Release Notes for Cisco Identity Services Engine, Release 1.0.4
Revised: August 14, 2013, OL-25482-01
Contents
These release notes describe the features, limitations and restrictions (caveats), and related information for Cisco Identity Services Engine (ISE) Maintenance Release 1.0.4. These release notes supplement the Cisco ISE documentation that is included with the product hardware and software release, and cover the following topics:
• Cisco Identity Services Engine Releases
• Node Types, Personas, Roles, and Services
• Installing Cisco ISE Software
• Cisco Secure ACS to Cisco ISE Migration
• Cisco ISE License Information
• Key Features in Maintenance Release 1.0.4
• Cisco ISE Install Files, Updates, and Client Resources
• Cisco ISE Antivirus and Antispyware Support
• Cisco ISE Patch Release Updates
• Cisco ISE Release 1.0.4 Open Caveats
• Cisco ISE Release 1.0.4 Resolved Caveats
Cisco Identity Services Engine Releases
Introduction
The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution. Cisco ISE offers authenticated network access, profiling, posture, guest management, and security group access services along with monitoring, reporting, and troubleshooting capabilities on a single physical or virtual appliance. Cisco ISE ships on a range of physical appliances with different performance characterization and also allows the addition of more appliances to a deployment for performance, scale, and resiliency. Cisco ISE has a highly available and scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. Cisco ISE also allows for configuration and management of distinct Cisco ISE personas and services. This feature gives you the ability to create and apply Cisco ISE services where they are needed in the network, but still operate the Cisco ISE deployment as a complete and coordinated system.
Node Types, Personas, Roles, and Services
Cisco ISE provides a highly available and scalable architecture that supports both standalone and distributed deployments. In a distributed environment, you configure one primary Administration node and the rest are secondary nodes. The topics in this section provide information about Cisco ISE terminology, supported node types, distributed deployment, and the basic architecture.
Cisco ISE Deployment Terminology
Table 1-1 describes some of the common terms used in Cisco ISE deployment scenarios.
Types of Nodes
A Cisco ISE network has only two types of nodes:
• Cisco ISE node—An ISE node could assume any of the following three personas:
  – Administration—Allows you to perform all administrative operations on Cisco ISE. It handles all system-related configuration and configurations related to functionality such as authentication, authorization, auditing, and so on. In a distributed environment, you can have only one or a maximum of two nodes running the Administration persona. The Administration persona can take on any one of the following roles: standalone, primary, or secondary. If the primary Administration node goes down, you have to manually promote the secondary Administration node. There is no automatic failover for the Administration persona.
  – Policy Service—Provides network access, posture, guest access, and profiling services. This persona evaluates the policies and makes all the decisions. You can have more than one node assuming this persona. Typically, there would be more than one Policy Service persona in a distributed deployment. All Policy Service personas that reside behind a load balancer share a common multicast address and can be grouped together to form a node group. If one of the nodes in a node group fails, the other nodes in that group process the requests of the node that has failed, thereby providing high availability.
  Note: At least one node in your distributed setup should assume the Policy Service persona.
  – Monitoring—Enables Cisco ISE to function as the log collector and store log messages from all the Administration and Policy Service personas on the ISE nodes in your network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources.
  A node with this persona aggregates and correlates the data that it collects to provide you with meaningful information in the form of reports. Cisco ISE allows you to have a maximum of two nodes with this persona that can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring personas collect log messages. In case the primary Monitoring persona goes down, the secondary Monitoring persona automatically assumes the role of the primary Monitoring persona.
  Note: At least one node in your distributed setup should assume the Monitoring persona.
• Inline Posture node—A gatekeeping node that is positioned behind network access devices such as wireless LAN controllers (WLCs) and virtual private network (VPN) concentrators on the network. Inline Posture enforces access policies after a user has been authenticated and granted access, and handles Change of Authorization (CoA) requests that a WLC or VPN is unable to accommodate. Cisco ISE allows you to have two Inline Posture nodes that can take on primary or secondary roles for high availability.
Note: An Inline Posture node is dedicated solely to that service, and cannot operate concurrently with other ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node cannot assume any persona. Inline Posture nodes are not supported on VMware server systems.
Note: Each ISE node in a deployment can assume more than one of the three personas (Administration, Policy Service, or Monitoring) at a time. By contrast, each Inline Posture node operates only in a dedicated gatekeeping role.
In a distributed deployment, you can have the following combination of nodes on your network:
• Primary and secondary Administration nodes
• Primary and secondary Monitoring nodes
• One or more Policy Service nodes
• One or more Inline Posture nodes
You can change the persona of a node. See the "Setting Up ISE in a Distributed Environment" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4 for information on how to configure these personas on Cisco ISE nodes.
Hardware Requirements
This section describes the following topics:
• Supported Virtual Environments
• Cisco ISE License Information
• Additional Support Information
Note: For more details on Cisco ISE hardware platforms and installation, see the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4.
Supported Hardware
Cisco ISE software is packaged with your appliance or image for installation. After installation, you can configure Cisco ISE as any of the specified component personas (Administration, Policy Service, and Monitoring) or as an Inline Posture node on the platforms that are listed in Table 2.
Table 2 Supported Hardware and Personas
Hardware Platform: Cisco ISE-3315-K9 (small)
Persona: Any
Configuration:
• 1x Xeon 2.66 GHz quad-core processor
• 4 GB RAM
• 4x 1 GB NIC[3]

Hardware Platform: Cisco ISE-3355-K9 (medium)
Persona: Any
Configuration:
• 1x Nehalem 2.0 GHz quad-core processor
• 4 GB RAM
• 2 x 300 GB 2.5 in. SATA HDD
• RAID[4] (disabled)
• 4x 1 GB NIC
• Redundant AC power

Hardware Platform: Cisco ISE-3395-K9 (large)
Persona: Any
Configuration:
• 2x Nehalem 2.0 GHz quad-core processor
• 4 GB RAM
• 4 x 300 GB 2.5 in. SAS II HDD
• RAID 1
• 4x 1 GB NIC
• Redundant AC power

Hardware Platform: Cisco ISE-VM-K9 (VMware)
Persona: Stand-alone Administration, Monitoring, and Policy Service (no Inline Posture)
Configuration:
• CPU—Intel Dual-Core; 2.13 GHz or faster
• Memory—4 GB RAM[5]
• Hard Disks (minimum allocated memory):
  – Stand-alone—200 GB
  – Administration—200 GB
  – Policy Service and Monitoring—200 GB
  – Monitoring—200 GB
  – Policy Service—60 GB
  Note: Cisco does not recommend allocating any more than 600 GB maximum space for any node.
• NIC—1 GB NIC interface required (4 NICs are recommended)
• Supported VMware versions include:
  – ESX 4.x
  – ESXi 4.x
Note: For an evaluation or production version, the minimum disk space is 60 GB.

[1] SATA = Serial Advanced Technology Attachment
[2] HDD = hard disk drive
[3] NIC = network interface card
[4] RAID = redundant array of independent disks
[5] Memory allocation of less than 4 GB is not supported for any VMware appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 4 GB prior to opening a case with the Cisco Technical Assistance Center.
If you are moving from Cisco Secure Access Control System (ACS) or Cisco NAC Appliance to Cisco ISE, the Cisco Secure ACS 1121 and Cisco NAC 3315 appliances support small deployments, Cisco NAC 3355 appliances support medium deployments, and Cisco NAC 3395 appliances support large deployments.
Supported Virtual Environments
Cisco ISE supports the following virtual environment platforms:
• VMware Server v2.0 (Demo Only)
• VMware ESX 4.x
• VMware ESXi 4.x
Supported Browsers
You can access the Cisco ISE administrative user interface using the following browsers:
• Mozilla Firefox 3.6
• Microsoft Internet Explorer 8
Additional Support Information
Refer to Cisco Identity Services Engine Network Component Compatibility, Release 1.0.4 for information on supported devices and agents.
Installing Cisco ISE Software
The following steps summarize how to install new Cisco ISE Release 1.0.4 DVD software on supported hardware platforms (see Supported Hardware for support details).
With Cisco ISE Release 1.0.4, installation occurs in two phases:
1. The software is installed from the DVD, and when complete, the DVD is ejected from the appliance.
2. The administrator logs in and performs the initial configuration.
Step 1: Log into Cisco Download Software at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You might be required to provide your Cisco.com login credentials.
Step 2: Navigate to Security > Identity Management > Cisco Identity Services Engine > Cisco Identity Services Engine Software.
Step 3: Download the appropriate Cisco ISE .ISO image (for example, ise-1.0.4.573.i386.iso) and burn the image as a bootable disk to a DVD-R.
Step 4: Insert the DVD into the DVD-R drive of each appliance, and reboot the appliance to initiate the Cisco ISE DVD installation process.
Step 5: (If necessary) Install a valid FlexLM product license file and perform Cisco ISE initial configuration according to the instructions in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4. Before you run the setup program, ensure that you know the configuration parameters listed in Table 3.
Table 3 Identity Services Engine Network Configuration Parameters for Setup
Prompt: Hostname
Description: Must not exceed 19 characters. Valid characters include alphanumeric (A-Z, a-z, 0-9), hyphen (-), with a requirement that the first character must be an alphabetic character.
Note: Cisco does not recommend using mixed case and hyphens in the hostname.
Example: ise-node1

Prompt: (eth0) Ethernet interface address
Description: Must be a valid IPv4 address for the eth0 Ethernet interface.
Example: 10.12.13.14

Prompt: Netmask
Description: Must be a valid IPv4 address for the netmask.
Example: 255.255.255.0

Prompt: Default gateway
Description: Must be a valid IPv4 address for the default gateway.
Example: 10.12.13.1

Prompt: DNS domain name
Description: Cannot be an IP address. Valid characters include ASCII characters, any numbers, hyphen (-), and period (.).
Example: mycompany.com

Prompt: Primary name server
Description: Must be a valid IPv4 address for the primary Name server.
Example: 10.15.20.25

Prompt: Add/Edit another name server
Description: Must be a valid IPv4 address for an additional Name server.
Example: (Optional) Allows you to configure multiple Name servers. To do so, enter y to continue.

Prompt: Primary NTP server
Description: Must be a valid NTP server in a domain reachable from Cisco ISE.[1]
Example: clock.nist.gov

Prompt: Add/Edit another NTP server
Description: Must be a valid NTP server in a domain reachable from Cisco ISE.[1]
Example: (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue.

Prompt: System Time Zone
Description: Must be a valid time zone. Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4 for a table of time zones that Cisco ISE supports. The default value is UTC.[2]
Note: The table lists the frequently used time zones. You can run the show timezone command from the Cisco ISE CLI for a complete list of supported time zones.
Example: UTC

Prompt: Username
Description: Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default, you must create a new username, which must be from 3 to 8 characters in length, and be composed of valid alphanumeric characters (A-Z, a-z, or 0-9).
Example: admin (default)

Prompt: Password
Description: Identifies the administrative password used for CLI access to the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9).
Example: MyIseYP@@ss

Prompt: Database Administrator Password
Description: Identifies the Cisco ISE database system-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9).
Note: Once you configure this password, Cisco ISE uses it "internally." That is, you do not have to enter it when logging into the system at all.
Example: ISE4adbp@ss

Prompt: Database User Password
Description: Identifies the Cisco ISE database access-level password. You must create this password (there is no default). The password must be a minimum of 11 characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9).
Note: Once you configure this password, Cisco ISE uses it "internally." That is, you do not have to enter it when logging into the system at all.
Example: ISE5udbp@ss

[1] Changing the NTP server specification after Cisco ISE installation will likely affect the entire deployment.
[2] Changing the time zone specification after Cisco ISE installation will likely affect the entire deployment.
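A pre-flight check of the Table 3 values before running setup, as an added example that is not Cisco's code. The dictionary keys are hypothetical names, and the gateway-on-subnet test is an added sanity check that Table 3 does not state. Run on the Table 3 sample values, it reports one finding: the sample CLI password contains no digit.

```python
import ipaddress
import re

# Values copied from the Example column of Table 3 (key names are hypothetical).
TABLE3_EXAMPLES = {
    "hostname": "ise-node1",
    "eth0_address": "10.12.13.14",
    "netmask": "255.255.255.0",
    "default_gateway": "10.12.13.1",
    "dns_domain": "mycompany.com",
    "primary_name_server": "10.15.20.25",
    "username": "admin",
    "password": "MyIseYP@@ss",
    "db_admin_password": "ISE4adbp@ss",
    "db_user_password": "ISE5udbp@ss",
}


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_netmask(value):
    """A valid IPv4 address whose one-bits are contiguous from the left."""
    if not is_ipv4(value):
        return False
    inverted = int(ipaddress.IPv4Address(value)) ^ 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def password_errors(label, value, min_len):
    """Length plus the lowercase/uppercase/number classes Table 3 requires."""
    errors = []
    if len(value) < min_len:
        errors.append(f"{label}: shorter than {min_len} characters")
    for pattern, what in (("[a-z]", "lowercase letter (a-z)"),
                          ("[A-Z]", "uppercase letter (A-Z)"),
                          ("[0-9]", "number (0-9)")):
        if not re.search(pattern, value):
            errors.append(f"{label}: needs at least one {what}")
    return errors


def validate_setup(p):
    """Return a list of rule violations; an empty list means all checks passed."""
    errors = []
    if len(p["hostname"]) > 19:
        errors.append("Hostname: exceeds 19 characters")
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", p["hostname"]):
        errors.append("Hostname: must start with a letter and use only A-Z, a-z, 0-9, -")

    for key, label in (("eth0_address", "eth0 address"),
                       ("default_gateway", "Default gateway"),
                       ("primary_name_server", "Primary name server")):
        if not is_ipv4(p[key]):
            errors.append(f"{label}: not a valid IPv4 address")
    if not is_netmask(p["netmask"]):
        errors.append("Netmask: not a valid IPv4 netmask")

    # Added sanity check, not a Table 3 rule: the gateway should sit on eth0's subnet.
    if (is_ipv4(p["eth0_address"]) and is_netmask(p["netmask"])
            and is_ipv4(p["default_gateway"])):
        net = ipaddress.IPv4Network(f'{p["eth0_address"]}/{p["netmask"]}', strict=False)
        if ipaddress.IPv4Address(p["default_gateway"]) not in net:
            errors.append("Default gateway: not on the eth0 subnet (added check)")

    domain = p["dns_domain"]
    if is_ipv4(domain) or not re.fullmatch(r"[A-Za-z0-9.-]+", domain):
        errors.append("DNS domain name: must not be an IP address; use letters, numbers, - and .")

    if not re.fullmatch(r"[A-Za-z0-9]{3,8}", p["username"]):
        errors.append("Username: must be 3 to 8 alphanumeric characters")

    errors += password_errors("Password", p["password"], 6)
    errors += password_errors("Database Administrator Password", p["db_admin_password"], 11)
    errors += password_errors("Database User Password", p["db_user_password"], 11)
    return errors


if __name__ == "__main__":
    for finding in validate_setup(TABLE3_EXAMPLES):
        print(finding)
```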
Note: For additional information on configuring and managing Cisco ISE, use the list of documents in Release-Specific Documents to access other documents in the Cisco ISE documentation suite.
Upgrading Cisco ISE Software
If you installed Cisco Identity Services Engine Release 1.0 or Cisco Identity Services Engine Maintenance Release 1.0.4.558 previously and are planning to upgrade to the latest Cisco ISE Maintenance Release 1.0.4, be sure to follow the upgrade instructions in the "Upgrading Cisco ISE" chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4.
Note: There is a known issue regarding default "admin" administrator user interface access following upgrade from Cisco Identity Services Engine Release version 1.0.3.377 to Cisco Identity Services Engine Maintenance Release 1.0.4.573. See Known Issue with Upgrade from Cisco ISE Release 1.0.3.377 for details.
Note: If you want to replace a Cisco ISE appliance running Cisco Identity Services Engine Maintenance Release 1.0.4.558 with a new Cisco ISE running Cisco Identity Services Engine Maintenance Release 1.0.4.573, you must upgrade the appliance running version 1.0.4.558 to 1.0.4.573 before creating a database backup image, which you can then restore on the new appliance running version 1.0.4.573.
Cisco Secure ACS to Cisco ISE Migration
Note: You must upgrade your Cisco Secure ACS deployment to Release 5.1 or 5.2 before you attempt to perform the migration process to Cisco Identity Services Engine.
After you have moved your Cisco Secure ACS 5.1 or 5.2 database over, you will notice some differences in existing data types and elements as they appear in the new Cisco Identity Services Engine Maintenance Release 1.0.4.573 environment.
The only currently supported browser for downloading the migration tool files is Firefox version 3.6.x. Microsoft Windows Internet Explorer (IE8 and IE7) browsers are not currently supported in this release.
Complete instructions for moving your Cisco Secure ACS 5.1 or 5.2 database to Cisco Identity Services Engine Maintenance Release 1.0.4.573 are covered in the Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.0.4.
Cisco ISE License Information
Cisco ISE comes with a 90-day Base and Advanced package evaluation license already installed on the system. After you have installed the Cisco ISE software and initially configured the primary Administration persona, you must obtain and apply a Base, Base and Advanced, or Wireless license for your Cisco ISE. Table 4 summarizes the Cisco ISE license types. (Although the evaluation license allows you to provide support for both wired and wireless users, purchasing and applying a Wireless License option cuts off support for any wired users you may have been supporting during the evaluation period.)
Note: Wireless Licenses cannot coexist on an Administration ISE node with Base or Base and Advanced Licenses.
Licenses are centrally managed by the Administration ISE node. In a distributed deployment, where two Cisco ISE nodes assume the Administration persona (primary and secondary), upon successful installation of the license file, the licensing information from the primary Administration node is propagated to the secondary Administration node. So there is no need to install the same license on each Administration node within the deployment.
For more detailed information on license types and obtaining licenses for Cisco ISE, see the "Performing Post-Installation Tasks" chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4.
For specific information on adding, modifying, and removing license files, see the "Managing Licenses" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4.
For detailed information and license part numbers available for Cisco ISE, including licensing options for new installations as well as migration from an existing Cisco security product like Cisco Secure Access Control System, see the Cisco Identity Services Engine Ordering Guidelines at http://www.cisco.com/en/US/products/ps11195/prod_bulletins_list.html.
Key Features in Maintenance Release 1.0.4
Cisco ISE Maintenance Release 1.0.4 offers the following features and services:
• Cisco ISE Installation and Upgrade Process Updates
• Cisco ISE Upgrade and Backup and Restore Enhancements
• Administrator Lockout and Administrator Password Reset
• Windows IE 9 and Firefox 4.x Browsers Support
• Statically Assigned Endpoint Behavior Enhancement
• Correlating Endpoint IP and MAC Addresses with DHCP and RADIUS Probes
• Integrating with Cisco NAC Appliance, Release 4.9
• Cisco Secure ACS to Cisco ISE Migration Updates
For more information on key features of Cisco ISE, see the Overview chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4.
Cisco ISE Installation and Upgrade Process Updates
Cisco has updated the installation and upgrade processes in Cisco Identity Services Engine Maintenance Release 1.0.4. During fresh installation of the 1.0.4.573 .ISO image and upgrade from 1.0.3.377 or 1.0.4.558, Cisco ISE now asks you to specify and verify database administrator and user passwords that protect database communication access among multiple Cisco ISE nodes in a distributed deployment.
For more details, see:
• The "Configuring the Cisco ISE 3300 Series Appliance" and "Upgrading Cisco ISE" chapters of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4
• The Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4
Note: If you want to replace a Cisco ISE appliance running Cisco Identity Services Engine Maintenance Release 1.0.4.558 with a new Cisco ISE running Cisco Identity Services Engine Maintenance Release 1.0.4.573, you must upgrade the appliance running version 1.0.4.558 to 1.0.4.573 before creating a database backup image, which you can then restore on the new appliance running version 1.0.4.573.
Wireless License Options
The new Wireless License options available in Cisco ISE Maintenance Release 1.0.4 enable the same number of endpoints on both the existing Base and Advanced license package. However, the devices that are supported with this type of license are restricted to wireless devices. It is possible to subsequently remove this restriction by installing a Wireless Upgrade license that enables the base and advanced package feature support for all types of devices.
For more information on the new Wireless License options, see the "Performing Post-Installation Tasks" chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4.
Cisco ISE Upgrade and Backup and Restore Enhancements
Cisco ISE, Release 1.0.4 supports upgrading Cisco ISE from a previous release that has patches already installed on it or from any maintenance release. You can upgrade Cisco ISE 1.0 release to Cisco ISE Maintenance Release 1.0.4. In addition, you can also migrate from Cisco Secure Access Control System (ACS) 5.1 and 5.2 releases to Cisco ISE, Release 1.0. After you migrate to Cisco ISE, Release 1.0, you can then upgrade Cisco ISE to the latest release.
For more information on the upgrade and backup procedures, see the "Upgrading Cisco ISE" chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4.
Administrator Lockout and Administrator Password Reset
In Cisco ISE, Release 1.0.4, if you enter an incorrect password for your specified administrator user ID enough times, the Cisco ISE user interface "locks you out" of the system, adds a log entry in the Monitor > Reports > Catalog > Server Instance > Server Administrator Logins report, and suspends the credentials for that administrator ID until you have an opportunity to reset the password associated with that administrator ID. The number of failed attempts required to disable the administrator account is configurable according to the guidelines described in the "Configuring a Password Policy for Administrator Accounts" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4.
The instructions on how to reset the "locked" administrator password are described in the "Performing Post-Installation Tasks" chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4.
Windows IE 9 and Firefox 4.x Browsers Support
Cisco ISE, Release 1.0.4 supports Windows IE 9 and Firefox 4.x browsers for the client and sponsor portals.
For more information on the supported browsers and OS, see Cisco Identity Services Engine Network Component Compatibility, Release 1.0.4.
Statically Assigned Endpoint Behavior Enhancement
Cisco ISE, Release 1.0.4 changes license consumption so that endpoints that are statically assigned to a profile do not consume advanced licenses. Only the number of dynamically profiled endpoints is compared against the limit of the advanced licenses. Endpoints that are statically assigned to a profile are now excluded from utilizing licenses included in the advanced license package, but they are still compared against the limit of base licenses. Previously, Cisco ISE, Release 1.0 compared the total number of concurrent endpoints across the entire deployment against the limit of the advanced licenses.
Correlating Endpoint IP and MAC Addresses with DHCP and RADIUS Probes
Cisco ISE, Release 1.0.4 implements an ARP cache in the profiler service so that you can reliably map IP addresses and MAC addresses of endpoints. For the ARP cache to function, you must enable either the DHCP probe or the RADIUS probe. The DHCP and RADIUS probes carry IP addresses and MAC addresses of endpoints in the payload data. The dhcp-requested address attribute in the DHCP probe and the Framed-IP-address attribute in the RADIUS probe carry the IP addresses of endpoints along with their MAC addresses, which can be mapped and stored in the ARP cache.
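The correlation described above, sketched as an added example; it illustrates the idea and is not the Cisco ISE profiler's implementation. The event layout, the `chaddr` and `Calling-Station-Id` keys used for the MAC address, the one-hour TTL, and the sample events are all assumptions constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Binding:
    mac: str      # normalized MAC address
    source: str   # probe that supplied the binding: "dhcp" or "radius"
    seen: float   # timestamp of the last event that confirmed it


def normalize_mac(raw):
    """Accept 00:1B:.., 00-1B-.. and 001b.4411.. forms; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[-:.]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class EndpointArpCache:
    """IP-to-MAC cache fed by DHCP and RADIUS probe events."""

    # Which attributes hold the IP and the MAC for each probe. The IP attribute
    # names follow the text above; the MAC attribute names are assumptions.
    FIELDS = {
        "dhcp": ("dhcp-requested-address", "chaddr"),
        "radius": ("Framed-IP-Address", "Calling-Station-Id"),
    }

    def __init__(self, ttl=3600.0):
        self.ttl = ttl
        self.by_ip = {}
        self.changes = []   # (ip, old_mac, new_mac) when a live binding is replaced
        self.skipped = 0    # events that could not yield an IP/MAC pair

    def learn(self, event):
        fields = self.FIELDS.get(event["probe"])
        ip = event["attrs"].get(fields[0]) if fields else None
        mac = event["attrs"].get(fields[1]) if fields else None
        try:
            ip = str(ipaddress.IPv4Address(ip))
            mac = normalize_mac(mac)
        except (ValueError, AttributeError):
            self.skipped += 1   # missing or malformed IP/MAC: nothing to correlate
            return False
        old = self.by_ip.get(ip)
        if old and old.mac != mac and event["time"] - old.seen <= self.ttl:
            # Same IP claimed by a different MAC while the old entry is still fresh.
            self.changes.append((ip, old.mac, mac))
        self.by_ip[ip] = Binding(mac, event["probe"], event["time"])
        return True

    def lookup(self, ip, now):
        binding = self.by_ip.get(ip)
        if binding is None or now - binding.seen > self.ttl:
            return None         # unknown or expired
        return binding.mac


# Constructed sample events (not captured traffic).
SAMPLE_EVENTS = [
    {"time": 0, "probe": "dhcp",
     "attrs": {"dhcp-requested-address": "10.12.13.50", "chaddr": "00:1B:44:11:3A:B7"}},
    {"time": 5, "probe": "radius",
     "attrs": {"Framed-IP-Address": "10.12.13.50", "Calling-Station-Id": "00-1B-44-11-3A-B7"}},
    {"time": 10, "probe": "radius",   # no Framed-IP-Address yet: cannot be correlated
     "attrs": {"Calling-Station-Id": "00-1B-44-11-3A-C0"}},
    {"time": 20, "probe": "radius",
     "attrs": {"Framed-IP-Address": "10.12.13.51", "Calling-Station-Id": "001b.4411.3ac0"}},
    {"time": 900, "probe": "dhcp",
     "attrs": {"dhcp-requested-address": "10.12.13.50", "chaddr": "00:1B:44:99:00:01"}},
]


def build_cache(events, ttl=3600.0):
    cache = EndpointArpCache(ttl)
    for event in sorted(events, key=lambda e: e["time"]):
        cache.learn(event)
    return cache


if __name__ == "__main__":
    cache = build_cache(SAMPLE_EVENTS)
    print(cache.lookup("10.12.13.51", now=1000), cache.changes, cache.skipped)
```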
Integrating with Cisco NAC Appliance, Release 4.9
Cisco ISE, Release 1.0.4 now supports integration with Cisco Network Admission Control (NAC) Appliance, Release 4.9. The integration support is compatible only with Cisco NAC Appliance, Release 4.9 and is available when you have installed an advanced or wireless license on the maintenance release of Cisco ISE.
Integrating Cisco ISE, Release 1.0.4 with Cisco NAC Appliance, Release 4.9 allows you to utilize the Cisco ISE profiler services in a Cisco NAC deployment. The Cisco ISE profiler is similar to the Cisco Network Admission Control (NAC) Profiler in a Cisco NAC deployment, which manages endpoints in an enterprise network. This integration allows you to replace the existing Cisco NAC Profiler that is installed in a Cisco NAC deployment. It allows you to synchronize profile names from the Cisco ISE profiler, as well as the result of endpoint classification into the Cisco Clean Access Manager (CAM).
Cisco Secure ACS to Cisco ISE Migration Updates
Authentication and Authorization policies are not migrated. It is the responsibility of the administrator performing migration to define the policies manually.
For more information on the migration policies, see Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.0.4.
Cisco ISE Install Files, Updates, and Client Resources
There are three resources you can use to download installation packages, update packages, and other client resources necessary to provision and provide policy service in Cisco ISE:
• Cisco ISE Downloads from the Cisco Download Software Center
• Cisco ISE Live Updates
• Cisco ISE Offline Updates
Cisco ISE Downloads from the Cisco Download Software Center
In addition to the .ISO installation package required to perform a fresh installation of Cisco ISE on your appliance as described in Installing Cisco ISE Software, you can use the same software download location to retrieve other vital Cisco ISE software elements, like Windows and Mac OS X agent installers and AV/AS compliance modules. Use this portal to get your first software packages prior to configuring your Cisco ISE deployment.
Note: The downloaded agent files may be used for manual installation on a supported endpoint or used with third-party software distribution packages for mass deployment.
To access the Cisco Download Software Center and download the necessary software from Cisco:
Step 1: Log into Cisco Download Software at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You might be required to provide your Cisco.com login credentials.
Step 2: Navigate to Security > Identity Management > Cisco Identity Services Engine > Cisco Identity Services Engine Software.
Choose from the following Cisco ISE installers and software packages available for download:
• Cisco ISE installer .ISO image
• Windows client machine agent installation files (including MST and MSI versions for manual provisioning)
• Mac OS X client machine agent installation files
• AV/AS compliance modules
Step 3: Click Download Now or Add to Cart for any of the software items you require to set up your Cisco ISE deployment.
Cisco ISE Live Updates
Cisco ISE Live Update locations allow you to automatically download agent, AV/AS support, and agent installer helper packages that support the client provisioning and posture policy services. These live update portals should be configured in ISE upon initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the ISE appliance.
Prerequisite:
If the default Update Feed URL is not reachable and your network requires a proxy server, you may need to configure the proxy settings in Administration > System > Settings > Proxy before you are able to access the Live Update locations. For more information on proxy settings, see the "Specifying Proxy Settings in Cisco ISE" section in the "Configuring Client Provisioning Policies" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4.
Client Provisioning and Posture Live Update portals:
• Client Provisioning—https://www.cisco.com/web/secure/pmbu/provisioning-update.xml
The following software elements are available at this URL:
  – Windows and Mac OS X versions of the latest Cisco ISE persistent and temporal agents
  – ActiveX and Java Applet installer helpers
  – AV/AS compliance module files
For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the "Downloading Client Provisioning Resources Automatically" section of the "Configuring Client Provisioning Policies" chapter in the Cisco Identity Services Engine User Guide, Release 1.0.4.
• Posture—https://www.cisco.com/web/secure/pmbu/posture-update.xml
The following software elements are available at this URL:
  – Cisco predefined checks and rules
  – Windows and Mac OS X AV/AS support charts
  – Cisco ISE operating system support
For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the "Dynamic Posture Updates" section of the "Configuring Client Posture Policies" chapter in the Cisco Identity Services Engine User Guide, Release 1.0.4.
If you do not enable the automatic download capabilities described above in Cisco ISE, you can choose offline updates. See Cisco ISE Offline Updates.
Cisco ISE Offline Updates
Cisco ISE offline updates allow you to manually download agent, AV/AS support, and agent installer helper packages that support the client provisioning and posture policy services. This option allows you to upload client provisioning and posture updates in environments where direct Internet access to Cisco.com from the ISE appliance is not available or not permitted by security policy.
To upload offline client provisioning resources, complete the following steps:
Step 1 Log into Cisco Download Software at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You might be required to provide your Cisco.com login credentials.
Step 2 Navigate to Security > Identity Management > Cisco Identity Services Engine > Cisco Identity Services Engine Software.
Choose from the following Off-Line Installation Packages available for download:
• compliancemodule-<version>-isebundle.zip — Off-Line Compliance Module Installation Package
• macagent-<version>-isebundle.zip — Off-Line Mac Agent Installation Package
• nacagent-<version>-isebundle.zip — Off-Line NAC Agent Installation Package
• webagent-<version>-isebundle.zip — Off-Line Web Agent Installation Package
Step 3 Click Download Now or Add to Cart for any of the software items you require to set up your Cisco ISE deployment.
For more information on adding the downloaded Installation Packages to Cisco ISE, refer to the "Adding Client Provisioning Resources from a Local Machine" section of the "Configuring Client Posture Policies" chapter in the Cisco Identity Services Engine User Guide, Release 1.0.4.
You can update the checks, rules, antivirus and antispyware support charts for both the Windows and Macintosh operating systems, and operating systems information offline from an archive on your local system using the posture updates.
For offline updates, you need to ensure that the versions of the archive files match the version in the configuration file. Use this portal once you have configured Cisco ISE and want to enable dynamic updates for the posture policy service.
To upload offline posture updates, complete the following steps:
Step 1 Go to https://www.cisco.com/web/secure/pmbu/posture-offline.html.
The File Download window appears. From the File Download window, you can choose to save the posture-offline.zip file to your local system. This file is used to update the checks, rules, antivirus and antispyware support charts for both the Windows and Macintosh operating systems, and operating systems information.
Step 2 Access the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture.
Step 3 Click the arrow to view the settings for posture.
Step 4 Choose Updates. The Posture Updates page appears.
Step 5 From the Posture Updates page, choose the Offline option.
Step 6 From the File to update field, click Browse to locate the single archive file (posture-offline.zip) from the local folder on your system.
Note: The File to update field is a required (mandatory) field and cannot be left empty. You can only select a single archive file (.zip) that contains the appropriate files. Archive files other than .zip (like .tar and .gz) are not allowed.
Step 7 Click the Update Now button.
Once updated, the Posture Updates page displays the current Cisco updates version information as a verification of an update under Update Information.
Cisco ISE Antivirus and Antispyware Support
See the following Cisco ISE documents for specific antivirus and antispyware support details:
• Cisco Identity Services Engine Release 1.0.4 Supported Windows AV/AS Products
• Cisco Identity Services Engine Release 1.0.4 Supported Mac OS X AV/AS Products
Cisco ISE Patch Release Updates
• Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 6
• Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 5
• Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 4
• Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 3
• Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 2
• Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 1
Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 6
Table 5 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 6.
You must deploy this patch on Cisco Identity Services Engine Maintenance Release 1.0.4.573; otherwise the patch install will fail and Cisco ISE will return an error message stating, "This patch is intended to be installed on ISE 1.0.4.573." Since patch 6 is a cumulative patch, you can apply it to any of the following maintenance release versions:
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 5
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 4
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 3
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 2
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 1
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 (no patches yet applied)
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
Then refer to the "Installing a Software Patch" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x, for instructions on how to apply the patch to your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 5
Table 6 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 5.
You must deploy this patch on Cisco Identity Services Engine Maintenance Release 1.0.4.573; otherwise the patch install will fail and Cisco ISE will return an error message stating, "This patch is intended to be installed on ISE 1.0.4.573." Since patch 5 is a cumulative patch, you can apply it to any of the following maintenance release versions:
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 4
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 3
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 2
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 1
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 (no patches yet applied)
To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.0.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.
Then refer to the "Installing a Software Patch" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4, for instructions on how to apply the patch to your system.
Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 4
Table 7 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 4.
You must deploy this patch on Cisco Identity Services Engine Maintenance Release 1.0.4.573; otherwise the patch install will fail and Cisco ISE will return an error message stating, "This patch is intended to be installed on ISE 1.0.4.573." Since patch 4 is a cumulative patch, you can apply it to any of the following maintenance release versions:
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 3
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 2
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 1
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 (no patches yet applied)
To obtain this patch, please contact Cisco Technical Assistance Center and then refer to the "Installing a Software Patch" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4, for instructions on how to apply the patch to your system.
Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 3
Table 8 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 3.
You must deploy this patch on Cisco Identity Services Engine Maintenance Release 1.0.4.573; otherwise the patch install will fail and Cisco ISE will return an error message stating, "This patch is intended to be installed on ISE 1.0.4.573." Since patch 3 is a cumulative patch, you can apply it to any of the following maintenance release versions:
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 2
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 1
• Cisco Identity Services Engine Maintenance Release 1.0.4.573 (no patches yet applied)
To obtain this patch, please contact Cisco Technical Assistance Center and then refer to the "Installing a Software Patch" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4, for instructions on how to apply the patch to your system.
Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 2
Table 9 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 2.
To obtain this patch, please contact Cisco Technical Assistance Center and then refer to the "Installing a Software Patch" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4, for instructions on how to apply the patch to your system.
Note
This patch application process requires the Cisco ISE primary Administration node to restart multiple times, due to an ADE-OS update. If you are installing or rolling back from the primary Administration ISE node user interface, the node restarts once again after the patch has been installed in all of the secondary nodes in your deployment. You can verify the current status of the Cisco ISE using the "show application status ise" CLI command after the patch application process is complete. In addition, because the primary Administration ISE node restarts more than once, you may observe erroneous alarms triggered on the dashboard, indicating that the patch install/rollback failed on a secondary node, when in reality the patch application has taken place correctly. If such an alarm appears, please verify status using the show version CLI command on the secondary node in question, or check the node status indicated on the patch management page in the primary node administrator user interface to verify whether the secondary node has the patch successfully installed.
Resolved Issues in Cisco ISE Version 1.0.4.573—Cumulative Patch 1
Table 10 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.0.4.573 cumulative patch 1.
To obtain this patch, please contact Cisco Technical Assistance Center and then refer to the "Installing a Software Patch" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4, for instructions on how to apply the patch to your system.
Cisco ISE Release 1.0.4 Open Caveats
• Cisco ISE Release 1.0.4.573 Appliance Open Caveats
• Cisco ISE Release 1.0.4.573 Agent Open Caveats
Cisco ISE Release 1.0.4.573 Appliance Open Caveats
Table 11 Cisco ISE Release 1.0.4.573 Appliance Open Caveats
Caveat | Description
CSCtc70053
Browser "Back" button not working properly
This issue has been observed in the Cisco ISE list page when switching from the list view to edit view (i.e., when you click the Create or Edit button).
Workaround
There is no known workaround for this issue.
CSCtj00178
Group QuickFilters not working as designed
After the administrator runs and saves an advanced filter, Cisco ISE does not display the "Successful Save" pop-up after the filter is saved.
This issue has been observed using the Admin Groups, User Identity Groups, Endpoint Identity Groups, and Guest Sponsor Groups filter options.
Workaround
There is no known workaround for this issue.
CSCtj25158
Exported admin should not be imported back as Network Access User
This problem occurs when Cisco ISE promotes Network Access Users to Administrators and then exports those users. When you re-import those users, they appear as Network Access Users only. Cisco ISE does not import the promoted users as Administrators.
Workaround
There is no known workaround for this issue.
CSCtj37325
Profiler Attribute value exceeds maximum 4000 character length
Endpoints are not profiled nor are new attributes updated when at least one Profiler Endpoint Attribute is greater than 4000 characters in length.
CSCtj76835
Unable to retrieve a saved Authentication Trend report
Symptom: Two steps are necessary to save an Authentication Trend report:
1. Select the folder.
2. Name the file.
If you do not select a folder from the list that is presented, the report should be saved in the root folder and should appear in the Reports tab. You can observe that the files are saved, but they do not appear in the left side pane and there is no option to retrieve the files.
Conditions
Saving an Authentication Trend report without selecting a folder.
Workaround
Do not save the report under the root folder. Always choose a subfolder.
CSCtj81255
Two MAC addresses detected on neighboring switch of ACS 1121 Appliance.
Symptom: Two MAC addresses are detected on the switch interface connected to an ACS 1121 Appliance although only one interface is connected on the ACS 1121 Server eth0.
Conditions
Only one Ethernet interface, eth0 is connected between ACS and Switch.
Workaround
Disable BMC (Baseboard Management Controller) feature using BIOS setup.
Caution: To help prevent a potential network security threat, Cisco strongly recommends physically disconnecting from the Cisco ISE console management port when you are not using it. For more details, see http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms.
CSCtj94813
Left side administrator user interface pane "Search Result" option is not working as expected
1. If you enter available data and click the search option, it does not display properly.
2. If the option displays some data and if you enter another value, it does not refresh the data properly.
3. The option does not display the layered/structured model as designed.
In addition, you are not able to go back to previous menu.
Workaround
There is no known workaround for this issue.
CSCtk17648
IE8—Network Device Management missing from the Cisco ISE Administrator Tab
This issue has been observed when changing the zoom setting in Internet Explorer 8 using the control and plus (+)/minus (-) keys.
Workaround
If the menu is missing, change the zoom to the default value and refresh the page.
CSCtk32480
Local certificate export failed after deleting trusted certificate
After you delete a trusted certificate, the local certificate export operation (Administration > System > Certificates > Local Certificates > Export) fails. Instead of being prompted for the export file destination, nothing happens.
Workaround
Reload the page using the browser reload function. This should reload all of the JavaScript files for the page and allow you to export the local certificate.
CSCtk37360
Administrator is not able to customize report in Internet Explorer 8
Monitoring and troubleshooting reporting functions related to column selection and entry deletion/aggregation, etc. are not working as designed.
This issue can come up using the following versions of Internet Explorer 8:
• IE 8.0.6001.18702 on Windows XP
• IE 8.0.6001.18702IC on Windows XP
Workaround
There is no known workaround other than to avoid using the problematic browser versions.
CSCtk46958
Cisco ISE does not display a warning when navigating away from a modified page without saving
When a user changes configuration context, there is no warning indicating that the information configured on the current page is not saved, nor is there a warning indicating that all configuration changes will be lost when the user completes that context change.
Workaround
Save before navigating away from the page in question.
CSCtk82864
AAA Servers incorrectly filter with "Contains" option
When AAA servers are added to the AAA servers list (for example: a, ab) and a filter is added which includes regular expressions, Cisco ISE generates an incorrect filtered list.
Workaround
Do not use regular expressions in filters.
CSCtl56724
Network access users display filter sorted by status does not work
An issue exists in the Administration > Identity Management > Identities > Users page where Cisco ISE does not appropriately filter Network Access User entries when you click on the filter and try to specify "sort by status."
Workaround
There is no known workaround for this issue.
CSCtl70056
"Today" is not validated against the Cisco ISE Monitoring node End Date
Reports run with a custom time range (where "today" is the specified End Date) do not work, and the Monitoring node returns a validation error. This issue has been observed where the time on the client machine (where a browser session is active) is earlier than that of the Cisco ISE node (for example, where the client is on PST and the Cisco ISE node is on UTC time zone).
Workaround
Change the time zone or clock on the client machine so that the current time on that server is the same or ahead of the Monitoring node.
CSCtl77592
Unable to create authorization policy with RadiusCallingStation ID condition
When the administrator uses a MAC address in xx-xx-xx-xx-xx-xx format as the right hand side (RHS) of a condition with the RADIUS "Calling station ID" dictionary attribute, it fails to match the policy decision.
Cisco ISE does not perform validation on the string value that is entered on the RHS when constructing a condition.
Workaround
Use the MAC address format xx:xx:xx:xx:xx:xx when defining conditions.
CSCtl78424
Blank right hand Network Devices pane with vertical scroll
The Network Device page contains the navigation pane on the left of the page and the network devices table on the right of the page. If there are more than 500 devices configured and the following steps have been taken, the devices table does not appear as it should:
1. Move the vertical scroll all the way to the bottom and wait a few seconds.
2. Move vertical scroll to the top and then back to the bottom again (and repeat if necessary) until the table disappears.
3. The table remains empty (blank) for 30 minutes or more.
Workaround
Manually refresh the devices page.
CSCtn42397
The Network Access Users "Delete All" function when used on a filtered list should only delete filtered (displayed) Network Access Users
The "Delete All" function in the Administration > Identity Management > Identities > Users page deletes all the users, regardless of whether they are filtered or existing (non-filtered) users.
Workaround
There is no known workaround for this issue.
CSCtn44427
No progress indicator is displayed when importing collections of random or CSV guests
Workaround
There is no known workaround for this issue. The administrator must simply wait for the process to complete.
CSCtn53084
Incorrect export of DER imported server and trusted certificate authority certificates
When exporting a local certificate using the Administration > System > Certificates > Local Certificates > Export page, the administrator may find that the certificate is in Distinguished Encoding Rules (DER) format when another format like Privacy Enhanced Mail (PEM) is desired.
The certificate export function exports a certificate using the same format it had when imported. In Cisco ISE, there is no format conversion option available.
Note: One way to avoid this is to simply import all certificates in PEM format. You can convert DER to PEM using tools like openssl, and your certificate authority may have an option for PEM output.
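The DER-to-PEM conversion mentioned in the note for CSCtn53084, as an added example that is not part of the Cisco release notes. It assumes the openssl command-line tool is installed on the administrator workstation; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Cisco code. Function names are hypothetical.
# Normalizes a certificate to PEM before it is imported into Cisco ISE,
# so that a later export (which keeps the import format) is also PEM.

# cert_format FILE: print PEM or DER, or fail if FILE is not a certificate.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        # PEM armor found; confirm the body really parses as X.509.
        openssl x509 -inform PEM -in "$1" -noout 2>/dev/null || return 1
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo DER
    else
        return 1
    fi
}

# cert_fingerprint FILE FORMAT: print the SHA-256 fingerprint line.
cert_fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# to_pem SRC DST: write a clean PEM copy of SRC to DST, then check that the
# fingerprint is unchanged so the converted file is the same certificate.
to_pem() {
    src=$1
    dst=$2
    fmt=$(cert_format "$src") || {
        echo "not an X.509 certificate: $src" >&2
        return 1
    }
    openssl x509 -inform "$fmt" -in "$src" -outform PEM -out "$dst" || return 1
    before=$(cert_fingerprint "$src" "$fmt")
    after=$(cert_fingerprint "$dst" PEM)
    if [ -z "$before" ] || [ "$before" != "$after" ]; then
        echo "fingerprint mismatch after conversion" >&2
        rm -f "$dst"
        return 1
    fi
    echo "$fmt -> PEM  $after"
}

# Run as: sh to_pem.sh server.der server.pem
if [ "$#" -eq 2 ]; then
    to_pem "$1" "$2"
fi
```

The printed fingerprint can be compared with the one shown by the issuing certificate authority before the PEM file is imported.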
CSCtn59529
Network Access User filters do not work on the Status or Admin columns using the Quick and Advanced filters
Cisco ISE search functions are not supported on columns which have images or icons. The Status and Admin columns use images and icons instead of text, therefore filtering does not work.
Workaround
There is no known workaround for this issue.
CSCtn62141
A script on the Administration > Identity Management > Groups page causes Internet Explorer 8 to run slowly. If it continues to run indefinitely, your computer could become unresponsive. (This problem has not been observed using Mozilla Firefox.)
Workaround
There are three ways to fix this issue:
1. Implement Virtual Scrolling in the Object Selector.
2. Change the time-out value as follows:
a. Using a Registry Editor such as Regedt32.exe, open the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles key.
b. Create a new DWORD value called "MaxScriptStatements" under this key and set the value to the desired number of script statements. If you are unsure of what value you need to set this to, you can set it to a DWORD value of 0xFFFFFFFF to completely avoid the dialog.
3. Install and apply the following patch from Microsoft:
CSCtn65437
Report timestamp incorrect with Asia/Kolkata time zone
This behavior has been observed only using the Asia/Kolkata time zone. The result is minus 5.30 hours when compared to the actual record in the Cisco ISE database.
Workaround
There is no workaround for this issue at this time.
CSCtn73422
Network Access User filters filtering correctly
The filter display does not conform to the expected alphanumeric order. For example, create four users with the following IDs:
• 2234567890a
• a214567890
• 2b34567890-2
• a214-25678
Use either the Quick/Advanced Filter with a "Name: Contains _2" attribute. The resulting list is returned as follows:
• 2234567890a
• 2b34567890-2
• a214-25678
• a214567890
CSCtn78676
When a user name has a space between words and another similar name contains two or more spaces, Cisco ISE displays the same user name for both users.
Workaround
There is no known workaround for this issue. Even though the multiple spaces are trimmed and shown as one space in the UI, the data is saved correctly in the database.
CSCtn78899
When a user group name has a space between words and another similar user group name contains two or more spaces, Cisco ISE displays the same user group name for both groups.
Workaround
Avoid giving spaces in the name field while creating Identity Group.
CSCtn83738
Session status summary report failing for Wireless LAN Controllers
It appears that Cisco ISE may not be appropriately handling public/private community strings.
Workaround
There is no known workaround for this issue.
CSCtn92594
Quickpicker filters are not working correctly during Client Provisioning policy configuration
This issue has been observed with the following three filter options:
• Identity Groups
• Operating Systems
• Other conditions
Workaround
There is no known workaround for this issue.
CSCtn92602
Filters are not working under QuickPickers during Posture Policy configuration
The following QuickPicker filters are not working during Posture Policy configuration:
• Operating System
• Other Conditions
• Requirements
When using any of these QuickPickers to search for text, Cisco ISE returns invalid search results.
Workaround
There is no known workaround for this issue.
CSCtn95127
Client provisioning report does not show the policy matched
The report shows which agent is downloaded, but it does not indicate which policy has been applied.
This happens if a network access request has been redirected to the client provisioning portal and the client provisioning service applies a policy that determines which agent needs to be installed on the client machine.
Workaround
There is no known workaround for this issue.
CSCtn95548
Filter behaving case sensitive for Network Device groups
The results for network device group filtering in the network device group (NDG) page are incorrect. This is because the filtering in the network device group page is case sensitive.
Workaround
Enter network device groups values using lower-case letters.
CSCtn99145
An authorization policy matching multiple rules does not appropriately match the existing ACCESS_ACCEPT rule
When an authorization policy uses the "multiple rule match" option, and any of the matched policy rules contain ACCESS_REJECT, the ACCESS_REJECT rule overrides the ACCESS_ACCEPT rule, regardless of where the two rules appear in relation to one another.
Workaround
There is no known workaround for this issue.
CSCto03813
No "Cisco ISE Config Changes" alarm generated using Authentication > Simple Condition > Edit/Add/Delete
Workaround
There is no known workaround for this issue.
CSCto05172
The Profiler detail log does not display some attributes.
"Certainty Matrix," "Matched Rule," and "Endpoint Action" name values are not updated in the Profiler endpoint detail log.
Workaround
There is no known workaround for this issue.
CSCto06361
Changing the User Identity Group name case should not return error upon search
After you create a User Identity Group called "mickeymousegroup" and edit the name to be "MickeyMouseGroup," Cisco ISE displays the following error:
"Identity Group with name `NAC Group:NAC:IdentityGroups:User Identity Groups:MickeyMouseGroup' already exists."
Workaround
Delete and recreate the User Identity Group.
CSCto09989
Cisco ISE browser session redirects to Monitoring login page using Internet Explorer 8
As soon as you log in to Cisco ISE via IE8, the page gets redirected to a Monitoring node administrator login page (even before the initial page displays completely).
Note: This issue has also been observed using Mozilla Firefox, but the redirection in Firefox only takes place after a couple of minutes of inactivity.
Workaround
Immediately after entering your login credentials, navigate from the main Cisco ISE page to any configuration page (like Posture, Authorization, or Client Provisioning, for example).
For more information, see Issue Accessing the Cisco ISE Administrator User Interface.
CSCto10678
Administrator user should not be able to delete self policy
If self-policies get deleted, the administrator cannot log in.
Workaround
The Cisco ISE administrator should not delete their own access policy.
CSCto10855
IE8 with default option settings is not working
This issue arises when the default URL has been specified in Administration > System > Setting > Posture Updates.
Workaround
There is no known workaround for this issue.
Note
This functionality is working as designed using a Firefox browser.
CSCto13102
No "Cisco ISE Configuration Changes" message dialogs are displayed for certain guest/sponsor configuration
Certain dialogs are missing for guest and sponsor configuration changes, hence, Cisco ISE does not confirm when changes have been made and accepted.
CSCto13235
File Condition Advanced Filter does not return correct result
This issue has been observed in the Advanced Filter function of the Posture Simple Condition and Remediation pages. The "Match All/Any of the Following Rules" selection is not working as expected.
Workaround
There is no known workaround for this issue.
CSCto13986
IE8—Error when clicking the "Action" button on the Requirement page
Go to Policy > Policy Elements > Results > Posture > Remediation Action and click on the Requirement in the left hand navigation pane. Once the page loads, click on the "Action" button. A JavaScript error is returned when accessing the page via Internet Explorer 8.
Note
This is an issue with Internet Explorer 8 and is working as expected.
CSCto15508
Filter in Security Group Access Egress Policy is not working correctly
Workaround
There is no known workaround for this issue.
CSCto17461
Invalid Simple Condition error message in Guest configuration
If you duplicate, but do not rename a new Simple Condition in the Policy Elements > Conditions > Guest > Simple Condition page, Cisco ISE returns an error message indicating that the condition has not been saved.
Workaround
Change the name of the condition that is being duplicated before saving it.
CSCto22671
HTTPS communication fails if the certificate is deleted from the primary Administration ISE node
The following operations on the primary Administration ISE node fail unexpectedly:
- Restoration of a backup
- Manual sync
- Node deregistration
If the certificate(s) required to validate the HTTPS certificate of a registered node have been removed from the primary Administration ISE node trust store, they must be reimported into the trust store before attempting to restore database material, perform manual sync, or deregister other policy service nodes.
CSCto24105
A Network Access User can be created with a name longer than 25 characters via network access user import, but Cisco ISE cannot reliably handle user names that long.
Workaround
There is no known workaround for this issue.
CSCto24430
Details of guest RADIUS authentication failure are not available when searching via the guest username
This issue has been observed where the guest user has logged in with space appended to the beginning or end of the user name.
Workaround
The guest user must enter the user name without any additional spaces entered at the beginning or end.
CSCto27568
Cannot enable checkboxes in the right hand Filtered Network Devices pane
The administrator is not able to select a checkbox under the following conditions:
1. The browser window is not open to its maximum size.
2. A filter is applied to the network device table.
Workaround
Apply filters to the network device table only when the browser window is maximized.
CSCto29479
Cisco NAC Web Agent fails to validate Registry Condition
Registry condition check does not work correctly on 64-bit Windows operating systems.
Workaround
There is no known workaround for this issue.
CSCto33037
Allowed character sets between policy conditions and element conditions are different
When conditions are created inside policies, the allowed character sets are not the same. Condition policies allow alphanumeric, hyphen (-), underscore (_), or period (.) characters. The condition page itself allows letters, numbers, and "_".
Workaround
Use the common characters of both sets: letters, numbers, and "_".
CSCto33973
Joining Cisco ISE to an Active Directory domain locks up when the Global Catalog is down or unreachable
Having a Global Catalog active is essential for Cisco ISE operation with Active Directory. If there are no Global Catalogs available, the Cisco ISE user interface locks up for a long time in certain operations. This issue applies to a single domain environment.
CSCto41078
Cannot create an Identity Group using the gear icon during Client Provisioning policy configuration
Workaround
Create the Identity Group using the Administration > Identity Management > Groups page before configuring the policy.
CSCto41340
Authentication Policy replication failure from Primary to Secondary if the time zone changes after installation
CSCto42182
Profiling HTTP requests for 802.1X scenarios may not include agent
This issue occurs when the initial HTTP request for 802.1X authentication and posture services are redirected to the gateway via HTTPS.
Workaround
Try using URL redirection over port 8080 for the gateway.
CSCto43825
Synchronization fails with time zones other than UTC
During installation, if you specify a time zone other than UTC, replication fails during registration and Synchronization status shows "OUT OF SYNC."
Workaround
To avoid this issue, change the time zone to UTC, enter the reset-config command via CLI, and reregister the node.
CSCto45372
Default Sponsor Groups do not allow the Sponsor to create users or view passwords.
Workaround
Navigate to the Guest Management > Sponsor Groups page and change the Sponsor Groups to allow appropriate access rights to Sponsors in these groups.
CSCto48657
Profiled endpoints are not all deleted
If you delete endpoints that have recently been imported (before Cisco ISE can finish Profiling all of the new endpoints), Cisco ISE does not delete them all.
Workaround
Wait until all endpoints have been profiled before trying to delete them, or try to delete the remaining endpoints again after the initial attempt.
CSCto49359
Filters not working correctly on Guest conditions page
Filters are not getting saved in the Policy Elements > Conditions > Guest > Simple Conditions page.
Workaround
Re-enter the filter to get Cisco ISE to perform the list filtering correctly.
CSCto54536
Local certificates disappear on the secondary node following "application reset-config ise" command in CLI
This issue occurs when displaying the local certificates on the Administration > System > Certificates > Local Certificates page of a deregistered node that is now in Standalone mode.
The administrator should not reset the configuration of a node prior to de-registering it. The correct process is as follows:
1. Node A is registered.
2. Node A is deregistered.
3. Enter "application reset-config ise" in node A CLI.
Workaround
If the node is reset before deregistration, you can make the local certificates reappear by entering the following commands in the CLI:
• application stop ise
• application start ise
CSCto59976
Sync with NTP server during initial set-up shows failure although NTP server is reachable.
This issue occurs if an invalid or unreachable NTP server was first specified during initial installation and is then corrected (reconfigured) with an NTP server which has fewer characters than the initial invalid NTP server entry.
Workaround
When the set-up shows "Sync with primary NTP server failed," press CTRL+C and restart the set-up from scratch, this time providing the valid and reachable NTP Server in the initial prompt itself.
CSCto60148
Java crashes during high posture load
This issue has been observed under extreme load conditions where Cisco ISE is hit with a large number of concurrent users for posture.
Workaround
None. You must restart the Cisco ISE Policy Service.
CSCto60636
Favorite reports are not preserved after executing "application reset-config ise" in the Cisco ISE CLI
After the reset-config operation is complete, you can manually add the corresponding reports to favorites again.
CSCto63749
The Cisco ISE dashboard does not display endpoints entered via the Administrator user interface
Endpoint display behavior works as designed for imported or detected Endpoints.
Workaround
Define the endpoint(s) in a CSV file and import the CSV file.
CSCto64028
"Fail to receive server response..." seen when deleting profiling policy
A "Fail to receive server response due to the network error (ex. HTTP timeout)" error message may appear when deleting Profiling policies, and some of the policies may not be deleted.
Workaround
Log out from Cisco ISE, log back in, and try deleting the policies again.
CSCto68519
Sorting / Filtering Does Not Work in Egress Table
Cannot filter or sort Egress policy table data.
Workaround
There is no known workaround for this issue.
Note
It is not possible to filter the Egress policy table data based on source / destination security group. In addition, sorting is not available.
CSCto70968
Fast reconnect is not working for PEAP-TLS protocol
When the supplicant is eligible for PEAP-TLS fast reconnect after establishing a PEAP tunnel, Cisco ISE does not allow the fast reconnect function and falls back to the standard inner method.
The following messages appear in the customer log:
• 22044 Identity policy result is configured for certificate based authentication methods but received password based
• 12317 PEAP fast-reconnect failed; starting inner method
Workaround
There is no known workaround for this issue.
CSCto72521
Save failed for child group assignment during Client Provisioning policy configuration
An exception dialog box appears, displaying an "Invalid identity group in policy <policy name>. There were errors in the save" message.
Workaround
Use first-level identity groups whenever possible.
Note
Identity Group selection is more than one level deep. For example, an administrator creates hierarchical groups like "Employee" or "Accounting" and selects "Accounting" as an Identity Group when creating or updating a client provisioning policy.
CSCto72594
Cisco ISE cannot save a Posture Policy when the Identity Group is the child of one or more other Identity Groups
Cisco ISE returns a "Policy Policy_Check_For_AV_Installation_Win: Error - class com.cisco.cpm.posture.exceptions.PostureValidationException: invalid role" message and does not save the Posture Policy in question.
Workaround
Use only first-level Identity Groups.
CSCto73439
Restart required upon completion of Monitoring node database restoration
This issue has been observed with both scheduled and incremental backup and restore functionality.
After completing a Monitoring node database restoration, manually synchronizing a Secondary node from the Primary node does not work because the Secondary Administration ISE node data has been changed by the Monitoring node restoration operation.
Workaround
There are two possible workarounds for this issue:
• Log into the Cisco ISE CLI with admin privilege and execute the following commands:
  a. application stop ise
  b. application start ise
• Log into the Cisco ISE CLI with admin privilege and execute the reload command.
CSCto74356
Self-registered Guest role does not appear associated with the Guest account
If the administrator creates a new Identity Group (group role) and specifies this role as the default group role on the Guest Portal Policy page for self registration, the newly created Identity Group is not added to the identity group list for a sponsor group.
This issue can occur in both standalone and distributed deployment.
Workaround
Add the new Identity Group to the Sponsor Group to which the sponsor is mapped, which shows the correct Identity Group in the Edit panel of the Guest account.
CSCto82519
Saving your Active Directory configuration while the DNS is down takes a very long time
Cisco ISE requires connectivity to Active Directory (including DNS) when saving the configuration. If the DNS is not reachable, then the save function may time out before it can complete.
Workaround
Ensure that the DNS is available and reachable before saving your Active Directory configuration.
CSCto82631
Clicking the "Name" field in the Cisco ISE User Identity Group page yields unexpected download behavior
Workaround
There is no known workaround for this issue.
CSCto83897
Client machine authentication shift to user authentication not updating Active Directory groups
During a Wireless LAN Controller (WLC) login session, the client machine authenticates with Cisco ISE correctly and the corresponding authorization profile is picked up. During user authentication, however, (although system log entries indicate that user authentication has happened correctly) the previous authorization profile (for machine authentication) is applied to the user session again.
This issue has been observed during wireless login scenarios where the WLC is running firmware version 7.0.116.0.
Workaround
If you do not require the new WLC features (such as NAC-RADIUS) introduced in firmware version 7.0.116.0, Cisco recommends restoring the WLC version to 7.0.98.218 until a new firmware version becomes available.
For more information, see Known Incompatibility Issue with WLC Firmware Version 7.0.116.0.
CSCto87755
Guest accounting report appears only once, even though Guest logs in multiple times
This issue has been observed when Guest users have logged in using the same endpoint multiple times. The report shows only the user's first login details, not the most recent login.
Workaround
There is no known workaround for this issue.
CSCto87799
Guest authentication failing
Guest authentication fails and the LiveLogs on Cisco ISE show the reason as "session cache entry missing." The most common explanation for this issue is that the browser is using old session information.
Workaround
The user just needs to launch a new browser session and get redirected to the appropriate Guest portal.
CSCtq00096
Compound condition from a Sponsor Group Policy has a different name after it is saved
This new name can erase the existing condition in the Cisco ISE configuration and the administrator must assign the condition again.
Workaround
If you are editing conditions in the Sponsor Group Policy, specifically reassign the compound condition.
CSCtq07776
In Posture Policy, clicking the Save symbol returns an error message
When you attempt to configure Dictionary Compound Condition using Posture Policy configuration, Cisco ISE returns a "configured dictionary compound condition already exists" error message, even though the specified Dictionary Compound Condition does not yet actually exist.
Workaround
The administrator needs to click on the OK button several times, or reload the page to work through this issue.
CSCtq09004
Windows 7 guest access not successful from IE8 and Chrome 10
Guest access fails over a wireless LAN controller connection. The login session does not appropriately redirect the user authentication request. This is likely due to IE8 and Chrome 10 browsers on Windows 7 being unable to redirect the RADIUS authentication request to the controller.
Note
This issue has not been observed using Mozilla Firefox.
Workaround
Ensure that the certificates in the controller are accepted by the IE8 browser on the Windows 7 client correctly.
CSCtq09655
Dictionary Attribute duplication is not happening as designed during Authentication Policy configuration
Dictionary Attributes are not being duplicated appropriately within a rule during Authentication Policy configuration. Only the "operator" and "condition" values are getting duplicated.
Workaround
You must manually specify the Dictionary Attribute to complete the configuration.
CSCtq11650
The primary Administration ISE node has database links to Inline Posture nodes following promotion from secondary to primary
The newly-promoted primary node attempts to replicate with Inline Posture nodes and saves the undeliverable messages in its local database. This issue has been observed in a distributed deployment with Inline Posture nodes associated with an Administration ISE node that has been promoted from secondary to primary.
Workaround
Use root patch and SQLPlus to clean it.
CSCtq17744
Exception policy not getting created first time in Authorization policy
When you create the first new exception policy under an Authorization Policy, an error pops up indicating that the operation has failed.
This issue has been observed when there are no items in the exception policy pane and the user clicks Create New. After the user submits the change, an error message comes up.
Workaround
There are two possible workarounds for this issue:
1. Use the Duplicate function to add a second exception policy below the first one, and then delete the first exception. Once all the changes are done, then save the policy.
2. Similar to the first option above, use the Insert function to insert a second exception policy below the first one, and then delete the first exception. Once all the changes are done, then save the policy.
CSCtq22779
Cisco ISE allows saving authorization compound conditions with the same names
If you create two authorization compound conditions called "C1" and "C2," then change the name of "C2" to "C1," Cisco ISE does not return an error and you end up with two compound conditions called "C1." This happens only for authorization compound conditions.
The potential impact of this problem is that the contents of the original "C1" compound condition are always picked up and enforced in authorization policies that use "C2."
Workaround
There is no known workaround for this issue. You must be sure to create conditions with unique names. If you do end up creating two or more conditions with the same name, you can always rename them appropriately at any time.
CSCtq53690
Scheduled Monitoring and Troubleshooting incremental backup switches off following failed backup attempt
Workaround
If one of the scheduled Monitoring and Troubleshooting node backup events fails, the administrator needs to enable the "Incremental Backup" option again in the Administration > System > Operations > Monitoring Node > Scheduled Backup page.
CSCtq80912
Issues with Guest accounting report functions
After at least one full day of traffic, round trip Guest sessions include non-guest events in the logs.
Note
There is no known workaround for this issue.
CSCtr09694
MAC address search at Reports > Query and Run should not be case sensitive
While launching reports, the MAC address search is case sensitive, but should not be.
Note
There is no known workaround for this issue.
CSCtr24825
Numerous Alarms entitled "ISE Alarm (CRITICAL): Alarm caused by ISE - System Health threshold" with high numbers in "CPU Utilization (%)"
The same alert message is being used for both real system resource overloads and normal operations like system backup and restore.
Note
There is no known workaround for this issue.
CSCtr29490
Endpoint does not get profiled correctly with HTTP traffic following posture assessment
Following a VLAN change, traffic may not be mapped to the endpoint due to a missing IP address in the RADIUS accounting message.
Workaround
Use a DHCP probe for profiling. Alternatively, RADIUS interim accounting should correct the situation on the next accounting update.
CSCtr38300
"Admin" login account is disabled and cannot be unlocked
After you enter the wrong password for the administrator user ID at least 5 times (though the actual value is configurable), the administrator cannot use the "admin" login credentials to access the user interface and Cisco ISE displays the following message:
"Your account has been locked after too many consecutive unsuccessful attempts. Please contact your system administrator for assistance."
Workaround
When you regain access to the user interface, create another administrator ID (different credentials) with the same permissions and log in using that one.
Note
This is a new security function of Cisco ISE Maintenance Release 1.0.4 and is working as designed.
CSCtr39545
Endpoint update function may execute before endpoint creation
Alarms generated on replication failures; DEBUG entries from Profiler show endpoint update failures due to absent record.
Note
There is no known workaround for this issue.
CSCtr51053
Back button use is not working correctly under compound conditions after upgrade
When you add a new compound condition in the Policy > Conditions > Posture > Compound Condition configuration page and then navigate through the condition list, the back button will lead to the Cisco ISE home (Monitoring) page instead of the previous level.
CSCtr53954
Configure ISE for MAB + Posture flow
After successful MAB Authentication, the client endpoint is moved to its assigned VLAN. Then the posture function initiates and the endpoint sends a "compliant" report back to Cisco ISE, which triggers CoA for that session and sends a new VLAN assignment back to the associated NAD. The problem is that the endpoint fails to refresh its IP address. (Make sure the endpoint is put into a different VLAN after moving to the compliant/noncompliant state.)
Note
The same IP-refresh on VLAN change is working in an 802.1X environment with posture functions.
Workaround
If you enable the "Agent IP refresh after VLAN change" option in the Agent profile, the IP address gets refreshed after the endpoint moves to the compliant/noncompliant state.
CSCtr57280
IP-to-MAC address binding fails in wireless environment with RADIUS and HTTP probe
RADIUS accounting messages from a WLC do not send the endpoint IP address. This is different from the RADIUS accounting messages from wired infrastructure. This makes the RADIUS method ineffective for IP-to-MAC address binding on Cisco ISE.
CSCtr58604
Cisco Administration ISE node backup size exceeds 8 GB
Backup files are very large and at times larger than 8 GB each. This has been observed when performing both scheduled and on-demand full backups from the CLI or the administrator user interface.
Note
There is no known workaround for this issue.
CSCtr58811
Need to log out and log back in to get Advanced License functionality
After installing an Advanced License on top of an existing Base license, the administrator is not able to view advanced feature pages such as Posture, Profiler, and Security Group Access.
Workaround
Log out and log back in again to view Advanced feature pages.
CSCtr59589
Exception Actions are triggering multiple CoA reauthentication events
An exception action experienced under high traffic volume may be triggering multiple times and issuing multiple CoA events on the same session. By design, only the first CoA event will be acted upon—the subsequent ones are ignored by the infrastructure.
CSCtr60200
Error while editing predefined AV/AS compound conditions
After you update Cisco ISE to release 1.0.4 and edit a pre-existing AV/AS compound condition, the configuration will be saved, but when you try to go back and view or edit the same compound condition, the "Allow virus definition checks to be..." option becomes disabled (unchecked).
Although there is no impact when generating the XML file with the modified data for the pre-defined AS compound condition, this issue leads to confusion.
CSCtr66122
Policy could not be saved
Cisco ISE can return an error message when you try to save a policy where the same identity group appears more than once.
Workaround
Manually remove duplicate identity group entries from the policy and save the policy again.
CSCtr66929
Selected month and year while configuring file "Date" condition
If you specify either just the year or month in the "Date" field of the Policy > Policy Element > Conditions > File Condition configuration window, the date does not get saved along with the policy.
Workaround
Always specify the correct date.
CSCtr68491
Windows Internet Explorer 8 Info button on compound condition format is empty
When you hover over the "Info" button in the Go to Policy > Policy Elements > Conditions > Posture > Compound Condition page, the pop-up bubble remains empty.
This issue has been observed using IE8, but the text appears as designed in Mozilla Firefox.
CSCtr79440
Authorization policy not matched when condition to match parent device group location used
This issue can come up when you define an authorization rule which has a condition containing the operand "DEVICE:Location equal AllLocation#<group name>."
Note
There is no known workaround for this issue.
CSCtr82311
Administrator user interface password reset failed upon first login attempt
This condition is only seen if the first default credentials ("admin"/"cisco") have not yet been changed. After the admin user gets disabled, the password reset function may fail on the first attempt.
Workaround
Try resetting the password again using the application reset-passwd ise CLI command. Alternatively, if the 'admin' user is the one in question, log in as 'admin/cisco' and set the first credentials.
CSCtr84378
Guest role text box can be removed in sponsor group object
When only one group role exists, the Guest Role can still be removed when configuring the sponsor group, which prevents the user from selecting any Guest Role at all. (If the administrator clicks on the minus (-) operator on the Guest Role tab in the sponsor group configuration with only one existing group role, then the field is removed.)
Workaround
Do not click the minus (-) operator during Guest Role selection during Sponsor Group configuration if only one group role exists. If the situation does occur, then you need to manually create a new sponsor role.
CSCtr84493
Cisco ISE inaccurately reports that a specified policy name already exists
This issue arises when you try to create a sponsor group policy name containing regular spaces (like "xx yyy zzz 1") that is identical to an existing name using underscores (like "xx_yyy_zzz_1"). The resulting error message from ISE reads: "Policy with name xx_yyy_zzz_1 already exists."
Workaround
To avoid this issue, reverse the order in which you create these two similar names:
1. Create a sponsor group policy using spaces ("xx yyy zzz 1") and click Save.
2. Create another sponsor group policy using underscores ("xx_yyy_zzz_1") and click Save.
The error message should not appear.
CSCtr94724
Browser becomes inaccessible after creating Authorization profile
This occasional issue has been observed when scrolling down the page before the page loads completely.
Workaround
Cisco recommends allowing a few extra seconds for the page to completely load before scrolling down the page.
CSCtr96694
SGA Security Group column is empty following SGA authentication
When performing CTS authentication, the unparsed CTS security tag is returned in the authentication response and is displayed in the CTS authentication report viewer.
Note
There is no known workaround for this issue.
CSCts03935
Need to recreate the Support Bundle if the Admin session times out
If the administrator is creating a Support Bundle and their login session times out, the Support Bundle is not created correctly and the administrator must produce a new one after logging back in again.
Workaround
Alternatively, if the Support Bundle takes a long time to generate, you can also generate it using the backup-logs CLI command.
CSCts08980
The Cisco ISE posture report dashlet returns an error code
After clicking a sparkline from the Posture Compliance dashlet, the Cisco ISE Monitoring page returns the following:
"Cannot execute the statement.
SQL statement does not return a ResultSet object.
SQL error #1: ORA-06502: PL/SQL: numveric or value error: character string buffer too small.
ORA-06512: at "MNT.FILTER", line 27
ORA-06512: at "MNT.GETPOSTUREDATA", line 17
posturereport contains some special characters."
Workaround
You can avoid this issue by running the report directly without filtering from the Monitoring > Reports > Catalog > Posture > Posture Detail Assessment page.
CSCts10036
Issue with Inline Posture static route configuration
Certain static address settings on the Inline Posture static route configuration page result in the Cisco ISE user interface returning an error and the administrator not being able to remove the erroneous route.
Note
Restarting the Inline Posture node following this event might result in the node not being available to the administrator at all.
This issue can occur when you configure an invalid static route where the static route's destination network address overlaps with the network address (based on the IP Address / Subnet Mask combination) of the Inline Posture node's trusted or untrusted interface.
Workaround
If this situation occurs, deregister the Inline Posture node from the primary Administration ISE node (or both Inline Posture nodes of the HA pair) and then reregister.
CSCts10323
Internet Explorer running slow during client provisioning
Internet Explorer has an option where you can turn the "check for revocation lists" function on or off.
When this option is enabled and the dACL simultaneously does not allow access to CDP servers, Internet Explorer "freezes up" for about a minute while it tries to access the requisite CDPs.
CSCts19211
After backup/restore, the administrator is not able to access the Service Policy node
After restoring the database from prior version of the software, one or more of the nodes in the deployment becomes inaccessible from the administrator user interface.
The issue is related to restoring a backup image from one version onto a deployment running a newer version of Cisco ISE.
Workaround
Deregister, execute the reset-config CLI command, then reregister the node in question.
Note
This issue can be avoided completely by using the 'application upgrade' CLI on each node of the deployment. If this is done, there is no need to restore from an older version of the software.
CSCts20529
Authorization profile getting saved with incomplete information
This issue occurs when using the "auto-smart-port," "Filter_ID," "wireless lan controller," or "Posture Discovery" fields in the configuration page.
Note
Because of this mismatch in attribute values, the resulting authorization policy may not work properly.
Workaround
Click anywhere in the window while creating an authorization profile when using any of the above mentioned attributes. The authorization profile is then saved properly.
CSCts22154
RBAC menus on secondary nodes are incorrect immediately after upgrade
This issue can occur when the upgrade process on a secondary node is delayed and there is a large number of pending messages on the Primary node queued up for replication to the secondary node.
Workaround
Minimize the time period between the upgrade process on the primary node and secondary nodes.
Note
If the RBAC menu is not available following upgrade, wait until the replication status for the problematic node shows "complete" and the RBAC menu should be correctly visible.
CSCts25521
Cisco ISE repeatedly returns an error when a Dictionary Compound Condition is added during posture policy configuration
When you attempt to configure Dictionary Compound Condition using Posture Policy configuration, Cisco ISE returns a "configured dictionary compound condition already exists" error message, even though the specified Dictionary Compound Condition does not yet actually exist.
Workaround
The administrator needs to click on the OK button several times, or reload the page to work through this issue.
CSCts78093
Active Directory attributes are not inherited from Cisco ACS 5.1/5.2 to Cisco ISE 1.0 or Cisco ISE 1.0.4 during migration
This issue has been observed for Active Directory attributes that are not of the data type "String." (Cisco ISE supports only "String" Active Directory attributes. Other data types, such as integers, are not moved over.)
Note
In Cisco ACS 5.1/5.2, you can define different types of Active Directory attributes—String, IP, and integer.
CSCts99778
Posture configuration options not available with Advanced License
After installing or upgrading to Cisco Identity Services Engine Maintenance Release 1.0.4.573, posture config options on Policy > Policy Elements > Conditions, Policy > Policy Elements > Results, and the Posture tab of the Policy > Posture page are not shown.
Workaround
Enter the application stop ise and application start ise CLI commands. All posture-related configuration items should now appear as designed.
CSCts57010
File system runs out of available space
When logging in via the CLI, the administrator sees a "% Error: Unable to launch ADE-OS shell. Disk full." message. This could be caused by an "undo_tablespace" function automatically extending without any imposed limit.
Note
There is no known workaround for this issue.
CSCtr95156
The guest account password was reset after the user changed their password and the Sponsor subsequently modified the account
Workaround
The Guest user should log in to the guest portal before the sponsor modifies their account.
CSCts45591
Unable to collect info from interface with no IP address
Cisco ISE is unable to collect TCP dump information on interfaces with no IP address configured.
Note
There is no known workaround for this issue.
CSCts57027
Newly added network interface for VMware ISE appears as "__tmpXXXXX"
This issue has been observed when viewing the newly-added network interface using the "show interface" CLI command on a VMware machine.
Workaround
Try a different adapter setting like E1000 instead of "Flexible."
CSCts59228
Internet Explorer 8 fails to Generate a CSV Template when importing endpoints
Workaround
Cisco recommends trying the process again using Mozilla Firefox if you encounter this issue.
CSCts77187
No Alarm activates when replication fails due to database communication errors
This issue has been observed when the primary administration or monitoring node is unable to communicate with the secondary node for Oracle database replications.
Note
There is no known workaround for this issue.
CSCts45441
Unexpected behavior when creating a guest account using start and end time settings
This issue has been observed where the sponsor is trying to create a guest account that includes the time profile type "STARTEND." (During testing, Cisco used the current date for the "start date" and the next day as the end date.)
Workaround
When creating the guest account, use the "FROMCREATION" time profile with a 1 day duration.
CSCts45547
Administrator user interface does not display an appropriate error message during node registration
Note
There is no known workaround for this issue.
CSCtw67841
Debug logs bundle is not getting downloaded in Mozilla Firefox version 3.6.24
When the administrator tries to download an individual log via the Operations > Download Logs > Node > Debug Logs page, Cisco ISE prompts the administrator to enter their credentials in the browser. After entering the username and password, no download dialog pops up, and the requested log file cannot be downloaded. This issue has been observed using Mozilla Firefox version 3.6.24.
Workaround
Download the entire support bundle and then you can choose to view the individual log file.
Note
Windows Internet Explorer version 8 does not have this issue.
Cisco ISE Release 1.0.4.573 Agent Open Caveats
Table 12 Cisco ISE Release 1.0.4.573 Agent Open Caveats
Caveat Description
CSCti60114
The Mac OS X agent 4.9.0.x install is allowing downgrade
The Mac OS X NAC Agent is allowing downgrades without warnings.
Note
Mac OS X Agent builds differ in minor version updates only. For example, 4.9.0.638 and 4.9.0.637.
CSCti71658
The Mac OS X Agent shows user as "logged-in" during remediation
The menu item icon for the Mac OS X Agent might appear logged-in before getting full network access.
The client endpoints are connecting to an ISE 1.0 network or NAC using device-filter/check with Mac OS X Agent 4.9.0.x.
Workaround
Please ignore the icon changes after detecting the server and before remediation is done.
CSCtj22050
Certificate dialog seen multiple times when certificate is not valid
When the certificate used by the agent to communicate with the server is not trusted, the error message can be seen multiple times.
Workaround
Make sure you have a valid certificate installed on the server and that it has also been accepted and installed on the client.
Note
The additional certificate error message is primarily informational in nature and can be closed without affecting designed behavior.
CSCtj31552
Pop-up Login windows option not used with 4.9 Agent and Cisco ISE
When right clicking on the Windows taskbar tray icon, the Login option is still present, but is not used for Cisco ISE. The login option should be removed or greyed out.
Workaround
There is no known workaround for this issue.
CSCtj39429
No posture on Mac OS X Agent in multi-NIC setup
This issue has been observed on Mac OS 10.6 clients in a multi-NIC setup where the wired NIC is connected to a switch and the wireless NIC connects to an Inline Posture node in bridged mode.
Note
Because the wireless NIC is the preferred connection, the agent is supposed to perform posture assessment via the wireless NIC.
Workaround
There is no known workaround for this issue.
CSCtj59635
Cisco NAC agent pops up even when popup login window is unchecked
Workaround
There is no known workaround for this issue.
CSCtk34851
XML parameters passed down from server are not using the mode capability
The Cisco ISE Agent Profile editor can set parameter modes to merge or overwrite. Mac OS X agent is not processing the mode correctly. Instead, the complete file is overwritten each time.
Workaround
To use a unique entry, the administrator must set up a different user group for test purposes, or set the file to read only on the client machine and manually make the necessary changes to the local file.
CSCtl53966
Agent icon stuck on Windows taskbar
The taskbar icon should appear when the user is already logged in.
Workaround
Right-click on the icon in the taskbar tray and choose Properties or About. After you close the resulting Cisco NAC Agent dialog, the taskbar icon goes away.
CSCtn39974
An IP configuration error during logout may keep agent from appearing to the user
The agent login processing does not start after the IP refresh error occurs during the logout processing in an Out-of-Band environment.
Workaround
Exit and re-launch the agent.
CSCto03644
Tray icon flickers click focus if user changes applications from login OK
Following successful login, when the Agent login dialog goes away, click focus appears in the Windows taskbar tray. (It may flicker fast so that you are not able to see it.) If the user clicks on the icon when this happens, the "please wait" dialog appears, and at this time, the Agent icon options are available for use.
This issue has been observed if the user changes to a different application while the successful login OK button is displayed.
Workaround
The user can log in again and ensure the focus stays on the login process.
CSCto19507
Mac OS X agent does not prompt for upgrade when coming out of sleep mode
Workaround
The user needs to exit and then restart the Cisco NAC Agent to prompt the current version verification function.
CSCto33933
Login Success display does not disappear when user clicks OK
This can occur if the network has not yet settled following a network change.
Workaround
Wait a few seconds for the display to close.
CSCto45199
"Failed to obtain a valid network IP" message does not go away after the user clicks OK
This issue has been observed in a wired NAC network with IP address change that is taking longer than normal. (So far, this issue has only been seen on Windows XP machines.)
Workaround
None. The user needs to wait for the IP address refresh process to complete and for the network to stabilize in the background.
CSCto48555
Mac OS X agent does not rediscover the network after switch from one SSID to another in the same subnet
Agent does not rediscover until the temporary role (remediation timer) expires.
Workaround
The user needs to click Complete or Cancel in the agent login dialog to get the agent to appear again on the new network.
CSCto63069
The nacagentui.exe application memory usage doubles when using "ad-aware"
This issue has been observed where the nacagentui.exe memory usage changes from 54 to 101MB and stays there.
Workaround
Disable the Ad-Watch Live Real-time Protection function.
CSCto84932
The Cisco NAC Agent takes too long to complete IP refresh following VLAN change
The Cisco NAC agent is taking longer than normal to refresh IP address due to double IP refresh by supplicant and NAC agent.
Workaround
Disable the Cisco NAC Agent IP address change function if there is a supplicant present capable of doing the same task.
CSCto97422
Auto Popup does not happen after clicking Cancel during remediation failure
Workaround
Click on the login option in the system tray.
CSCto97486
The Mac OS X VLAN detect function runs between discovery, causing a delay
VLAN detect should refresh the client IP address after a VLAN detect interval (5) x retry detect (3), which is ~30 sec; however, it is taking an additional 30 sec.
This issue has been observed in both a wired and wireless deployment where the Cisco NAC agent changes the client IP address in compliant or non-compliant state since Mac OS X supplicant cannot.
An example scenario involves the user getting a "non-compliant" posture state where the Cisco ISE authorization profile is set to Radius Reauthentication (default) and session timer of 10 min (600 sec). After 10 min the session terminates and a new session is created in the pre-posture VLAN. The result is that the client machine still has post-posture VLAN IP assignment and requires VLAN detect to move user back to the pre-posture IP address.
Workaround
Disconnect and then reconnect the client machine to the network.
CSCtq02332
Windows agent does not display IP refresh during non-compliant posture status
The IP refresh is happening on the client machine as designed, but the Agent interface does not display the change appropriately (for example, following a move from preposture (non-compliant) to postposture (compliant) status).
Workaround
There is no known workaround for this issue.
CSCtq02533
The Cisco NAC Agent takes too long to complete IP refresh following VLAN change
The Cisco NAC agent is taking longer than normal to refresh IP address due to double IP refresh by supplicant and Cisco NAC agent.
Workaround
Disable the Cisco NAC Agent IP address change function if there is a supplicant present capable of doing the same task.
CSCtq15958
Windows Agent VPN tunnel dropping after initial connection
Workaround
The user needs to reestablish the VPN tunnel.
CSCtq16716
Windows wireless move from post-posture to pre-posture VLAN detect IP not refreshed
The client machine has no connectivity because the NIC's IP address is in the compliant/non-compliant VLAN when it should be in the pre-posture/pending VLAN.
This issue has been observed using a wireless supplicant that does not support IP address change when the client machine relies on the Cisco NAC Agent to change the IP address.
Workaround
Disconnect and reconnect wireless NIC on the client machine.
For more information, see Known Supplicant Compatibility Issue Involving VLAN Change Operation on Windows Client Machines.
CSCts80116
OPSWAT SDK 3.4.27.1 causes memory leak on some PCs
Client machines that have version 8.2.0 of Avira AntiVir Premium or Personal may experience excessive memory usage.
Note
This has only been observed with version 8.2.0 of Avira AntiVir Premium or Personal. Later versions of the application do not have this issue.
Workaround
Install a later version of Avira AntiVir Premium or Personal.
Cisco ISE Release 1.0.4 Resolved Caveats
• Cisco ISE Release 1.0.4.573 Appliance Resolved Caveats
• Cisco ISE Release 1.0.4.573 Agent Resolved Caveats
Cisco ISE Release 1.0.4.573 Appliance Resolved Caveats
Cisco ISE Release 1.0.4.573 Agent Resolved Caveats
Known Issues
• Known Issue with Upgrade from Cisco ISE Release 1.0.3.377
• Windows Internet Explorer 8 Known Issues
  – Issue Accessing the Cisco ISE Administrator User Interface
  – Cisco Secure ACS-to-Cisco ISE Migration User Interface Issue Using IE8
  – User Identity Groups User Interface Issue With IE 8
• Known Supplicant Compatibility Issue Involving VLAN Change Operation on Windows Client Machines
• Known Incompatibility Issue with WLC Firmware Version 7.0.116.0
• Issues With 2k Message Size in Monitoring and Troubleshooting
• Issues With More Than Three Users Accessing Monitoring and Troubleshooting Concurrently
• Cisco IP phones using EAP-FAST
Known Issue with Upgrade from Cisco ISE Release 1.0.3.377
This issue can affect Cisco ISE customers who have not changed their default "admin" account password for administrator user interface login since first installing Cisco Identity Services Engine Release 1.0.3.377. Upon upgrading to Cisco Identity Services Engine Maintenance Release 1.0.4.573, administrators can be "locked out" of the Cisco ISE administrator user interface when logging in via the default "admin" account where the password has not yet been updated from the original default value.
To avoid this issue, Cisco recommends you do one or more of the following:
1. Verify that the password has been changed per the instructions in the "Managing Identities" chapter of the Cisco Identity Services Engine User Guide, Release 1.0.4 prior to upgrade.
2. Disable or modify the password lifetime setting in the Administration > System > Admin Access > Password Policy page of the administrator user interface prior to upgrade to ensure the upgraded policy behavior does not impact the default "admin" account.
3. Enable password lifetime setting reminders in the Administration > System > Admin Access > Password Policy page to alert admin users of imminent expiry. Administrators should change the password when notified.
Note
Although the above conditions apply to all administrator accounts, the change in behavior from Cisco ISE version 1.0.3.377 to version 1.0.4.573 only impacts the default "admin" account.
Windows Internet Explorer 8 Known Issues
• Issue Accessing the Cisco ISE Administrator User Interface
• Cisco Secure ACS-to-Cisco ISE Migration User Interface Issue Using IE8
• User Identity Groups User Interface Issue With IE 8
Issue Accessing the Cisco ISE Administrator User Interface
When you access the Cisco ISE administrator user interface using the host IP address as the destination in the Internet Explorer 8 address bar, the browser automatically redirects your session to a different location. This situation occurs when you install a real SSL certificate issued by a Certificate Authority like VeriSign.
If possible, Cisco recommends using the Cisco ISE hostname or fully qualified domain name (FQDN) you used to create the trusted SSL certificate to access the administrator user interface via Internet Explorer 8.
For more information see CSCto09989.
Cisco Secure ACS-to-Cisco ISE Migration User Interface Issue Using IE8
There is a known migration consideration that affects successful migration of Cisco Secure ACS 5.1/5.2 data to the Cisco ISE appliance using the Cisco Secure ACS 5.1/5.2-ISE 1.0 Migration Tool.
The only currently supported browser for downloading the migration tool files is Firefox version 3.6.x. Microsoft Windows Internet Explorer (IE8 and IE7) browsers are not currently supported for this function.
For more information, see the Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.0.4.
User Identity Groups User Interface Issue With IE 8
If you create and operate 100 User Identity Groups or more, a script in the Cisco ISE administrator user interface Administration > Identity Management > User Identity Groups page can cause Internet Explorer 8 to run slowly, looping until a pop-up appears asking you if you want to cancel the running script. (If the script continues to run, your computer might become unresponsive.)
Known Supplicant Compatibility Issue Involving VLAN Change Operation on Windows Client Machines
There is a known issue with the Intel Supplicant version 12.4.x for Windows client machines with regard to VLAN change for wireless deployments. The client machine has no connectivity because the NIC's IP address is in the compliant/non-compliant VLAN when it should be in the pre-posture/pending VLAN.
Note
This issue affects any supplicant that cannot perform IP address refresh on a VLAN change in a wireless environment. This issue is related to the VLAN detect (Access VLAN to Authentication VLAN change) functionality, where the Cisco NAC Agent is not working correctly with wireless adapters.
For more information, see CSCtq16716.
Known Incompatibility Issue with WLC Firmware Version 7.0.116.0
Cisco has discovered a known issue that can occur during a Wireless LAN Controller (WLC) login session, where the client machine authenticates with Cisco ISE correctly and the corresponding authorization profile is picked up, but during user authentication the previous authorization profile (for machine authentication) is applied to the user session again.
This issue has been observed during wireless login scenarios where the WLC is running firmware version 7.0.116.0, and unless you require new features available only in version 7.0.116.0, Cisco recommends returning your WLC firmware version to 7.0.98.218 until Cisco releases an up-to-date firmware version later in 2011.
For more information see CSCto83897.
Issues With 2k Message Size in Monitoring and Troubleshooting
Cisco ISE monitoring and troubleshooting functions are designed to optimize data collection performance for messages of 8k in size. As a result, you may notice a slightly different message performance rate when compiling 2k message sizes regularly.
Issues With More Than Three Users Accessing Monitoring and Troubleshooting Concurrently
Although more than three concurrent users can log into Cisco ISE and view monitoring and troubleshooting statistics and reports, more than three concurrent users accessing Cisco ISE can result in unexpected behavior like (but not limited to) monitoring and troubleshooting reports and other pages taking excessive amounts of time to launch, and the application server restarting on its own.
Inline Posture Restrictions
• Inline Posture is not supported in a virtual environment, such as VMware.
• The Simple Network Management Protocol (SNMP) Agent is not supported by Inline Posture.
• The Cisco Discovery Protocol (CDP) is not supported by Inline Posture.
Cisco IP phones using EAP-FAST
Cisco ISE, Release 1.0 does not support Cisco IP phones that are using EAP-FAST with certificates. Cisco recommends using EAP-TLS with IP phones in your network.
Documentation Updates
Related Documentation
Release-Specific Documents
General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.
Table 16 Product Documentation for Cisco Identity Services Engine
Document Title | Location
Release Notes for the Cisco Identity Services Engine, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html
Cisco Identity Services Engine Network Component Compatibility, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/products_device_support_tables_list.html
Cisco Identity Services Engine User Guide, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html
Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html
Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html
Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html
Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html
Cisco Identity Services Engine API Reference Guide, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html
Cisco Identity Services Engine Troubleshooting Guide, Release 1.0.4 | http://www.cisco.com/en/US/products/ps11640/prod_troubleshooting_guides_list.html
Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler | http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html
Cisco Identity Services Engine In-Box Documentation and China RoHS Pointer Card | http://www.cisco.com/en/US/products/ps11640/products_documentation_roadmaps_list.html
Platform-Specific Documents
Links to Policy Management Business Unit documentation are available at the following locations:
• Cisco ISE
  http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html
• Cisco Secure ACS
  http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html
• Cisco NAC Appliance
  http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
• Cisco NAC Profiler
  http://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html
• Cisco NAC Guest Server
  http://www.cisco.com/en/US/products/ps10160/tsd_products_support_series_home.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
© 2011 Cisco Systems, Inc. All rights reserved.