important operations.

CSCup15453 Identity Services Engine (ISE) Guest Sponsor Mapping Report causes CPU on primary MnT node to increase dramatically.

CSCup16700 Reset password does not check for valid user before asking for new password.

CSCup17245 “Value out of range” error displayed when editing a guest account.

CSCup20844 Identity Services Engine (ISE) NAC agent does not popup if machine and user authentication is connected to switch sw: 15.2(1)E.

CSCup22534 Multiple vulnerabilities in OpenSSL/CiscoSSL released during June 2014.

CSCup27305 Identity Services Engine (ISE) 1.2: DACL Validator does not enforce source must be “any”.

CSCup32455 Identity Services Engine (ISE) 1.2: Password for admin user detected in clear text in the file support\dbexport\ise-dbimport.sh.

CSCup38457 Importing guest account using comma-separated value (CSV) failed through sponsor portal.

CSCup42129 Swiss/posture INFO logs filling ise-psc.log and not moving to DEBUG level.

CSCup45530 Identity Services Engine (ISE) External RESTful Services (ERS): Cannot modify staticProfileAssignment field without specifying the endpoint's current profileId.

CSCup45594 Identity Services Engine (ISE): External RADIUS server is not persistent after failover.

CSCup47501 Identity Services Engine (ISE) 1.2.1: Inline Posture Enforcement (iPEP) node interface driver booting out of order with no response when cable remains plugged into interface Gig Etho.

CSCup47873 Identity Services Engine (ISE) upgrade failed due to LOB corruption.

CSCup55211 Identity Services Engine (ISE) 1.2: Mobile Device Management (MDM) input Validation with % in password cannot login.

CSCup57288 Bring Your Own Device (BYOD) DUAL SSID with native supplicant provisioning results in a second entry in the live authentication log.

CSCup57871 ERS cannot filter by username, if it is a number.

CSCup60155 Guest users are deleted when upgrading or restoring a backup from ISE 1.1.x to ISE 1.2.1.

CSCup64698 On IPN ISE 1.2, latency is caused by HDPARM process every 10 minutes.

CSCup67195 While upgrading from ISE 1.2 to ISE 1.2.1, upgrade failure occurs in Step 3 due to invalid certificate.

CSCup69753 After deleting a profile in Simple Certificate Enrollment Protocol (SCEP), an error message is displayed when the associated Registration Authority (RA) certificate is removed.

CSCup69985 ISE VM on which DB is restored is not accessible via SSH and GUI. Only ping and console are available.

CSCup72664 In ISE 1.2, the guest account time profile is reset to one day.

CSCup80194 ISE deletes VLAN to SGT mappings while deploying IP-to-SGT mapping.

CSCup88564 Use a different name for a newly created time profile.

When the old time profile is deleted, you cannot reuse the same time profile name for a newly created time profile.

CSCup89812 Upgrade from ISE 1.1.2 to ISE 1.2 fails because of posture rules.

CSCuq11966 Multi-nested custom profiles cannot be created.

CSCuq14441 Replication fails on deployment when custom portal is deleted.

CSCuq17787 ISE crashes when the value of Type Field Length is set to 2.

CSCuq22514 In ISE 1.2, when the authorization and authentication policies are set to Monitor Only mode, the details of the policy names are not displayed.

CSCuq22636 ISE does not ask for LLDP attributes for triggered RADIUS or SNMP traps.

CSCuq24719 When upgrading to ISE 1.2 Patch 9, account start time is not updated in Sponsor portal.

CSCuq32696 ISE Policy Service Node (PSN) removes proxy-state attributes from Inline Posture Node (IPN/IPEP).

CSCuq35206 In ISE 1.2, the shutdown command is present in the running configuration of the interface while the interface is operational.

CSCuq35663 Attribute retrieval for a user fails when AD sends back photo thumbnail.

CSCuq39743 Importing guest users on ISE using sponsor bypasses mandatory fields.

CSCuq40153 Quick filter option does not work when it is used to search endpoint profiles using a MAC address.

CSCuq43889 IP address learned from SNMP query should trigger DNS probe.

CSCuq45219 Renewing Ticket Granting Ticket (TGT) fails if there are Read Only (RO) domain controllers.

CSCuq48588 Replace cross-signed thawte Primary Root CA with its normal version.

CSCuq52277 Error occurs when there are too many node entries in Subject Alternative Name (SAN) field in CA certificate.

CSCuq53846 A user logging in with an expired guest account is redirected to the default Cisco branded portal without displaying an error message.

CSCuq64817 DB import fails in ISE 1.2.

CSCuq83249 After upgrade from ISE 1.2 Patch 8 to ISE 1.2.1 Patch 1, guest user authentication fails if they log in after the time profile validity time.

CSCuq85679 Change of Authorization (CoA) is not sent from ISE to Wireless LAN Controller (WLC) for guest users.

CSCuq85955 For an LWA deployment, ISE sends CoA disconnect with empty session ID.

CSCuq86420 Triggered SNMP Query via Radius traps not working.

CSCuq90710 Posture policies are not listed after creation.

CSCuq92558 PSNs move to Replication Stopped state when the application server does not start normally.

CSCuq92574 In ISE 1.2.1, Bring Your Own Device (BYOD) profile installation fails.

CSCuq93969 Authorization profile using CWA returns to default when static host is used.

CSCuq95245 ISE 1.2, CoA fails when guest credentials are suspended in the Sponsor portal.

CSCuq96971 In ISE 1.2.1, Framed-Pool attribute is not available in the authorization profile.

CSCuq97996 MyDevices portal does not display MAC addresses added by the AD user.

CSCur00110 Sponsor login fails when child user group is added as a guest in the sponsor group.

CSCur03113 Local Web Authentication (LWA) language template is corrupted after upgrading to ISE 1.2.1.

CSCur07303 ISE GUI 1.x (except ISE 1.3) does not allow importing more than 100 custom portals.

CSCur09231 In ISE 1.2.1, if a sponsor account is configured to use Account Start Date, the sponsor creates an account even after that date.

CSCur09439 SCEP EAP-TLS flow on OS X 10.9.5 fails to install the profile or provision certificate.

CSCur11055 When running ISE 1.2.1, MNT Livelog does not display logs.

CSCur11083 MNT Livelog displays incorrect user details.

CSCur12480 In ISE 1.2.1 guest flow, redirection to the guest portal via PlayStation 3 browser fails.

CSCur19320 Sponsor users who are not granted privileges are able to view and edit guest accounts using the search criteria.

Open Agent Caveats

Table 40 Cisco ISE, Release 1.2, Open Agent Caveats

Caveat Description

CSCti60114 The Mac OS X Agent 4.9.0.x install is allowing downgrade

The Mac OS X Agent is allowing downgrades without warnings.

Note Mac OS X Agent builds differ in minor version updates only. For example, 4.9.0.638 and 4.9.0.637.

CSCti71658 The Mac OS X Agent shows user as “logged-in” during remediation

The menu item icon for Mac OS X Agent might appear logged-in before getting full network access.

The client endpoints are connecting to an ISE 1.0 network or NAC using device-filter/check with Mac OS X Agent 4.9.0.x.

Workaround Please ignore the icon changes after detecting the server and before remediation is done.

CSCtj22050 Certificate dialog seen multiple times when certificate is not valid

When the certificate used by the agent to communicate with the server is not trusted, the error message can be seen multiple times.

Workaround Make sure you have a valid certificate installed on the server and that it has also been accepted and installed on the client.

Note The additional certificate error message is primarily informational in nature and can be closed without affecting designed behavior.

CSCtj31552 Pop-up Login windows option not used with 4.9 Agent and Cisco ISE

When right clicking on the Windows taskbar tray icon, the Login option is still present, but is not used for Cisco ISE. The login option should be removed or greyed out.

Workaround There is no known workaround for this issue.

CSCtk34851 XML parameters passed down from server are not using the mode capability

The Cisco ISE Agent Profile editor can set parameter modes to merge or overwrite. Mac OS X agent is not processing the mode correctly. Instead, the complete file is overwritten each time.

Workaround To use a unique entry, the administrator must set up a different user group for test purposes, or set the file to read only on the client machine and manually make the necessary changes to the local file.

CSCtl53966 Agent icon stuck on Windows taskbar

The taskbar icon should appear when the user is already logged in.

Workaround Right-click on the icon in the taskbar tray and choose Properties or About. After you close the resulting Cisco NAC Agent dialog, the taskbar icon goes away.

CSCto33933 Login Success display does not disappear when user clicks OK

This can occur if the network has not yet settled following a network change.

Workaround Wait a few seconds for the display to close.

CSCto45199 “Failed to obtain a valid network IP” message does not go away after the user clicks OK

This issue has been observed in a wired NAC network with IP address change that is taking longer than normal. (So far, this issue has only been seen on Windows XP machines.)

Workaround None. The user needs to wait for the IP address refresh process to complete and for the network to stabilize in the background.

CSCto48555 Mac OS X agent does not rediscover the network after switch from one SSID to another in the same subnet

Agent does not rediscover until the temporary role (remediation timer) expires.

Workaround The user needs to click Complete or Cancel in the agent login dialog to get the agent to appear again on the new network.

CSCto63069 The nacagentui.exe application memory usage doubles when using “ad-aware”

This issue has been observed where the nacagentui.exe memory usage changes from 54 to 101MB and stays there.

Workaround Disable the Ad-Watch Live Real-time Protection function.

CSCto84932 The Cisco NAC Agent takes too long to complete IP refresh following VLAN change

The Cisco NAC agent is taking longer than normal to refresh IP address due to double IP refresh by supplicant and NAC agent.

Workaround Disable the Cisco NAC Agent IP address change function if there is a supplicant present capable of doing the same task.

CSCto97486 The Mac OS X VLAN detect function runs between discovery, causing a delay

VLAN detect should refresh the client IP address after VLAN detect interval (5) x retry detect (3), which is ~30 sec; however, it is taking an additional 30 sec.

This issue has been observed in both wired and wireless deployments where the Cisco NAC agent changes the client IP address in the compliant or non-compliant state because the Mac OS X supplicant cannot.

An example scenario involves the user getting a “non-compliant” posture state where the Cisco ISE authorization profile is set to Radius Reauthentication (default) and session timer of 10 min (600 sec). After 10 min the session terminates and a new session is created in the pre-posture VLAN. The result is that the client machine still has post-posture VLAN IP assignment and requires VLAN detect to move user back to the pre-posture IP address.

Workaround Disconnect and then reconnect the client machine to the network.


CSCtq02332 Windows agent does not display IP refresh during non-compliant posture status

The IP refresh is happening on the client machine as designed, but the Agent interface does not display the change appropriately (for example, following a move from preposture (non-compliant) to postposture (compliant) status).

Workaround There is no known workaround for this issue.

CSCtq02533 The Cisco NAC Agent takes too long to complete IP refresh following VLAN change

The Cisco NAC agent is taking longer than normal to refresh IP address due to double IP refresh by supplicant and Cisco NAC agent.

Workaround Disable the Cisco NAC Agent IP address change function if there is a supplicant present capable of doing the same task.

CSCts80116 OPSWAT SDK 3.4.27.1 causes memory leak on some PCs

Client machines that have version 8.2.0 of Avira AntiVir Premium or Personal may experience excessive memory usage.

Note This has only been observed with version 8.2.0 of Avira AntiVir Premium or Personal. Later versions of the application do not have this issue.

Workaround Install a later version of Avira AntiVir Premium or Personal.

CSCty02167 IP refresh fails intermittently for Mac OS 10.7 guest users

This problem stems from the way Mac OS 10.7 handles certificates. Marking the certificate as “trusted” in the CWA flow is not good enough to download the java applet required to perform the DHCP refresh function.

Workaround The Cisco ISE certificate must be marked as “Always Trust” in the Mac OS 10.7 Keychain.

CSCub62836 In Live Authentication page, certain UTF-8 characters do not display correctly

This only happens for a very limited set of characters.

Workaround Use the RADIUS Authentications report instead to view the same information correctly.

CSCul10891 Upgrade from earlier version of NAC Agent to version 4.9.0.1013 fails to launch Agent popup

After upgrading to NAC Agent version 4.9.0.1013 on Windows 8 or Windows 8.1 64-bit clients, the upgraded Agent might not launch automatically.

Workaround If the Agent does not launch automatically, then manually double-click the NAC Agent UI shortcut on the desktop to launch the Agent.


Cisco ISE, Release 1.2.1, Resolved Caveats

The following table lists the resolved caveats in Cisco ISE, Release 1.2.1.

CSCum88173 Minimum compliance module version required for configuring SEP 12.1.x definition check on Mac OS is 3.6.8616.2 and not 3.6.8501.2.

The minimum Compliance Module version required for configuring AV check in NAC support charts for Symantec Endpoint Protection (SEP) 12.1 for Mac OS is displayed as 3.5.8501.2. However, the version 3.5.8501.2 has issues in detecting the definition date/version for SEP 12.1.x on Mac OS. As this issue is addressed in Compliance Module 3.6.8616.2, administrators need to use 3.6.8616.2 as the minimum Compliance Module needed for detecting SEP 12.1 definitions on Mac OS.

CSCun60071 UI not visible for application launched by NAC agent during remediation

When Cisco ISE is configured to launch an application as a remediation, the application is launched and appears in the task manager, but its UI is not visible to the user, irrespective of whether the user is logged in as admin or not. Because the Launch program remediation feature is modified from user privilege to system privilege, NAC Agent allows UAC Elevation for all Launch program remediation actions.

For more details, refer to CSCun60071.

CSCtw50782 Agent hangs awaiting posture report response from server

The issue occurs with Mac OS X 10.7.2 clients.

Workaround Kill the CCAAgent process and then start CCAAgent.app.

Perform the following:

1. Go to Keychain Access.

2. Inspect the login Keychain for corrupted certificates, like certificates with the name “Unknown” or without any data.

3. Delete any corrupted certificates.

4. From the pull-down menu, select Preferences and click the Certificates tab.

5. Set OCSP and CRL to off.

CSCty51216 Upgrading Mac OS X Agent version 4.9.0.638 to later versions fails.

Workaround

1. Remove the “CCAAgent” folder from temporary directory

2. Reboot the client

3. Connect to Web login page and install the Agent from there


Table 41 Cisco ISE, Release 1.2.1, Resolved Caveats

Caveat Description

CSCtx94533 The Endpoint DeviceRegistrationStatus Attribute Always Shows “Pending”

CSCty01787 Error in Generating XML Output for EndPointIPAddress API

CSCty87291 Admin Web Portal Requests ID certification When It’s Password authentication-only

CSCua69331 IE 8 + ChromeFrame BHO - CWA authorization profiles not displaying correctly.

CSCub18575 Problem with sponsor accounts starting with a "0"

CSCud38634 Guest sponsor details shows wrong sponsor name.

CSCud70219 Log.xml files are not cleaned out regularly.

CSCud70397 Need support SCSI controller (VMware Paravirtual) for VMware install.

CSCud89273 Passed Numbers Not Appearing on Authentications Dashlet

CSCue14864 Endpoint statically assigned to ID group may appear in different group

CSCue98728 No indication of character limit for 'Configure Email Notification' box

CSCuf24898 ISE repository max password length 16 characters.

CSCuf47491 Timestamp of core files not preserved in support bundle.

CSCuf76821 .trc and .trm files are not cleaned out regularly.

CSCug20065 Unable to enforce RBAC as desired to a custom administrator.

CSCug59579 Windows 8 not included in Client Provisioning

CSCug90502 ISE Blind SQL Injection Vulnerability.

CSCug96069 Replication status update fails for all nodes if the network is restored on PAP.

CSCuh01760 Misconfigured NAS criteria needs to be changed

CSCuh14228 Internal administrator summary report export not working

CSCuh15572 Invalid license file, possibly license file has expired or is corrupt.

CSCuh20322 Need ISE application server restart reason and timestamp

CSCuh23536 RADIUS drop should have last event timestamp

CSCuh25506 Cisco ISE CSRF Vulnerability

CSCuh25868 Authorization: re-editable text/string condition limited to 16 characters

CSCuh30587 Backup fails due to ISE restart

CSCuh36333 Successful DACL download authentication is counted under authentication dashlet

CSCuh38253 IP columns sorts on char instead on num on.

CSCuh41450 IP Columns Sort on Char on Network Devices Page

CSCuh44972 DenyUsers oracle statement removed during upgrade.

CSCuh45239 Node Status Patch page does not refresh automatically

CSCuh56170 MCPSS Mnt DB Sanity Check failed during upgrade from 1.1.2.145 to 1.2.

CSCuh56278 Local Web Authentication (LWA) Guest access by iOS 6 devices on ISE 1.2 fails

CSCuh65084 Scroll issue for small screens on Live Log page

CSCuh79596 Freshly Installed Standalone ISE Server Not Logging MDM Events

CSCuh81511 ISE remote command execution


CSCuh84099 ISE should verify non-printable characters in x.509 certs

CSCuh88637 Method “getAlarmsOccuredAfter” throws exception

CSCuh95845 After internal password change policies using NA conditions match default Policy.

CSCui02984 Sponsor authentication failed for Active Directory user with Sponsor_Portal_Sequence.

CSCui14093 Oracle Critical Patch Update

CSCui15038 ISE HTTP control interface for NAC Web Agent XSS Vulnerability

CSCui15042 BYOD Stress causes MNT to stop reporting current Authentication Sessions

CSCui15064 Certain ISE Reports Vulnerable to XSS Injection

CSCui15354 ISE should remove ENDSW operators

CSCui15633 Sponsor portal login fails for some users

CSCui16528 Wrong service selection for NDAC Policy

CSCui21439 Message code texts are blank or incorrect

CSCui22884 ISE presents wrong HTTPS certificate

CSCui23231 Certain custom ISE reports cannot be exported

CSCui26708 ISE node to node HTTP Basic Authentication username and password logged

CSCui30266 ISE MDM Portal Cross-Site Scripting Vulnerability

CSCui30275 Component of the administration page of the Cisco Identity Services Engine (ISE) was vulnerable to a cross-site scripting (XSS) attack

CSCui34389 RADIUS accounting drop is not suppressed, flooding live log.

CSCui36160 Whitelist and expiration notification.

CSCui36643 ISE Editing schedule report complains of existing report name in use.

CSCui38818 ISE 1.2 NFS repository configuration has extra colon after upgrade

CSCui40950 Guest login takes long time and times out.

CSCui42788 Exporting of imported profile policy results a garbled description.

CSCui44324 Backup task can't be configured in ISE 1.2 UI.

CSCui45891 Upgrade logs are missing in ADE.log after upgrade failed

CSCui46739 Guest applet fails after update to Java 7 update 25.

CSCui48779 Clicking ‘Undo Latest’ on Feed Service page does not clean up rules in some conditions.

CSCui48781 NSF Rule with complex condition - names are not unique per service

CSCui56071 ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates

CSCui57100 EAP-TLS auth fails with two sets of CRLs because CRL signature decrypt failed

CSCui57152 Endpoint Policy not updated for endpoints added using ERS API

CSCui57374 ISE iPEP Invalid RADIUS Authenticator error during high load

CSCui57882 Some expired guest accounts cannot be deleted from PDP

CSCui57933 Purge expired guest accounts does not work


CSCui57961 When editing an expired guest account that cannot be deleted, logs out.

CSCui58123 Upgrading to 1.2 with "Select Condition" in Posture Requirements

CSCui58390 Multiple names in SAN Field and ISE choose value randomly.

CSCui59370 Upgrade fails on Guest update sponsor user: email is null

CSCui62290 Develop REST APIs for ISE MnT alarms

CSCui65530 Upgrade failed with DuplicateEntityException for TimeProfile

CSCui67495 Uploaded Filenames/Content Not Properly Sanitized

CSCui67511 Certain File Types are not Filtered and are Executable

CSCui71484 ISE SEC PAP has write access via ERS API

CSCui72269 ISE unable to understand SNMP attribute coming from Switch.

CSCui72330 HTML comments disclose potentially sensitive information

CSCui72658 Guest Portal cookies not set as Secure or HTTP Only.

CSCui74478 Self Service Flow checking for email address

CSCui74496 Domain Names should be validated before saving the Portal settings

CSCui74678 Getting Account Expiration Notification too early for the Guest accounts

CSCui75335 ISE 1.2 NAC agent fails posture due to ‘NAC Server not available.’

CSCui75669 Endpoint update calls from guest-portal causing replication issues

CSCui76932 Unable to Save Notification details while creation of Time Profile

CSCui77336 Customized URL ISE self registration not working.

CSCui78135 On Alpha Alarms Still Show Up When We Select All and Acknowledge

CSCui78802 Usability issues while validating security defect

CSCui78849 Warning message should be more meaningful while creating Time Profile

CSCui80340 Partner MDM performance improvements

CSCui81442 Domain Validation should be Case Insensitive

CSCui81825 Unable to Save Notification details while editing Sponsor Lang template.

CSCui82674 Unable to save and modified edited endpoint with Base license ONLY

CSCui82998 Custom Guest Portal Loops after AUP Due to Loss of Session ID

CSCui83009 Unable to push compliance module to NAC agent on Macs.

CSCui89741 ISE ERS API creates endpoint with invalid format MAC address.

CSCui90286 Able to create TimeProfile even though Notification time > duration

CSCui94488 MyDevice Portal allows endpoints with static endpoint ID group other than RegisteredDevices.

CSCui96322 Default Guest Portal Email Address Limited to 24 Characters

CSCui96960 MNT Livelog/Dashboard performance.

CSCuj01781 ISE uses SAN of user certificate for machine lookup in Active Directory

CSCuj03071 EndPoint update not being saved to PAP due to high latency


CSCuj03131 Lower "Request Rejection Interval" minimum to 5 minutes

CSCuj03697 Allow Tunnel attributes in policies

CSCuj03811 No suppression for misconfigured NAS when errors are alternating

CSCuj04748 Original URL preservation for BYOD provisioning and Guest flows

CSCuj05295 ISE App server crashed and stuck in initialized state with "null" in collection filter

CSCuj07535 IP Address Change is Not Recorded in Endpoint Profile on ISE 1.2

CSCuj09430 Guest account is not working according to its Time Zone

CSCuj11040, CSCum97337 ISE Should Not Degrade a Profile Based on Problematic User-Agent

CSCuj11855 ISE gives little debugs when SCEP fails for Windows-related reasons

CSCuj13804 IE8 gives error on ISE1.2 when accessing the provisioning portal

CSCuj14382 Cannot statically assign IP address as FramedAddress

CSCuj15372 Authentications fail with MDM authentication rules enabled

CSCuj16049 HA Licensing

CSCuj17272 Upgrade from 1.1.3 to 1.2 breaks identity source sequence instances

CSCuj19602 Sponsor portal banners do not work on upgraded ISE

CSCuj19882 Unable to edit the existing Guest accounts after restoring old backup

CSCuj23727 Change in iOS 7 user-agent string for an iPod Touch breaks its BYOD flow

CSCuj25038 ERS Service Disabled After Reboot

CSCuj26086, CSCuj80131 ISE Client Provisioning - NSP does not launch on Safari 7 (Mac OS X 10.9)

CSCuj26495 Restricted Characters in Policy Names carried forward after upgrade.

CSCuj28447 Endpoint statically assigned to ID group may appear in different group

CSCuj28968 Guest Activity Report is not working

CSCuj34004 User name change detected for the session removes all session attributes

CSCuj36104 ISE does not allow CRL when the name is the same on two Certificate Authorities

CSCuj36310 “@” Character Not Accepted in Wireless SSIDs Fields

CSCuj38204 ISE does not allow access for guest with no webagent if posture is configured

CSCuj39926 Kaspersky remediation does not appear anymore in the AV remediation

CSCuj45431 ISE Support for Mac OS X 10.9 NAC Agent

CSCuj45766 Add/Remove MDM server never got replicated to PSNs in distributed deployment

CSCuj47806 ISE redirects to default guest pages when it’s configured to redirect to custom pages

CSCuj48111 Hyphen and minus sign can't be entered as first or last name

CSCuj49903 Downloading / viewing large logfiles from PDP causes out of memory error

CSCuj51094 Captured TCPDump file is not working

CSCuj52520 Unable to login to CLI after ISE upgrade


CSCuj54630 ISE 1.2 patch 2 is rejecting https cookies from the Mobile Iron Server

CSCuj57335 Egress Matrix: require default SGACL that includes log option

CSCuj60796 ISE Support for IE 11

CSCuj61976 Admin UI fails to display certain UI pages when using Firefox 25

CSCuj62239 Rollback in case of upgrade failure is not cleaning temp tables, indexes

CSCuj63046 Text fields impose 24 character limit during guest self-registration

CSCuj63053 Cfg.xml,CM download doesn't happen if CP rule is Win8.1 Specific

CSCuj63516 Denial of Service Vulnerability exists in OpenSSH version

CSCuj65306 Cisco ISE 1.2 upgrade fails due to shared memory allocation failure

CSCuj65586 Need to optimize the way records are displayed in RADIUS Drop counters

CSCuj66093 86017 Error page sessionExpired.jsp images links are invalid

CSCuj70022 EAP-FAST authenticated provisioning with Android doesn't work

CSCuj71439 Cisco ISE REST API - changing username returns password error

CSCuj72022 Cannot use "Ends With" operator in a Posture condition on ISE

CSCuj82378 Downloaded captured TCP dump file for remote node is not of proper size

CSCuj82836 Manual CoA - Re-authorization is not working

CSCuj84194 Cisco ISE sometimes does not send DACL in authorization profile

CSCuj84427 Cisco ISE 1.2 Admin password alerts not functioning properly

CSCuj86717 Dot1x endpoint fails authentication with Reject Requests After Detection

CSCuj88222 Upgrade should check for CA certificates corruption

CSCuj88888 ISE 1.1.4 patches fail machine authentications in disjointed ActiveDirectory namespaces

CSCuj90823 Guest Portal: IP Refresh Failing in IE 11

CSCuj91050 Creating Guest users shows incorrect timezone 'GMT+2 ECT'

CSCuj91461 ISE 1.2 backup on host A, restore on same version on host B breaks database listener

CSCuj91764 Pre-upgrade checks

CSCuj95588 Reach context limit when multiple conversations use Tunnel attributes

CSCuj95908 Cisco ISE does not do domain stripping for Active Directory external store

CSCuj97669 DNS Resolution Failed for CNAME: "hostname" from the ISE node "hostname"

CSCuj97832 Cisco ISE hard disk filling up

CSCuj98726 iOS devices bypass account suspension/lock by starting new EAP session

CSCuj99951 Avaya Phones profiled as unknown

CSCul02821 MDM attributes doesn't update to Endpoint objective

CSCul02860 Struts Action Mapper Vulnerability

CSCul03127 Struts 2 Dynamic Method Invocation Vulnerability

CSCul03597 LDAP User Authorization Doesn't Work with EAP-FAST Chaining


CSCul03621 Endpoint Profiling Information is not being replicated correctly

CSCul06431 Active Directory attribute value in ATZ profile is not sent

CSCul06937 Do Sync check before upgrade of secondary PAP

CSCul09815 Upgrade should not proceed if node role type cannot be detected

CSCul10677 ISE 1.2 CWA Failure Reason 86017

CSCul13757 Audit records MUST log to External Syslog Servers: CLI log level

CSCul13805 Audit records MUST log to External Syslog Servers: HTTPS idle timeout

CSCul13812 Audit records MUST log to External Syslog servers: SSH publickey

CSCul13883 Audit records MUST log to External Syslog servers: SSH KEX Group14

CSCul13905 Audit records MUST log to External Syslog Servers: CLI clock set

CSCul13946 Audit records MUST log to External Syslog servers: Purge M&T Data

CSCul15967 ISE 1.2 Patch 3 Windows 8.1 CPP OS Detection Failure in Distributed Setup

CSCul16300 Audit records MUST log to External Syslog servers: CLI idle timeout

CSCul18169 Blocking ISE admin UI access for Chrome browser

CSCul18521 Audit records MUST log to External Syslog servers: VGA CLI AUTHC

CSCul18555 Audit records MUST log to External Syslog servers: SSH conn fail

CSCul20850 Port Patch 5 Guest changes to Patch 4

CSCul21337 The Posture Troubleshooting tool was vulnerable to blind SQL injection.

CSCul23070, CSCul23252 Audit records MUST log to External Syslog Servers: SSH exit forceout

CSCul25066 ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service

CSCul25956 Upgrade from 1.2 to 1.2.1 timeout and fail when previous upgrade fails

CSCul29344 ISE 1.2 HTML Custom Pages for Different Portals Not Working

CSCul29647 Cisco ISE 1.2 upgrade disables Cisco Root certs if they were installed before Cisco ISE 1.2

CSCul35820 ISE Guest Registration Breaks with Apple IOS7 User Name as Email Address

CSCul39011 The Mobile Device Management (MDM) client failed to reject queries when MDM server was not responding.

CSCul42307 Upgrade fails when local disk fills up due to core dumps

CSCul42646 Failed to create Posture Condition with "NOT ENDS WITH" Operator

CSCul43926 Difficulty in reading the catalina.log.

CSCul46893 URL preservation not working with self service guest user in MAB flow

CSCul48352 Right-Click - Copy to MAC and Username in Live Log

CSCul50495 Device Registration failed with Cisco Catalyst 3850 Switch

CSCul50720 Samsung Galaxy S4 cannot be on-boarded in dual SSID flow

CSCul55934 Cisco ISE 1.2 Cannot Delete Guest Users Created Using Unavailable Timezone Setting


CSCul57506 Restore process breaks Report functionality and UI Purge

CSCul58758 Redirected to null page in the browser after Local Web Authentication (LWA) flow with WLC-5500 series.

CSCul58895 Cisco ISE 1.2 Patch 3 StartEnd time profiles do not work for guest import

CSCul62175 ISE BYOD enhancement troubleshooting for SCEP

CSCul62723 Mobile Guest Portal: Success page redirects to http://10.86.149.92

CSCul65045 Cannot create/edit network device if advanced license expired

CSCul66218 Posture delays due to HTTP thread exhaustion

CSCul66272 Terminate Change of Authorization during Posture for Unknown User-agent DynGate

CSCul69350 Cisco ISE 1.2.0 CFG database restore in Cisco ISE 1.2.1 fails

CSCul71176 Endpoints manually assigned to identity groups might change groups randomly

CSCul71245 ISE Authorization with certificate serial number broken in 1.2 patch 2

CSCul71532 XML external entity injection found under ERS

CSCul77732 Warning message while creating Guest user with hyphen in Self Registration

CSCul77793 Scheduled Reports Not Exported When Using Illegal Character as a Report Name

CSCul80050 Upgrade failed from Cisco ISE 1.1.3 to Cisco ISE 1.2.1

CSCul82658 “Strip prefixes listed below” for Active Directory in GUI is a typo

CSCul84544 Retrieval of Active Directory Groups or Attributes from GUI is Failing

CSCul86970 GUI does not display the Allow only listed IP addresses option to connect.

CSCul87279 ISE 1.2 Patch 5 through GUI not pushed to secondary nodes in the deployment

CSCul87300 Special Character in LDAP password is not read correctly by ISE

CSCul96698 Observed NullPExc intermittently while accessing create Guest Rest API

CSCul96763 Guest users are getting created with special characters through Rest API

CSCul97050 Issue with input validation for language Notification tag - Guest REST API

CSCum01290 MDM Integration Not Working With ISE 1.2 Patch 3 and Patch 4

CSCum05562 Change of authorization (CoA) failed with Policy Sets.

CSCum10047 Invalid Account Date When Changing Account Duration

CSCum13453 ISE SYSLOG Parsing Failure when Forwarding to Third-Party SYSLOG

CSCum26362 Authentications Details are Missing All the Required Data

CSCum29186 With Account Creation Time Zone Change Not Reflecting New Updated Allowed Time

CSCum37237 Insufficient permission error with bulk import of guest account.

CSCum37742 Randomly generated guest users allowed to log in after getting expired

CSCum40721 Optional Data Field Not Matching in Authorization Rules

CSCum54099 ISE Does Not Send Sponsor-related syslog Message to External syslog Server

CSCum57372 NAS identifier does not appear in the authentication details in the web UI.


CSCum60054 Unable to download catalina.out logs from GUI

CSCum60501 Undefined is displaying in GUI instead of Log file name

CSCum60627 Client EAP Sessions Never Get Cleared

CSCum69410 ISE 1.2 CWA with DRW Included Doesn't Register Endpoint

CSCum77223 Increase Maximum Login Failures for Guest

CSCum79002 Upgrade Validation check to PKIX path building failed

CSCum82400 ISE 1.2 Posture upgrade failure

CSCum82815 Acceptable Use Policy Page Shouldn't Be Presented if ISE Knows Session is Expired on Login

CSCum82829 Cisco-branded Expiration Page Presented on Custom Portal

CSCum85487 Data Purging audit report is not exporting

CSCum85930 ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect

CSCum86347 ISE Guest Start and Expiration Dates Don't Reflect Sponsor Portal Time Zone

CSCum88817 ISE 1.2 Logs Filled with Unnecessary License Validity Info

CSCum92155 ISE REST API (ERS) - PUT Update Request Removes identityGroups Value

CSCum94858 Guest Sponsor Mapping report truncates the username.

CSCum96035 Guest custom portal password change does not have error handling

CSCun00215 ISE RSA Agent Exhausted Under Heavy Load

CSCun00427 ISE 1.2 match operator return true when LHS is NULL and RHS is constant

CSCun02007 iPEP exhibits slow data transfer rate and packet loss with traffic bursts when using iPEP routed mode.

CSCun04863 ISE sent alarms for expired advanced evaluation licenses.

CSCun08410 Guest Account’s Start and End Time Validated Against System Time Zone

CSCun11240 Guest Sponsor Mapping Report Incorrectly Changes Sponsor

CSCun15601 Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail

CSCun25178 Fetching Group Information Takes a Long Time Because of SIDHistory

CSCun25815 ISE 1.2 marks DCs as 'Dead' while doing a 'CAPILdapFetch'

CSCun28502 Sponsor, My Devices, and Guest portals do not have a defined character limit.

CSCun36350 Patch info is shown after Cisco ISE Patch 7 CLI Rollback in standalone and deployment

CSCun36594 ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV

CSCun38402 Exception in CLI after enabling ERS

CSCun41732 Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate is Present

CSCun46032 Renew expired certificate

CSCun49379 Error in the custom Device Registration page redirects to the Login page.

CSCun51094 Bulk Import of Guests by Sponsor Falls in Wrong Guest Role


CSCun60443 No Dashboard or Live Logs for Long Time After Primary MnT Failure

CSCun61928 Not All Authorization Profiles are Recognized by Runtime

CSCun66269 Data access permissions for role-based access control (RBAC) does not work for Locations selection.

CSCun67719 Guest Portal: Error Message When Password Expired Confusing

CSCun68637 SNMP Query Fails to Complete during NMAP-triggered Probe

CSCun70626 Locking issue after reset session database

CSCun74285 ISE safe mode did not bypass admin portal certificate authentication.

CSCun74460 Incorrect Daylight Saving Time (DST) time zone offset in ISE affects remote syslog targets.

CSCun84251 Error after application ise reset-config on 1.2.0.899 Patch 6.

CSCun93673 ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter

CSCun94304 ISE RSA server configuration may fail to replicate to PSNs.

CSCun94693 ISE upgrade to 1.2 fails with boot loader error

CSCun97606 ISE Roaming Authentication Failing

CSCuo02708 ERS Port Should Not Request Client Certificate

CSCuo04860 Raise Alarms for EAP Session and Context Limits

CSCuo13099 ISE Sponsor, email ID used as username with space in it, throws an error.

CSCuo16503 ISE 1.2 Patch 7 AD Sponsor Created Guest Users Cannot Log In

CSCuo23637 ISE Role-Based Access Control (RBAC) policy failed to control the defined access policies.

CSCuo31160 Support Plus licenses in ISE 1.2.x

CSCuo32987 Endpoint Register Broken

CSCuo34449 ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent

CSCuo38618 ISE 1.2 cannot join the unit to Distributed Deployment

CSCuo39442 ISE 1.2 does not validate remote log target names.

CSCuo56780 ISE RADIUS Service Denial of Service Vulnerability

CSCuo58919 Endpoint static group assignment toggles between true or false option every 55 seconds.

CSCuo63448 Modifying the ISE parent profile disables child profile.

CSCuo63892 CIAM: ISE-commons-fileupload-1-0. This fix addresses third-party software vulnerabilities.

CSCuo73070, CSCuo76078 ISE 1.2 GUI Elements Missing Due to No Advanced License

CSCuo75506 ISE authorization profile with Central WebAuth (CWA) and custom guest portal does not redirect to default settings.

CSCuo88571 The IP release renew operation was not performed on Mac OSX devices.

CSCup20586 Mix-up in the Extensible Authentication Protocol (EAP) and MAC Authentication Bypass (MAB) attributes for the same endpoint.

CSCup33018 Apple iOS 8 beta fails Native Supplicant Provisioning flow.

CSCup50216 ISE 1.2+ API update was overwritten by the profiler.

CSCup51902 Exporting active endpoints does not work from the admin node.

CSCup62622 Default Sponsor Portal Fully Qualified Domain Name (FQDN) setting is changed to the FQDN of the Policy Service Node (PSN).

CSCup63424 Downloading software to effect release or renew of guest virtual LAN (VLAN) was not accomplished.

CSCup74180 Conditions defined for a Sponsor Group failed.

CSCup80994 ISE Policy Service Node (PSN) crashes due to network access device (NAD) missing shared secret.

CSCup82816 Certificate is not issued for MAC OS X with wired and wireless in Native Supplicant Provisioning (NSP).

CSCup97085 Data unavailable for authentication details.

CSCup97097 Export Results report for total endpoints is inaccurate.

CSCup97125 ISE GUI crashes with HTTPS certificates without Enhanced Key Usage (EKU).

CSCup99806 Custom data access permissions were not working as expected.

CSCuq05237 Change in the Network Access Users status failed to reflect in the Reports.

CSCuq07723 The Bring Your Own Device (BYOD) success page and Retry button do not display.

CSCuq19789 ISE fails to match Radius:service-type EQUALS authorize-only.

CSCuq74929 ISE 1.2 External Groups does not validate input properly.

CSCuq75823 MAC Agent fails to validate server certificates in MAC 10.10.

CSCuq81835 ISE base/advanced license counts remains at the default value zero.

CSCuq87920 MAC Agent provisioning is not supported in MAC 10.10.

CSCur00532 ISE evaluation for CVE-2014-6271 and CVE-2014-7169 (AKA ShellShock)

CSCur09439 ISE OS X 10.9.5 Simple Certificate Enrollment Protocol (SCEP) Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) flow fails.

CSCur17597 Users of some Identity Groups are not displayed.

Cisco ISE, Release 1.2.0, Resolved Caveats

This section lists the caveats that have been resolved in this release.

• Resolved Caveats

• Resolved Agent Caveats

• Resolved SPW Caveats

Resolved Caveats

Table 42 Cisco ISE, Release 1.2, Resolved Caveats

Caveat Description

CSCtj81255 Two MAC addresses detected on neighboring switch of ACS 1121 Appliance.

CSCtn76441 Custom conditions are not updated under Rules in profiling policies.

CSCtn92594 Quickpicker filters are not working correctly during Client Provisioning policy configuration.

CSCto32002 The Cisco ISE MAC address authentication summary report displays IP addresses instead of MAC addresses.

CSCto87799 Guest authentication fails.

CSCtq06832 Time and Date conditions need to be updated correctly when changing time zones.

CSCtq09004 Windows 7 guest access not successful from IE8 and Chrome 10.

CSCtq53690 Scheduled Monitoring and Troubleshooting incremental backup switches off following failed backup attempt.

CSCtr58811 Need to log out and log back in to get Advanced License functionality.

CSCtr66929 Selected month and year while configuring file “Date” condition.

CSCtr88091 You may experience slow response times for some user interface elements when using Internet Explorer 8.

CSCts45441 Weird behavior with creating guest account using start-end time profile.

CSCtt17378 Failed to send notification from UTF-8 Email address.

CSCtu05540 Monitoring and Troubleshooting node does not show Active Directory External Groups following authentication failure.

CSCtv17606 Monitoring and Troubleshooting requires an appropriate error message if backup/restore process fails.

CSCtw79431 Exiting the Cisco Mac Agent while in “pending” state displays the wrong user message.

CSCtw98454 Guest accounting report filter not working.

CSCtx01136 Cisco NAC Agent is not performing posture assessment.

CSCtx03427 Create Alarm Schedule returning XSS error messages.

CSCtx07670 Profiler conditions that are edited wind up corrupting Profiler policies.

CSCtx25213 IP table entry needs cleanup after deregistering a secondary node.

CSCtx31601 Cannot add Network Access user, but able to import users.

CSCtx33747 RBAC admin cannot access deployment page and perform deployment-related functions.

CSCtx51454 Unable to retrieve administrator users list.

CSCtx59957 A warning/pop-up appears while creating a Guest Time profile.

CSCtx74574 Device Configure Deployment option selected after upgrade from software Release 1.0 to Release 1.1.

CSCtx77149 Disk space issue.


CSCtx81905 Cisco ISE returns an error message while registering one node to another.

CSCtx90696 Cisco ISE does not work after updating the IP address.

CSCtx94533 The Endpoint DeviceRegistrationStatus Attribute Always Shows “Pending”

CSCtx94839 Clicking on logout link on the AUP page of Device Registration Webauth flow appears to do nothing.

CSCtx95251 Deployment page load exceeds six minutes when two or more nodes are unreachable.

CSCtx97190 Cisco 3750 switch is profiled as “Generic Cisco Router”.

CSCty00899 LiveLog Reports cannot be opened.

CSCty01787 Error in Generating XML Output for EndPointIPAddress API.

CSCty02379 Cisco ISE runs out of space due to a backlog of pending messages in the replication queue.

CSCty05157 The Cisco ISE dashboard is not working for administrator user names with more than 15 non-English characters contained in the username.

CSCty10461 Cannot register a Cisco ISE node with UTF-8 characters in administrator name.

CSCty10692 Requirement is used by Policy-Need tooltip on OS.

CSCty15646 Monitoring and Troubleshooting debug log alert settings get reset to WARN.

CSCty16603 Administrator ISE node promotion fails, resulting in disabled replication status.

CSCty19010 Editing Cisco ISE failure reason information returns error message.

CSCty23790 Internet Explorer 8 is unable to import endpoints from LDAP.

CSCty40077 Shared Secret Key for Inline Posture node Network Access Device is not created or updated.

CSCty51260 Active Directory "dn" attribute does not work for authorization policies.

CSCty59165 SNMPQuery Probe events queue runs out of memory.

CSCty80451 Failed to authenticate external admin (AD user) when configured user to change password at the next log in.

CSCty87291 Admin Web Portal Requests ID certification When It’s Password authentication-only

CSCty98551 Race condition between CoA event and persistence event during initial endpoint login.

CSCtz13306 Monitoring and Troubleshooting collector cannot collect posture audit logs to generate report.

CSCtz28057 After upgrade to Release 1.1, Cisco ISE is still in “initializing” state.

CSCtz41262 Authorization policy does not match when the MAC address uses the colon delimiter (00:00:00:00:00:00).

CSCtz41452 Evaluation license counter incrementing when wireless license installed.

CSCtz49846 Cisco ISE does not contain the ASA attribute 146 Tunnel Group Name that is sent on the Access Request.

CSCtz55815 Default Gateway is not changed if the new value is a part of old value.


CSCtz56691 Research In Motion (Blackberry) devices no longer work after upgrade to Cisco ISE, Release 1.1.1.

CSCtz67814 Replication disabled for secondary node.

CSCua00821 Error messages appear when you configure Active Directory via the CLI.

CSCua03889 Guest users are asked to accept the Acceptable Use Policy twice when first logging into Cisco ISE with password change.

CSCua05003 Service status is not correct if the ARP port number changes.

CSCua05433 The endpoint identity import function does not maintain correct identity group membership.

CSCua25187 Employees whose user names are 41 digits long will not see their devices.

CSCub18575 Problem with sponsor accounts starting with a "0"

CSCuc49317 When you have more than 60 authorization policy rules, creating a new rule takes about 4 minutes.

CSCuc61075 With the RADIUS probe disabled, if you indicate a device as lost or reinstate in the My Devices portal, CoA fails.

CSCuc63052 Policy Service node fails to load client certificate for secure syslog configuration.

CSCuc71592 In policy sets, authorization simple condition cannot be used in authorization policy rules.

CSCuc82453 Monitoring data exported in a .csv file from the primary Administration node is empty.

CSCuc87242 If you disable a sponsor user who has logged in to the sponsor portal, the sponsor user’s account is not disabled until the end of the session.

CSCuc92010 Sponsor users who create guest user accounts cannot delete those accounts from the Sponsor Portal.

CSCuc96884 Profiler Feed Service edit and save operations do not work in Internet Explorer 8.

CSCuc97133 Profiler log throws exceptions when you enable FIPS mode on the primary Administration node and FIPS mode is not enabled on the secondary nodes until they are restarted.

CSCud19143 Endpoint filtering does not work for the BYOD Registration and Device Registration Status fields.

CSCud22608 The minimum length of admin and user passwords in the password policy by default becomes four characters, instead of six.

CSCud31778 Policy set page takes a long time to load and save.

CSCud32310 Current Active Sessions report displays an error when the Monitor persona runs on remote node.

CSCud32485 Cannot log in to the sponsor portal after reinstating guest users and accepted the Acceptable Use Policy (AUP).

CSCud38499 Replication of authorization policy fails in a distributed deployment setup if the policy set name includes an underscore (_) character.

CSCud38623 MDM server’s Active status does not reflect the connectivity status.


CSCud38634 Guest sponsor details shows wrong sponsor name.

CSCud39871 Cannot save profiler configuration for a secondary node.

CSCud42216 Authentication request from Apple MAC systems that use the EAP-FAST protocol with inner method GTC or TLS fails.

CSCud43467 Posture reassessment check functionality is not working when you enable posture reassessment for a group of users. If a user moves to the compliant state, the user gains access to the network, but posture reassessment does not happen, and the user’s session gets terminated after a time interval.

CSCud70219 Log.xml files are not cleaned out regularly.

CSCud89273 Passed Numbers Not Appearing on Authentications Dashlet

CSCue14864 Endpoint statically assigned to ID group may appear in different group

CSCuf03318 The Network Setup Assistant fails when the user tries to “Cancel” the Configure Profile Tool.

CSCuf24898 ISE repository max password length 16 characters.

CSCuf47491 Timestamp of core files not preserved in support bundle.

CSCuf76821 .trc and .trm files are not cleaned out regularly.

CSCug20065 Unable to enforce RBAC as desired to a custom administrator.

CSCug59579 Windows 8 not included in Client Provisioning

CSCug59644 Trying dot1X authentication in an Activated Guest with “First Login” time profile fails.

CSCug69311 Not able to connect to SFTP, which is required for secure backups.

CSCug82539 While moving the policies from one profiled node to another, the profiler does not contain the policies in the policy cache.

CSCug90502 ISE Blind SQL Injection Vulnerability.

CSCug91963 Java process crashes when configuring host alias.

CSCug96069 Replication status update fails for all nodes if the network is restored on PAP.

CSCuh02759 While creating a support bundle, an error message appears as “node not reachable”.

CSCuh05950 Certificate missed and node disconnected after PAP promotion failed.

CSCuh07534 While downloading the debug logs from Administration node, an error appears as “Node is not reachable. Please check the node's status”.

CSCuh13582 ISE applies wrong Authorization rule/ profile

CSCuh14228 Internal administrator summary report export not working

CSCuh20322 Need ISE application server restart reason and timestamp

CSCuh23536 RADIUS drop should have last event timestamp

CSCuh25506 Cisco ISE CSRF Vulnerability

CSCuh30587 Backup fails due to ISE restart

CSCuh36333 Successful DACL download authentication is counted under authentication dashlet

CSCuh41450 IP Columns Sort on Char on Network Devices Page


CSCuh45239 Node Status Patch page does not refresh automatically

CSCuh56278 Local Web Authentication (LWA) Guest access by iOS 6 devices on ISE 1.2 fails

CSCuh65084 Scroll issue for small screens on Live Log page

CSCuh79596 Freshly Installed Standalone ISE Server Not Logging MDM Events

CSCuh84099 ISE should verify non-printable characters in x.509 certs

CSCuh95845 After internal password change policies using NA conditions match default Policy.

CSCui02984 Sponsor authentication failed for Active Directory user with Sponsor_Portal_Sequence.

CSCui08084 Guest user is not terminated on the switch when suspended via Edit Account.


CSCui15038 ISE HTTP control interface for NAC Web Agent XSS Vulnerability

CSCui15064 Certain ISE Reports Vulnerable to XSS Injection

CSCui16528 Wrong service selection for NDAC Policy

CSCui21439 Message code texts are blank or incorrect

CSCui21839 “Export Endpoints” Creates Empty File When Quick Filter is On

CSCui22884 ISE presents wrong HTTPS certificate

CSCui26708 ISE node to node HTTP Basic Authentication username and password logged

CSCui30266 ISE MDM Portal Cross-Site Scripting Vulnerability

CSCui30275 Component of the administration page of the Cisco Identity Services Engine (ISE) was vulnerable to a cross-site scripting (XSS) attack

CSCui34389 RADIUS accounting drop is not suppressed, flooding live log.

CSCui35514 'show tech' script in support bundle needs fixing

CSCui36160 Whitelist and expiration notification.

CSCui36643 ISE Editing schedule report complains of existing report name in use.

CSCui40950 Guest login takes long time and times out.

CSCui42788 Exporting of imported profile policy results in a garbled description.

CSCui44324 Backup task can't be configured in ISE 1.2 UI.

CSCui46739 Guest applet fails after update to Java 7 update 25.

CSCui48779 Clicking ‘Undo Latest’ on Feed Service page does not clean up rules in some conditions.

CSCui56071 ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates

CSCui57100 EAP-TLS auth fails with two sets of CRLs because CRL signature decrypt failed

CSCui57152 Endpoint Policy not updated for endpoints added using ERS API

CSCui57882 Some expired guest accounts cannot be deleted from PDP

CSCui57933 Purge expired guest accounts does not work

CSCui57961 When editing an expired guest account that cannot be deleted, logs out.

CSCui58390 Multiple names in SAN Field and ISE choose value randomly.


CSCui67495 Uploaded Filenames/Content Not Properly Sanitized

CSCui67511 Certain File Types are not Filtered and are Executable

CSCui71484 ISE SEC PAP has write access via ERS API

CSCui72269 ISE unable to understand SNMP attribute coming from Switch.

CSCui72658 Guest Portal cookies not set as Secure or HTTP Only.

CSCui75335 ISE 1.2 NAC agent fails posture due to 'NAC Server not available.'

CSCui77336 Customized URL ISE self registration not working.

CSCui78135 On Alpha Alarms Still Show Up When We Select All and Acknowledge

CSCui82998 Custom Guest Portal Loops after AUP Due to Loss of Session ID

CSCui83009 Unable to push compliance module to NAC agent on Macs.

CSCui89741 ISE ERS API creates endpoint with invalid format MAC address.

CSCui94488 MyDevice Portal allows endpoints with static endpoint ID group other than RegisteredDevices.

CSCui96322 Default Guest Portal Email Address Limited to 24 Characters

CSCui96960 MNT Livelog/Dashboard performance.

CSCuj01781 ISE uses SAN of user certificate for machine lookup in Active Directory

CSCuj03071 EndPoint update not being saved to PAP due to high latency

CSCuj03131 Lower "Request Rejection Interval" minimum to 5 minutes

CSCuj03697 Allow Tunnel* attributes in policies

CSCuj05295 ISE App server crashed and stuck in initialized state with "null" in collection filter

CSCuj07535 IP Address Change is Not Recorded in Endpoint Profile on ISE 1.2

CSCuj09430 Guest account is not working according to its Time Zone

CSCuj11040, CSCum97337 ISE Should Not Degrade a Profile Based on Problematic User-Agent

CSCuj13804 IE8 gives error on ISE1.2 when accessing the provisioning portal

CSCuj14382 Cannot statically assign IP address as FramedAddress

CSCuj15372 Authentications fail with MDM authentication rules enabled

CSCuj16049 HA Licensing

CSCuj19882 Unable to edit the existing Guest accounts after restoring old backup

CSCuj25038 ERS Service Disabled After Reboot

CSCuj26086, CSCuj80131 ISE Client Provisioning - NSP does not launch on Safari 7 (Mac OS X 10.9)

CSCuj28447 Endpoint statically assigned to ID group may appear in different group

CSCuj28968 Guest Activity Report is not working

CSCuj34004 User name change detected for the session removes all session attributes

CSCuj36104 ISE does not allow CRL when the name is the same on two Certificate Authorities


CSCuj36310 “@” Character Not Accepted in Wireless SSIDs Fields

CSCuj38204 ISE does not allow access for guest with no webagent if posture is configured

CSCuj39926 Kaspersky remediation does not appear anymore in the AV remediation

CSCuj45431 ISE Support for Mac OS X 10.9 NAC Agent

CSCuj45766 Add/Remove MDM server never got replicated to PSNs in distributed deployment

CSCuj47806 ISE redirects to default guest pages when it’s configured to redirect to custom pages

CSCuj48111 Hyphen and minus sign can't be entered as first or last name

CSCuj49903 Downloading / viewing large logfiles from PDP causes out of memory error

CSCuj51094 Captured TCPDump file is not working

CSCuj54630 ISE 1.2 patch 2 is rejecting https cookies from the Mobile Iron Server

CSCuj57335 Egress Matrix: require default SGACL that includes log option

CSCuj60796 ISE Support for IE 11

CSCuj61976 Admin UI fails to display certain UI pages when using Firefox 25

CSCuj62435 ISE 1.2 TrendMicro not listed for AV Remediation

CSCuj63046 Text fields impose 24 character limit during guest self-registration

CSCuj66093 86017 Error page sessionExpired.jsp images links are invalid

CSCuj70022 EAP-FAST authenticated provisioning with Android doesn't work

CSCuj72022 Cannot use "Ends With" operator in a Posture condition on ISE

CSCuj82836 Manual CoA - Re-authorization is not working

CSCuj84194 ISE sometimes does not send DACL in authorization profile

CSCuj84427 ISE 1.2 Admin password alerts not functioning properly

CSCuj90823 Guest Portal: IP Refresh Failing in IE 11

CSCuj91050 Creating Guest users shows incorrect timezone 'GMT+2 ECT'

CSCuj95908 ISE does not do domain stripping for Active Directory external store

CSCuj97669 DNS Resolution Failed for CNAME:"hostname" from the ISE node "hostname"

CSCuj98726 iOS devices bypass account suspension/lock by starting new EAP session

CSCul02821 MDM attributes don't update to Endpoint objective

CSCul02860 Struts Action Mapper Vulnerability

CSCul03127 Struts 2 Dynamic Method Invocation Vulnerability

CSCul03597 LDAP User Authorization Doesn't Work with EAP-FAST Chaining

CSCul03621 Endpoint Profiling Information is not being replicated correctly

CSCul06431 Active Directory attribute value in ATZ profile is not sent

CSCul10677 ISE 1.2 CWA Failure Reason 86017

CSCul13757 Audit records MUST log to External Syslog Servers: CLI log level

CSCul13805 Audit records MUST log to External Syslog Servers: HTTPS idle timeout

CSCul13812 Audit records MUST log to External Syslog servers: SSH publickey


CSCul13883 Audit records MUST log to External Syslog servers: SSH KEX Group14

CSCul13905 Audit records MUST log to External Syslog Servers: CLI clock set

CSCul13946 Audit records MUST log to External Syslog servers: Purge M&T Data

CSCul15967 ISE 1.2 Patch 3 Windows 8.1 CPP OS Detection Failure in Distributed Setup

CSCul16300 Audit records MUST log to External Syslog servers: CLI idle timeout

CSCul18169 Blocking ISE admin UI access for Chrome browser

CSCul18521 Audit records MUST log to External Syslog servers: VGA CLI AUTHC

CSCul18555 Audit records MUST log to External Syslog servers: SSH conn fail

CSCul21337 The Posture Troubleshooting tool was vulnerable to blind SQL injection.

CSCul23070, CSCul23252 Audit records MUST log to External Syslog Servers: SSH exit forceout

CSCul25066 ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service

CSCul28451 RADIUS Accounting Report “Account Session Time” blank.

CSCul29344 ISE 1.2 HTML Custom Pages for Different Portals Not Working.

CSCul35820 ISE Guest Registration Breaks with Apple IOS7 User Name as Email Address

CSCul39011 The Mobile Device Management (MDM) client failed to reject queries when MDM server was not responding.

CSCul42646 Failed to create Posture Condition with "NOT ENDS WITH" Operator

CSCul46893 URL preservation not working with self service guest user in MAB flow

CSCul48352 Right-Click - Copy to MAC and Username in Live Log

CSCul50495 Device Registration failed with Cisco Catalyst 3850 Switch

CSCul50720 Samsung Galaxy S4 cannot be on-boarded in dual SSID flow

CSCul55934 ISE 1.2 Cannot Delete Guest Users Created Using Unavailable Timezone Setting

CSCul58758 Redirecting to 'null' page in the browser after LWA flow with WLC-5500

CSCul58758 Redirected to null page in the browser after Local Web Authentication (LWA) flow with WLC-5500 series.

CSCul58895 ISE 1.2 Patch 3 StartEnd time profiles do not work for guest import

CSCul62175 ISE BYOD enhancement troubleshooting for SCEP

CSCul65045 Cannot create/edit network device if advanced license expired

CSCul66218 Posture delays due to HTTP thread exhaustion

CSCul66272 Terminate Change of Authorization during Posture for Unknown User-agent DynGate

CSCul71176 Endpoints manually assigned to identity groups might change groups randomly

CSCul71532 XML external entity injection found under ERS

CSCul77732 Warning message while creating Guest user with hyphen in Self Registration

CSCul77793 Scheduled Reports Not Exported When Using Illegal Character as a Report Name

CSCul82658 “Strip prefixes listed below” for Active Directory in GUI is a typo


CSCul84544 Retrieval of Active Directory Groups or Attributes from GUI is Failing

CSCul86970 GUI does not display the Allow only listed IP addresses option to connect.

CSCul87300 Special Character in LDAP password is not read correctly by ISE

CSCum01290 MDM Integration Not Working With ISE 1.2 Patch 3 and Patch 4

CSCum10047 Invalid Account Date When Changing Account Duration

CSCum13453 ISE SYSLOG Parsing Failure when Forwarding to Third-Party SYSLOG

CSCum26362 Authentications Details are Missing All the Required Data

CSCum29186 With Account Creation Time Zone Change Not Reflecting New Updated Allowed Time

CSCum37237 ISE No Sufficient Permission Error with Bulk Import of Guest Account

CSCum37237 Insufficient permission error with bulk import of guest account.

CSCum40721 Optional Data Field Not Matching in Authorization Rules

CSCum41138 NAS IP Address showing MnT address in ISE live logs after CoA REST API.

CSCum54099 ISE Does Not Send Sponsor-related syslog Message to External syslog Server

CSCum57372 NAS identifier does not appear in the authentication details in the web UI.

CSCum60627 Client EAP Sessions Never Get Cleared

CSCum69410 ISE 1.2 CWA with DRW Included Doesn't Register Endpoint

CSCum77223 Increase Maximum Login Failures for Guest

CSCum82815 Acceptable Use Policy Page Shouldn't Be Presented if ISE Knows Session is Expired on Login

CSCum82829 Cisco-branded Expiration Page Presented on Custom Portal

CSCum85930 ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect

CSCum86347 ISE Guest Start and Expiration Dates Don't Reflect Sponsor Portal Time Zone

CSCum88817 ISE 1.2 Logs Filled with Unnecessary License Validity Info

CSCum92155 ISE REST API (ERS) - PUT Update Request Removes identityGroups Value

CSCum96035 Guest Custom Portal Password Change Does Not Have Error Handling

CSCun00215 ISE RSA Agent Exhausted Under Heavy Load

CSCun00427 ISE 1.2 match operator returns true when LHS is NULL and RHS is constant.

CSCun08410 Guest Account’s Start and End Time Validated Against System Time Zone

CSCun11240 Guest Sponsor Mapping Report Incorrectly Changes Sponsor

CSCun15601 Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail

CSCun25178 Fetching Group Information Takes a Long Time Because of SIDHistory

CSCun28502 Sponsor, My Devices, and Guest portals do not have a defined character limit.

CSCun36594 ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV

CSCun41732 Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate is Present

CSCun51094 Bulk Import of Guests by Sponsor Falls in Wrong Guest Role


CSCun60443 No Dashboard or Live Logs for Long Time After Primary MnT Failure

CSCun61928 Not All Authorization Profiles are Recognized by Runtime

CSCun67719 Guest Portal: Error Message When Password Expired Confusing

CSCun68637 SNMP Query Fails to Complete during NMAP-triggered Probe

CSCun74285 ISE safe mode did not bypass admin portal certificate authentication.

CSCun74460 Incorrect Daylight Saving Time (DST) time zone offset in ISE affects remote syslog targets.

CSCun74636 OSX Mavericks is profiled as Apple device based on incorrect User-Agent.

CSCun84251 Error after application ise reset-config on 1.2.0.899 Patch 6.

CSCun93673 ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter

CSCun94304 ISE RSA server configuration may fail to replicate to PSNs.

CSCun97606 ISE Roaming Authentication Failing

CSCuo02708 ERS Port Should Not Request Client Certificate

CSCuo04860 Raise Alarms for EAP Session and Context Limits

CSCuo13099 ISE Sponsor, email ID used as username with space in it, throws an error.

CSCuo16503 ISE 1.2 Patch 7 AD Sponsor Created Guest Users Cannot Log In

CSCuo32987 Endpoint Register Broken

CSCuo34449 ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent

CSCuo39442 ISE 1.2 does not validate remote log target names.

CSCuo56780 ISE RADIUS Service Denial of Service Vulnerability

CSCuo58919 Endpoint static group assignment toggles between true or false option every 55 seconds.

CSCuo63448 Modifying the ISE parent profile disables child profile.

CSCuo63892 CIAM: ISE-commons-fileupload-1-0

CSCuo73070, CSCuo76078 ISE 1.2 GUI Elements Missing Due to No Advanced License

CSCuo75506 ISE authorization profile with Central WebAuth (CWA) and custom guest portal does not redirect to default settings.

CSCuo88571 The IP release renew operation was not performed on Mac OSX devices.

CSCup33018 Apple iOS 8 beta fails Native Supplicant Provisioning flow.

CSCup50216 ISE 1.2+ API update was overwritten by the profiler.

CSCup51902 Exporting active endpoints does not work from the admin node.

CSCup63424 Downloading software to effect release or renew of guest virtual LAN (VLAN) was not accomplished.

CSCup79399 Cisco ISE-related reports return blank page while launching from PI.

CSCup88315 Apple iOS 8 beta failing External Web Authentication (WebAuth) with ISE.

CSCup99806 Custom data access permissions were not working as expected.

Table 42 Cisco ISE, Release 1.2, Resolved Caveats (continued)

Caveat Description

CSCuq01548 ISE posture dropped during Change of Authorization (CoA) due to invalid HTTP User-Agent [Trident 7.0].

CSCuq02222 The Simple Network Management Protocol (SNMP) Query probe failed to discover endpoints using periodic polling.

CSCuq26320 EAP-FAST authenticated provisioning with Android does not work.

Resolved Agent Caveats

Table 43 Cisco ISE, Release 1.2, Resolved Agent Caveats

Caveat Description Agent Version

CSCto03644 Tray icon flickers click focus if user changes applications from login successfully. Mac OS X Agent 4.9.0.656

CSCto19507 Mac OS X agent does not prompt for upgrade when coming out of sleep mode. Mac OS X Agent 4.9.1.682

CSCto97422 Auto Popup does not happen after clicking Cancel during remediation failure. Mac OS X Agent 4.9.1.682

CSCug26558 Live Authentications: Posture links redirect to wrong MAC address and empty report. Mac OS X Agent 4.9.0.1008

CSCue41912 Posture: Cisco NAC Agent not triggering on Windows 8. NAC Agent 4.9.0.52

CSCue98661 Cisco ISE NAC Agent on Windows 8 checks for AV that is not selected. NAC Agent 4.9.3.5

CSCud48606 NAC Agent does not validate the HTTPS connections after the initial one. NAC Agent 4.9.5.7

CSCuq52821 NAC Agent 4.9.4.3 takes about an hour to complete posture. NAC Agent 4.9.5.7

CSCur95891 NAC Agent should not communicate using the cached discovery IP address. NAC Agent 4.9.5.7

CSCup69321 The following error message is displayed, if a PSN goes down after the NAC Agent has started posture with the PSN: "Clean Access Server is not available on the network. Please contact our administrator if the problem persists." NAC Agent 4.9.5.7

CSCup75697 If the discovery via Discovery Host and Default Gateway fails, Agent will try discovery via previously connected server. If the discovery via known server also fails, Agent goes into a loop of 30 retries. Agent does not exit this loop even if there is a network change event. NAC Agent 4.9.5.7

Resolved SPW Caveats

Table 44 Cisco ISE, Release 1.2, Resolved SPW Caveats for Windows

Caveat Description SPW Version

CSCug95980 Cisco ISE NSP does not support SDIO based wireless adapters. 1.0.0.31

CSCug66885 Windows SPW-Trusted Root CA not set in network profile. 1.0.0.30

CSCud65260 DualSSID_Win7_PEAP_AutoLogin NSP not connecting to Closed SSID. 1.0.0.29

CSCud01247 BYOD: Messages are not localized. 1.0.0.27

CSCud56448 PEAP Supplicant Provisioning does not set Validate Server Certificate. 1.0.0.27

CSCue38943 BYOD: Characters corrupted. A vertical line appears at the end of the Applying Configuration screen. 1.0.0.28

CSCue43405 Windows 8- Dual SSID is broken (MAB + PEAP), if wrong networking password is entered in SPW. 1.0.0.28

CSCue43413 Login failure message displayed in dual SSID (MAB + PEAP). 1.0.0.28

CSCue47503 Win SPW v1.0.0.27 fails with Wired dual SSID (MAB > PEAP). 1.0.0.28

CSCud05296 NSP installation on Windows 8 failed. 1.0.0.26

CSCuq79723 LAT1-ISE-NL-BYOD - Checkin translations for new strings added for no Java support. 1.0.0.43

CSCuq07723 Set credentials again for wired to make sure prompt does not appear again. 1.0.0.42

CSCuq47345 Delete certificate popup should be suppressed while installing SPW. Reverted to 1.2 version. If cancel/no is clicked on 'Deleted certificate' popup, continue with the flow. 1.0.0.41

CSCuq05572 BYOD:NSA still runs after profiles are installed on client. Added manifest file indicating supported OS. 1.0.0.41

CSCuj11855 ISE gives little debugs when SCEP fails for Windows-related reasons. 1.0.0.41

CSCuo81140 Failed to download profile configuration on Windows 8 Enterprise N. Updated the version# to 1.0.0.41. 1.0.0.41

CSCun64760 Upgrade third party to latest version. 1.0.0.41

CSCuo72465 BYOD flow failed with a new BYOD portal. 1.0.0.40


CSCuo65083 BYOD: SPW crashes on WIN 7 Machine. 1.0.0.39

CSCuo37011 Internal CA certificate issued to end point reflects incorrect data. 1.0.0.39

CSCun60478 Implement Windows NSP updates for Telstra (and others). 1.0.0.38

CSCun14753 Failed to get the certificate when SCEP template created is greater than 1024. 1.0.0.37

CSCul16354 US8684: SPW for MAC And Windows without Java. 1.0.0.36 & ISE 1.2.1 Patch 3 and ISE 1.2.0 Patch 11

CSCuh24715 Win 8: SPW1.0.0.31 fails for dual/Single SSID. 1.0.0.33

CSCuc42511 Localization for NSP wizards - support for additional languages. 1.0.0.24


Table 45 Cisco ISE, Release 1.2, Resolved SPW Caveats for Mac OS X

Caveat Description SPW Version

CSCuf61159 Wired MAC10.8.3-Fails to auto re-connect to network using new profile. 1.0.0.21

CSCug16632 BYOD CR: SPW configures the profile and succeeds even when PDP is down. 1.0.0.20

CSCug18081 NSP page does not show status of Mac SPW consistently. 1.0.0.19

CSCuf03318 Network Setup Assistant fails, if user clicks ‘Cancel’ in the Config profile Tool. 1.0.0.19

CSCue53450 Cisco Network Setup Assistant copyright year should be changed. 1.0.0.19

CSCue62005 Macintosh SPW 1.0.0.17 is not able to configure wired adapters. 1.0.0.18

CSCud00349 Translation property file has new line character in the JA translation property file. 1.0.0.17

CSCud64592 MAC OS X 10.6.8: Fails to connect to Closed SSID using the TSL Profile. 1.0.0.16

CSCub29212 In MAC OS X 10.8, modify system network configuration needs confirmation from system administrator. 1.0.0.15

CSCub27769 Cisco ISE does not block both wired and wireless interface MAC addresses for lost devices. 1.0.0.18

CSCub65963 Certificate Enrollment is vulnerable to session Hija. 1.0.0.11

CSCub29185 MAC 10.8: Agent and SPW fails to install, when “MAC App Store and identified developers” is selected in the Security & Privacy Preference Pane. 1.0.0.15

CSCur27820 Codesign verification issue with MAC 10.10 Preview 5, 10.9.5 & above. 1.0.0.30

CSCur09439 ISE OS X 10.9.5 SCEP EAP-TLS flow fails, but actually fails in MAC 10.10, 10.9.5 and 10.8.5. Fix is common for all versions. 1.0.0.29


CSCuq07723 Mac OS X SPW launches redirect url if found in profile 1.0.0.28

CSCuq59006 Fix for SPW stale redirect callback blocking wired provisioning 1.0.0.27

CSCup82816 Modified CSR generation to follow RFC for both interfaces, fix conflict with 1.3 internal CA. 1.0.0.26

CSCuq23078 SPW Wizard fails to discover ISE on OSX 10.7. 1.0.0.26

CSCuo73168 Native Supplicant Profile (NSP) fails on MAC due to mismatch in cert key size between csr req & int CATmp. 1.0.0.24

CSCul08339 Update MAC SPW. 1.0.0.23

CSCul16354 US8684: SPW for MAC And Windows without Java. 1.0.0.22 and ISE 1.2.1 Patch 3 and ISE 1.2.0 Patch 11


Table 46 Cisco ISE, Release 1.2, Resolved SPW Caveats for Android [1]

Caveat Description SPW Version

CSCut25212 Android 4.3 and above, NSP does not store certificates in the keystore. 1.2.42 [2]

CSCuq07723 BYOD Success page should be shown for Windows/OS X, if it fails Retry button should be shown. 1.2.39

CSCup41088 Provisioning issues for Android less than 4.3 devices. 1.2.38

CSCur02271 Tilting Android mobile crashes Android SPW. 1.2.41

CSCum58571 Android: BYOD single SSID flow for android device is broken. 1.2.38

CSCul80706 Day-0 - Unable to connect Nexus 4 running Android 4.4 to the closed SSID. 1.2.37

CSCuj28044 Android 4.3 - SPW fails to apply network configuration profile in a few cases. 1.2.36

CSCui42655 Day0 - Network Setup Assistant fails to configure on Android 4.3. 1.2.35

CSCuh34133 NSP: Google Play store taking to the books site for Android. 1.2.33

CSCug94013 HTTPS Clients fail to do HostnameVerify when hostname is available. RFC 2818. 1.2.33

1. You can download the SPW from the Google Play Store. SPW 1.2.42 is the latest version.

2. On Android 4.3 and later devices, you will be prompted to install certificates, similar to the certificate installation warning that you see on earlier versions of Android devices.


Documentation Updates

Table 47 Updates to Release Notes for Cisco Identity Services Engine, Release 1.2.x

Date Description

10/24/2014 • Added Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12, page 80

• Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12, page 90

9/17/2014 Added Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 2, page 56

9/15/2014 Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 11, page 94

8/7/2014 Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10, page 96.

7/18/2014 Added Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 1, page 59

7/3/2014 Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 9, page 99

6/20/2014 • Updated Upgrading Cisco ISE Software, page 9

• Added Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 8

6/2/2014 Updated Support for Microsoft Active Directory, page 7

5/30/2014 • Cisco Identity Services Engine, Release 1.2.1

• Added New Features in Cisco ISE, Release 1.2.1, page 13

• Added Cisco ISE, Release 1.2.1, Resolved Caveats, page 158

3/26/2014 • Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 7, page 106

• Updated Open Caveats, page 132

2/21/2014 Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 6, page 110

1/22/2014 Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 5, page 113

12/20/2013 • Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 5, page 113

• Updated Open Caveats, page 132

11/27/2013 • Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 4, page 120

• Updated Open Caveats, page 132

• Updated Open Agent Caveats, page 155

10/29/2013 • Added Support for Windows 8.1 and Mac OS X 10.9 in Cisco ISE Version 1.2.0.899—Cumulative Patch 3, page 122

• Updated Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 3, page 122

10/28/2013 Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 3, page 122

9/19/2013 • Added New Features in Cisco ISE Version 1.2.0.899—Cumulative Patch 2, page 127

• Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 2, page 130

8/1/2013 Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 1, page 132

7/25/2013 Cisco Identity Services Engine, Release 1.2

Related Documentation

Release-Specific Documents

General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.

Table 48 Product Documentation for Cisco Identity Services Engine

Document Title Location

Release Notes for the Cisco Identity Services Engine, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html

Cisco Identity Services Engine Network Component Compatibility, Release 1.2

http://www.cisco.com/en/US/products/ps11640/products_device_support_tables_list.html

Cisco Identity Services Engine User Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Upgrade Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine, Release 1.2 Migration Tool Guide

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine CLI Reference Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine API Reference Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine Troubleshooting Guide, Release 1.2

http://www.cisco.com/en/US/products/ps11640/prod_troubleshooting_guides_list.html

Regulatory Compliance and Safety Information for Cisco Identity Services Engine 3300 Series Appliance, Cisco Secure Access Control System 1121 Appliance, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco ISE In-Box Documentation and China RoHS Pointer Card

http://www.cisco.com/en/US/products/ps11640/products_documentation_roadmaps_list.html

Platform-Specific Documents

Links to other platform-specific documentation are available at the following locations:

• Cisco ISE: http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html

• Cisco UCS C-Series Servers: http://www.cisco.com/en/US/docs/unified_computing/ucs/overview/guide/UCS_rack_roadmap.html

• Cisco Secure ACS: http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html

• Cisco NAC Appliance: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

• Cisco NAC Profiler: http://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html

• Cisco NAC Guest Server: http://www.cisco.com/en/US/products/ps10160/tsd_products_support_series_home.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.


This document is to be used in conjunction with the documents listed in the “Related Documentation” section.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2014 Cisco Systems, Inc. All rights reserved.
