Release Notes for Cisco Identity Services Engine, Release 1.2.x
Revised: November 5, 2014, OL-27043-01
Contents
These release notes describe the features, limitations and restrictions (caveats), and related information
for Cisco Identity Services Engine (ISE), Release 1.2.0 and 1.2.1. These release notes supplement the
Cisco ISE documentation that is included with the product hardware and software release, and cover the
following topics:
• Introduction
• Deployment Terminology, Node Types, and Personas
• System Requirements
• Installing Cisco ISE Software
• Upgrading Cisco ISE Software
• Cisco Secure ACS to Cisco ISE Migration
• Cisco ISE License Information
• Requirements for CA to Interoperate with Cisco ISE
• New Features in Cisco ISE, Release 1.2.1
• New Features in Cisco ISE, Release 1.2.0
• Known Issues in Cisco ISE, Release 1.2.x
• Cisco ISE Installation Files, Updates, and Client Resources
• Using the Bug Search Tool
• Cisco ISE, Release 1.2.0.899 Patch Updates
• Cisco ISE, Release 1.2.x, Open Caveats
• Cisco ISE, Release 1.2.1, Resolved Caveats
• Cisco ISE, Release 1.2.0, Resolved Caveats
• Documentation Updates
• Related Documentation
Introduction
The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution.
It offers authenticated network access, profiling, posture, BYOD device onboarding (native supplicant
and certificate provisioning), guest management, and security group access services along with
monitoring, reporting, and troubleshooting capabilities on a single physical or virtual appliance. Cisco
ISE is available on two physical appliances with different performance characteristics, and also as
software that can be run on a VMware server. You can add more appliances to a deployment for
performance, scale, and resiliency.
Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with
centralized configuration and management. It also allows for configuration and management of distinct
personas and services. This feature gives you the ability to create and apply services where they are
needed in the network, but still operate the Cisco ISE deployment as a complete and coordinated system.
Deployment Terminology, Node Types, and Personas
Cisco ISE provides a scalable architecture that supports both standalone and distributed deployments.
Table 1  Cisco ISE Deployment Terminology
Term | Description
Service | Specific feature that a persona provides such as network access, profiler, posture, security group access, and monitoring.
Node | Individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and also as software that can be run on a VMware server. Each instance (either running on a Cisco ISE appliance or on a VMware server) that runs the Cisco ISE software is called a node.
Persona | Determines the services provided by a node. A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, Monitoring, and Inline Posture.
Deployment Model | Determines if your deployment is a standalone, high availability in standalone (a basic two-node deployment), or distributed deployment.
Types of Nodes and Personas
A Cisco ISE network has two types of nodes:
• Cisco ISE node, which can assume any of the following three personas:
– Administration—Allows you to perform all administrative operations for Cisco ISE. It handles
all system-related configurations related to functionality such as authentication, authorization,
auditing, and so on. In a distributed environment, you can have one or a maximum of two nodes
running the Administration persona and configured as a primary and secondary pair. If the
primary Administration node goes down, you have to manually promote the secondary
Administration node. There is no automatic failover for the Administration persona.
– Policy Service—Provides network access, posturing, BYOD device onboarding (native
supplicant and certificate provisioning), guest access, and profiling services. This persona
evaluates the policies and makes all the decisions. You can have more than one node assuming
this persona. Typically, there is more than one Policy Service persona in a distributed
deployment. All Policy Service personas that reside behind a load balancer can be grouped
together to form a node group. If one of the nodes in a node group fails, the other nodes in that
group process the requests of the node that has failed, thereby providing high availability.
Note
At least one node in your distributed setup should assume the Policy Service persona.
– Monitoring—Enables Cisco ISE to function as a log collector and store log messages from all
the Administration and Policy Service personas on the Cisco ISE nodes in your network. This
persona provides advanced monitoring and troubleshooting tools that you can use to effectively
manage your network and resources.
A node with this persona aggregates and correlates the data that it collects to provide
meaningful reports. Cisco ISE allows a maximum of two nodes with this persona that can
assume primary or secondary roles for high availability. Both the primary and secondary
Monitoring personas collect log messages. In case the primary Monitoring persona goes down,
the secondary Monitoring persona automatically assumes the role of the primary Monitoring
persona.
Note
At least one node in your distributed setup should assume the Monitoring persona. It is
recommended that the Monitoring persona be on a separate, designated node for higher
performance in terms of data collection and reporting.
• Inline Posture node is a gatekeeping node that is positioned behind network access devices such as
wireless LAN controllers (WLCs) and VPN concentrators on the network. An Inline Posture node
enforces access policies after a user has been authenticated and granted access, and handles change
of authorization (CoA) requests that a WLC or VPN is unable to accommodate. Cisco ISE allows
up to 10,000 Inline Posture Nodes in a deployment. You can pair two Inline Posture nodes together
as a failover pair for high availability.
Note
An Inline Posture node is dedicated solely to that service and cannot operate concurrently with
other Cisco ISE services. Likewise, due to the specialized nature of its service, an Inline Posture
node cannot assume any persona. Inline Posture nodes are not supported on VMware server
systems.
Note
Each Cisco ISE node in a deployment can assume more than one persona (Administration, Policy
Service, or Monitoring) at a time. By contrast, each Inline Posture node operates only in a dedicated
gatekeeping role.
Table 2  Recommended Number of Nodes and Personas in a Distributed Deployment
Node / Persona | Minimum Number in a Deployment | Maximum Number in a Deployment
Administration | 1 | 2 (Configured as a high-availability pair)
Monitor | 1 | 2 (Configured as a high-availability pair)
Policy Service | 1 | 2—when the Administration/Monitoring/Policy Service personas are on the same primary/secondary appliances; 5—when Administration and Monitoring personas are on same appliance; 40—when each persona is on a dedicated appliance
Inline Posture | 0 | 10000 for maximum network access devices (NADs) per deployment
You can change the persona of a node. See the “Setting Up Cisco ISE in a Distributed Environment”
chapter of the Cisco Identity Services Engine User Guide, Release 1.2 for information on how to
configure personas on Cisco ISE nodes.
System Requirements
• Supported Hardware
• Supported Virtual Environments
• Supported Browsers
• Supported Devices and Agents
• Supported Antivirus and Antispyware Products
Note
For more details on Cisco ISE hardware platforms and installation, see the Cisco Identity Services
Engine Hardware Installation Guide, Release 1.2.
Supported Hardware
Cisco ISE software is packaged with your appliance or image for installation. Cisco ISE, Release 1.2.x
is shipped on the following platforms. After installation, you can configure Cisco ISE with specified
component personas (Administration, Policy Service, and Monitoring) or as an Inline Posture node on
the platforms that are listed in Table 3.
Table 3  Supported Hardware and Personas

Hardware Platform: Cisco SNS-3415-K9 (small)
Persona: Any
Configuration:
• Cisco UCS [1] C220 M3
• Single socket Intel E5-2609 2.4-GHz CPU, 4 total cores, 4 total threads
• 16-GB RAM
• 1 x 600-GB disk
• Embedded Software RAID 0
• 4 GE network interfaces

Hardware Platform: Cisco SNS-3495-K9 (large)
Persona: Administration, Policy Service, Monitor [2]
Configuration:
• Cisco UCS C220 M3
• Dual socket Intel E5-2609 2.4-GHz CPU, 8 total cores, 8 total threads
• 32-GB RAM
• 2 x 600-GB disk
• RAID 0+1
• 4 GE network interfaces

Hardware Platform: Cisco ISE-3315-K9 (small)
Persona: Any
Configuration:
• 1x Xeon 2.66-GHz quad-core processor
• 4 GB RAM
• 2 x 250 GB SATA [3] HDD [4]
• 4x 1 GB NIC [5]

Hardware Platform: Cisco ISE-3355-K9 (medium)
Persona: Any
Configuration:
• 1x Nehalem 2.0-GHz quad-core processor
• 4 GB RAM
• 2 x 300 GB 2.5 in. SATA HDD
• RAID [6] (disabled)
• 4x 1 GB NIC
• Redundant AC power

Hardware Platform: Cisco ISE-3395-K9 (large)
Persona: Any
Configuration:
• 2x Nehalem 2.0-GHz quad-core processor
• 4 GB RAM
• 4 x 300 GB 2.5 in. SAS II HDD
• RAID 1
• 4x 1 GB NIC
• Redundant AC power

Hardware Platform: Cisco ISE-VM-K9 (VMware)
Persona: Stand-alone Administration, Monitoring, and Policy Service (no Inline Posture)
Configuration:
• For CPU and memory recommendations, refer to the “VMware Appliance Sizing Recommendations” section in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2. [7]
• For hard disk size recommendations, refer to the “Disk Space Requirements” section in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2.
• NIC—1 GB NIC interface required (You can install up to 4 NICs.)
• Supported VMware versions include:
– ESX 4.x
– ESXi 4.x and 5.x

[1] Cisco Unified Computing System (UCS)
[2] Inline posture is a 32-bit system and is not capable of symmetric multiprocessing (SMP). Therefore, it is not available on the SNS-3495 platform.
[3] SATA = Serial Advanced Technology Attachment
[4] HDD = hard disk drive
[5] NIC = network interface card
[6] RAID = Redundant Array of Independent Disks
[7] Memory allocation of less than 4GB is not supported for any VMware appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 4GB prior to opening a case with the Cisco Technical Assistance Center.

If you are moving from Cisco Secure Access Control System (ACS) or Cisco NAC Appliance to Cisco
ISE, the Cisco Secure ACS 1121 and Cisco NAC 3315 appliances support small deployments, Cisco
NAC 3355 appliances support medium deployments, and Cisco NAC 3395 appliances support large
deployments.
Supported Virtual Environments
Cisco ISE supports the following virtual environment platforms:
• VMware ESX 4.x
• VMware ESXi 4.x
• VMware ESXi 5.x
Supported Browsers
The Cisco ISE, Release 1.2.x administrative user interface supports a web interface using the following
HTTPS-enabled browsers:
• Mozilla Firefox version 5.x and later.
• Microsoft Internet Explorer 8.x and later.
Note
The Cisco ISE user interface does not support using the Microsoft IE8 browser in IE7
compatibility mode. Microsoft IE8 is supported in its IE8-only mode.
Adobe Flash Player 11.2.0.0 or above must be installed on the system running the client browser. The
minimum required screen resolution to view the Administration portal and for a better user experience
is 1280 x 800 pixels.
Supported Devices and Agents
Refer to Cisco Identity Services Engine Network Component Compatibility, Release 1.2 for information
on supported devices, browsers, and agents.
Cisco NAC Agent Interoperability
Cisco NAC Agent versions 4.9.4.3 and later can be used on both Cisco NAC Appliance Releases
4.9(1), 4.9(3), 4.9(4) and Cisco ISE Releases 1.1.3-patch 11, 1.1.4-patch 11, 1.2.0, and 1.2.1. This is the
recommended model for deploying the NAC Agent in an environment where users roam
between ISE and NAC deployments.
Support for Microsoft Active Directory
Cisco ISE, Release 1.2.x supports Microsoft Active Directory servers 2003, 2008, 2008 R2, and 2012 at all
functional levels.
Microsoft Active Directory server 2012 R2 and all updates are supported by Cisco ISE, Release 1.2.1.
Microsoft Active Directory version 2000 or its functional level is not supported by Cisco ISE.
Supported Antivirus and Antispyware Products
See the following Cisco ISE documents for specific antivirus and antispyware support details for Cisco
NAC Agent and Cisco NAC Web Agent:
• Cisco Identity Services Engine Release 1.2 Supported Windows AV/AS Products
• Cisco Identity Services Engine Release 1.2 Supported Mac OS X AV/AS Products
Installing Cisco ISE Software
To install Cisco ISE, Release 1.2.x software on Cisco SNS-3415 and SNS-3495 hardware platforms, turn
on the new appliance and configure the Cisco Integrated Management Controller (CIMC). You can then
install Cisco ISE, Release 1.2.x over a network using CIMC or a bootable USB.
Note
When using virtual machines (VMs), we recommend that the guest VM have the correct time set using
an NTP server before installing the .ISO image on the VMs.
Perform Cisco ISE initial configuration according to the instructions in the Cisco Identity Services
Engine Hardware Installation Guide, Release 1.2. Before you run the setup program, ensure that you
know the configuration parameters listed in Table 4.
Table 4  Cisco ISE Network Setup Configuration Parameters
Prompt | Description | Example
Hostname | Must not exceed 19 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). The first character must be a letter. | isebeta1
(eth0) Ethernet interface address | Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface. | 10.12.13.14
Netmask | Must be a valid IPv4 netmask. | 255.255.255.0
Default gateway | Must be a valid IPv4 address for the default gateway. | 10.12.13.1
DNS domain name | Cannot be an IP address. Valid characters include ASCII characters, any numerals, the hyphen (-), and the period (.). | mycompany.com
Primary name server | Must be a valid IPv4 address for the primary name server. | 10.15.20.25
Add/Edit another name server | Must be a valid IPv4 address for an additional name server. | (Optional) Allows you to configure multiple name servers. To do so, enter y to continue.
Primary NTP server | Must be a valid IPv4 address or hostname of a Network Time Protocol (NTP) server. | clock.nist.gov
Add/Edit another NTP server | Must be a valid NTP domain. | (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue.
System Time Zone | Must be a valid time zone. For details, see Cisco Identity Services Engine CLI Reference Guide, Release 1.2, which provides a list of time zones that Cisco ISE supports. For example, for Pacific Standard Time (PST), the System Time Zone is PST8PDT (or UTC-8 hours). The time zones referenced are the most frequently used time zones. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones. Note: We recommend that you set all Cisco ISE nodes to the UTC time zone. This setting ensures that the reports, logs, and posture agent log files from the various nodes in the deployment are always synchronized with the time stamps. | UTC (default)
Username | Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be three to eight characters in length and composed of valid alphanumeric characters (A–Z, a–z, or 0–9). | admin (default)
Password | Identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a–z), one uppercase letter (A–Z), and one numeral (0–9). | MyIseYPass2
For additional information on configuring and managing Cisco ISE, see Release-Specific Documents
to access other documents in the Cisco ISE documentation suite.
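The rules in Table 4 can be checked against a planned set of answers before the setup program is run. The following is an added example, not Cisco code: the dictionary keys and function names are assumptions, the first sample uses the Example column of Table 4, and the second sample is constructed to fail.

```python
import ipaddress
import re

# Patterns transcribed from the Table 4 descriptions (added example, not Cisco code).
HOSTNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{0,18}")  # max 19 chars, first is a letter
USERNAME_RE = re.compile(r"[A-Za-z0-9]{3,8}")            # 3 to 8 alphanumerics
NAME_CHARS_RE = re.compile(r"[A-Za-z0-9.-]+")            # letters, numerals, '-' and '.'
NUMERIC_DOTTED_RE = re.compile(r"[0-9.]+")               # looks like an IP address


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_netmask(value):
    """Dotted-quad mask whose one-bits are contiguous from the most significant bit."""
    if not is_ipv4(value):
        return False
    mask = int(ipaddress.IPv4Address(value))
    inverted = ~mask & 0xFFFFFFFF
    return mask != 0 and (inverted & (inverted + 1)) == 0


def is_name(value):
    """Host or domain name: allowed characters only, and not an IP-address look-alike."""
    return bool(NAME_CHARS_RE.fullmatch(value)) and not NUMERIC_DOTTED_RE.fullmatch(value)


def is_password(value):
    return (len(value) >= 6
            and re.search(r"[a-z]", value) is not None
            and re.search(r"[A-Z]", value) is not None
            and re.search(r"[0-9]", value) is not None)


def validate_setup(params):
    """Return [(prompt, problem), ...]; an empty list means every Table 4 rule passed."""
    checks = [
        ("Hostname", bool(HOSTNAME_RE.fullmatch(params["hostname"])),
         "max 19 characters, letters/digits/hyphen, must start with a letter"),
        ("(eth0) Ethernet interface address", is_ipv4(params["ip"]),
         "not a valid IPv4 address"),
        ("Netmask", is_netmask(params["netmask"]), "not a valid IPv4 netmask"),
        ("Default gateway", is_ipv4(params["gateway"]), "not a valid IPv4 address"),
        ("DNS domain name", is_name(params["domain"]), "must be a name, not an IP address"),
        ("Primary name server", is_ipv4(params["name_server"]), "not a valid IPv4 address"),
        ("Primary NTP server", is_ipv4(params["ntp"]) or is_name(params["ntp"]),
         "must be an IPv4 address or a hostname"),
        ("Username", bool(USERNAME_RE.fullmatch(params["username"])),
         "must be 3 to 8 alphanumeric characters"),
        ("Password", is_password(params["password"]),
         "min 6 characters with a lowercase letter, an uppercase letter and a numeral"),
    ]
    return [(prompt, problem) for prompt, ok, problem in checks if not ok]


# Values taken from the Example column of Table 4.
TABLE4_EXAMPLE = {
    "hostname": "isebeta1", "ip": "10.12.13.14", "netmask": "255.255.255.0",
    "gateway": "10.12.13.1", "domain": "mycompany.com", "name_server": "10.15.20.25",
    "ntp": "clock.nist.gov", "username": "admin", "password": "MyIseYPass2",
}

# Constructed answers that break several rules at once.
CONSTRUCTED_BAD = {
    "hostname": "1ise-policy-service-node", "ip": "10.12.13.256", "netmask": "255.0.255.0",
    "gateway": "10.12.13.1", "domain": "10.12.13.14", "name_server": "10.15.20.25",
    "ntp": "10.15.20", "username": "ad", "password": "password1",
}

if __name__ == "__main__":
    for label, answers in (("Table 4 example", TABLE4_EXAMPLE),
                           ("constructed", CONSTRUCTED_BAD)):
        problems = validate_setup(answers)
        print(label + ":", "OK" if not problems else f"{len(problems)} problem(s)")
        for prompt, problem in problems:
            print(f"  {prompt}: {problem}")
```
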
Upgrading Cisco ISE Software
Cisco Identity Services Engine (ISE) supports upgrades from the CLI only. Supported upgrade paths
include:
• Cisco ISE, Release 1.1.0, with Patch 5 or later applied
• Cisco ISE, Release 1.1.1, with Patch 7 or later applied
• Cisco ISE, Release 1.1.2, with Patch 10 or later applied
• Cisco ISE, Release 1.1.3, with Patch 11 or later applied
• Cisco ISE, Release 1.1.4, with Patch 11 or later applied
• Cisco ISE, Release 1.2.0, with Patch 8 or later applied
Note
Upgrade to Cisco ISE, Release 1.2.0.899 is not required before upgrading to Release 1.2.1.198.
Follow the upgrade instructions in the Cisco Identity Services Engine Upgrade Guide, Release 1.2 to
upgrade to Cisco ISE, Release 1.2.x.
Note
When you upgrade to Cisco ISE, Release 1.2.x, you may be required to open network ports that were not
used in previous releases of Cisco ISE. For more information, see "Appendix C, Cisco SNS-3400 Series
Appliance Ports Reference" in the Cisco Identity Services Engine Hardware Installation Guide,
Release 1.2.
Upgrade Considerations and Requirements
Read the following sections before you upgrade to Cisco ISE, Release 1.2.x:
• No iPEP Support in Cisco ISE 1.2.x Patches
• Firewall Ports That Must be Open for Communication
• VMware Operating System to be Changed to RHEL 5 (64-bit)
• Guest Users Identity Source
• Other Known Upgrade Considerations and Issues
iPEP Support on Cisco ISE 1.2.x
Cisco ISE, Release 1.2 and 1.2.1 can be installed on an iPEP node by using the Cisco ISE 1.2.1 version
of iPEP.
Firewall Ports That Must be Open for Communication
The replication ports have changed in Cisco ISE, Release 1.2. If you have deployed a firewall
between the primary Administration node and any other node, the following ports must be open before
you upgrade to Release 1.2:
• TCP 1528—For communication between the primary administration node and monitoring nodes.
• TCP 443—For communication between the primary administration node and all other secondary nodes.
• TCP 12001—For global cluster replication.
For a full list of ports that Cisco ISE, Release 1.2 uses, refer to the Cisco SNS-3400 Series Appliance
Ports Reference.
VMware Operating System to be Changed to RHEL 5 (64-bit)
Cisco ISE, Release 1.2.x has a 64-bit architecture. If a Cisco ISE node is running on a virtual machine,
ensure that the virtual machine's hardware is compatible with 64-bit systems:
Note
You must power down the virtual machine before you make these changes and power it back on after the
changes are done.
• Enable BIOS settings that are required for 64-bit systems. See the following resources for more
information:
Cisco Identity Services Engine Hardware Installation Guide, Release 1.2
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1003945
• Ensure that you choose Linux as the Guest Operating System and Red Hat Enterprise Linux 5
(64-bit) as the version. See
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1005870
for more information.
Guest Users Identity Source
In previous releases of Cisco ISE, guest-user records were available in the Internal Users database. Cisco
ISE, Release 1.2.x introduces a Guest Users database, which is different than the Internal Users database.
If you have added the Internal Users database to the identity-source sequence, the Guest Users database
also becomes part of the identity-source sequence. If guest-user logins are not required, remove the
Guest Users database from the identity-source sequence.
Other Known Upgrade Considerations and Issues
Refer to the Cisco Identity Services Engine Upgrade Guide, Release 1.2.x for other known upgrade
considerations and issues:
• http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.html#ID50
• http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.html#ID244
Cisco Secure ACS to Cisco ISE Migration
Cisco ISE, Release 1.2.x supports migration from Cisco Secure ACS, Release 5.3 only. You must
upgrade the Cisco Secure ACS deployment to Release 5.3 before you attempt to perform the migration
process to Cisco ISE, Release 1.2.
Cisco ISE does not provide full parity to all the features available in ACS 5.3, especially policies. After
migration, you may notice some differences in the way existing data types and elements appear in the
new Cisco ISE environment. It is recommended to use the migration tool for migrating specific objects
like network devices, internal users, and identity store definitions from ACS. Once the migration is
complete, you can manually define the policies for relevant features that are appropriate to Cisco ISE.
The migration tool only supports Mozilla Firefox, versions 3.6, 6, 7, 8, 9, and 10. Microsoft Windows
Internet Explorer (IE8 and IE7) browsers are not currently supported in this release.
Complete instructions for moving a Cisco Secure ACS 5.3 database to Cisco ISE Release 1.2.x are
available in the Cisco Identity Services Engine, Release 1.2 Migration Tool Guide.
Cisco ISE License Information
Cisco ISE comes with a 90-day Base and Advanced Package Evaluation License already installed on the
system. After you have installed the Cisco ISE software and initially configured the primary
Administration persona, you must obtain and apply a Base, Plus, Advanced, or Wireless license.
Cisco ISE, Release 1.2 Patch 8 and 1.2.1 include the new Plus license. The Plus license provides the
following services:
• Bring Your Own Device (BYOD)
• Profiling
• Endpoint Protection Service (EPS)
• TrustSec SGT
The Advanced license provides access to the same features as the Plus license, as well as additional
services. The Plus license does not include Base services.
Note
Some of the validation messages and alarms may report in terms of the Advanced license instead of the Plus
license. For example, attempting to install a Plus license without a Base license results in ISE incorrectly
reporting it as an attempt to install an Advanced license without a Base license. Similarly, ISE will report
the expiration of a Plus license as the expiration of an Advanced license.
For more detailed information on license types and obtaining licenses for Cisco ISE, see Cisco Identity
Service Engine Hardware Installation Guide, Release 1.2.
Cisco ISE, Release 1.2.x, supports licenses with two hardware IDs. You can obtain a license based on
the hardware IDs of both the primary and secondary Administration nodes. For more information on
Cisco ISE, Release 1.2.x licenses, see the Cisco Identity Services Engine Licensing Note.
Requirements for CA to Interoperate with Cisco ISE
While using a CA server with Cisco ISE, make sure that the following requirements are met:
• Key size should be 1024, 2048, or higher. On the CA server, the key size is defined using a certificate
template. You can define the key size on Cisco ISE using the supplicant profile.
• Key usage should allow signing and encryption in the extension.
• When GetCACapabilities is used through the SCEP protocol, the cryptography algorithm and request
hash should be supported. It is recommended to use RSA + SHA1.
• Online Certificate Status Protocol (OCSP) is supported. This is not directly used in BYOD, but a
CA that can act as an OCSP server can be used for certificate revocation.
New Features in Cisco ISE, Release 1.2.1
Cisco ISE, Release 1.2.1 offers the following features and services:
• New Plus License
• Certificate Renewal
• Upgrade Enhancements
New Plus License
Cisco ISE, Release 1.2.1 includes the new Plus license. The Plus license provides the following services:
• Bring Your Own Device (BYOD)
• Profiling
• Endpoint Protection Service (EPS)
• TrustSec SGT
The Advanced license provides access to the same features as the Plus license, as well as additional
services. The Plus license does not include Base services.
For more information, refer to the “Cisco ISE Licenses” chapter in the Cisco Identity Services Engine
User Guide, Release 1.2.
Certificate Renewal
This release of Cisco ISE allows users to renew certificates that have expired or are about to expire on
their personal devices.
By default, Cisco ISE rejects a request that comes from a device whose certificate has expired. However,
you can change this default behavior and configure ISE to process such requests and prompt the user to
renew the certificate.
If you choose to allow the user to renew the certificate, Cisco recommends that you configure an
authorization policy rule which checks if the certificate has been renewed before processing the request
any further. Processing a request from a device whose certificate has expired may pose a potential
security threat. Hence, you must configure appropriate authorization profiles and rules to ensure that
your organization’s security is not compromised.
Some devices allow you to renew certificates both before and after they expire. On Windows devices,
however, you can renew a certificate only before it expires. Apple iOS, Mac OSX, and Android devices
allow you to renew certificates before or after their expiry.
Newly Added Dictionary Attributes
The following attributes are added to the Cisco ISE certificate dictionary and are used in policy
conditions to allow a user to renew the certificate:
• Days to Expiry: This attribute provides the number of days for which the certificate is valid. You
can use this attribute to create a condition that can be used in authorization policy. This attribute can
take a value from 0 to 15. A value of 0 indicates that the certificate has already expired. A value of
1 indicates that the certificate has less than 1 day before it expires.
• Is Expired: This Boolean attribute indicates whether a certificate has expired or not.
Newly Added Authorization Policy Simple Condition
A new simple condition is now added that should be used in authorization policy to ensure that a
certificate (expired or about to expire) is renewed before Cisco ISE processes the request further. This
simple condition is called CertRenewalRequired.
CWA Redirect To Renew Certificates
If a user certificate is revoked before its expiry, Cisco ISE checks the CRL published by the CA and
rejects the authentication request. If a revoked certificate has expired, however, the CA may not publish
this certificate in its CRL. In this scenario, it is possible for Cisco ISE to renew a certificate that has been
revoked. To avoid this, before you renew a certificate, ensure that the request gets redirected to Central
Web Authentication (CWA) for a full authentication. You must create an authorization profile to redirect
the user for CWA.
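The renewal logic described in this section, including why the CWA redirect matters, as a simplified model added here (it is not Cisco ISE code). The function names, the decision labels, the 7-day renewal threshold, the clamping of longer lifetimes to 15, and the sample certificates and CRL are assumptions constructed for illustration.

```python
import math
from datetime import datetime, timedelta, timezone

MAX_DAYS_ATTR = 15  # upper bound of the attribute's range as given in the text


def days_to_expiry(not_after, now):
    """Model of 'Days to Expiry': 0 = already expired, 1 = less than one day left.
    Clamping longer lifetimes to 15 is an assumption of this sketch."""
    remaining = (not_after - now).total_seconds()
    if remaining <= 0:
        return 0
    return min(MAX_DAYS_ATTR, math.ceil(remaining / 86400))


def authorize(cert, crl_serials, now, *, allow_expired, redirect_to_cwa,
              cwa_passed=None, renew_within_days=7):
    """Return REJECT_REVOKED, REJECT_EXPIRED, PERMIT, REDIRECT_CWA,
    REJECT_CWA_FAILED or RENEW.
    renew_within_days is a hypothetical threshold, not an ISE default."""
    if cert["serial"] in crl_serials:
        return "REJECT_REVOKED"              # revoked and still listed in the CRL
    days = days_to_expiry(cert["not_after"], now)
    if days == 0 and not allow_expired:
        return "REJECT_EXPIRED"              # default behaviour for expired certificates
    if days > renew_within_days:
        return "PERMIT"                      # no renewal needed yet
    # From here on the certificate is expired or about to expire.
    if not redirect_to_cwa:
        return "RENEW"                       # renewal granted on the certificate alone
    if cwa_passed is None:
        return "REDIRECT_CWA"                # force a full authentication first
    return "RENEW" if cwa_passed else "REJECT_CWA_FAILED"


# Constructed sample data.
NOW = datetime(2014, 11, 5, 12, 0, tzinfo=timezone.utc)
CERTS = {
    "alice": {"serial": "0A01", "not_after": NOW + timedelta(days=90)},
    "bob":   {"serial": "0A02", "not_after": NOW + timedelta(hours=10)},
    # Revoked earlier, expired three days ago, and no longer listed by the CA.
    "carol": {"serial": "0A03", "not_after": NOW - timedelta(days=3)},
    # Revoked and still within its validity period, so the CRL lists it.
    "dave":  {"serial": "0A04", "not_after": NOW + timedelta(days=200)},
}
CRL = {"0A04"}


def carol_outcomes():
    """The revoked-then-expired certificate under three policy configurations."""
    cert = CERTS["carol"]
    return {
        "default": authorize(cert, CRL, NOW, allow_expired=False, redirect_to_cwa=True),
        "renew_without_cwa": authorize(cert, CRL, NOW, allow_expired=True,
                                       redirect_to_cwa=False),
        "renew_with_cwa": authorize(cert, CRL, NOW, allow_expired=True,
                                    redirect_to_cwa=True),
        "after_failed_cwa": authorize(cert, CRL, NOW, allow_expired=True,
                                      redirect_to_cwa=True, cwa_passed=False),
    }


if __name__ == "__main__":
    for name, outcome in carol_outcomes().items():
        print(f"{name:18} -> {outcome}")
```

In the `renew_without_cwa` case the CRL lookup finds nothing because the CA no longer lists the expired certificate, so the revoked identity is offered renewal; the CWA redirect closes that path.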
Upgrade Enhancements
Cisco ISE, Release 1.2.1 includes the following upgrade enhancements for a seamless upgrade
experience.
Virtual Machine Resource Checks
The upgrade software now checks if the virtual machine’s hardware (such as hard disk size, CPU speed,
etc.) meets the recommended specifications before it begins the upgrade. If the VM resources do not
meet the recommended specification, the upgrade will fail without making any changes to the existing
ISE installation. The console will display a message stating the minimum resource requirements and that
the upgrade can be retried after the virtual machine’s hardware has been updated to meet those
requirements.
Upgrade Bundle SHA-256 Checksum Verification
The upgrade software verifies the SHA-256 checksum of the upgrade bundle before starting the upgrade
process. This check ensures that the upgrade does not fail because of a corrupt upgrade bundle and leave
the system in a corrupt state. If the upgrade bundle is corrupted, the console displays a message asking the
administrator to re-download the upgrade bundle and try the upgrade again.
Monitoring Database Object Checks
In earlier releases, Cisco ISE upgrades have failed because of missing Monitoring database objects. In this
release, the upgrade software checks for the Monitoring database objects to ensure that they are present
before the upgrade begins. In the rare cases where the database objects are still missing, the administrator
must restore from a backup taken before the upgrade.
Enhanced Show Tech Support Command Output
The show tech-support command is enhanced and now includes the database health report, alert log
errors, processes that consume resources, database memory usage, and so on. This output is readable and
is also available in the Support Bundle. You can run the show tech-support command on demand to check
the health of the database. The output can help the administrator with troubleshooting, if needed.
Database Enhancements
This release includes several database enhancements that improve Cisco ISE performance. Index entries
and corrupt data blocks are identified before the upgrade begins.
New Features in Cisco ISE, Release 1.2.0
Cisco ISE, Release 1.2 offers the following features and services:
• Support for UCS Hardware
• Improved Performance and Scalability
• Mobile Device Management Interoperability with Cisco ISE
• MAB from Non-Cisco Switches
• Support for Universal Certificates
• Policy Sets
• Profiler Feed Service
• Logical Profiles
• Enhanced Guest and Sponsor Pages
• RADIUS Authentication Suppression
• Collection Filters
• Support for Secure Syslogs
• Support for Windows 2012 Active Directory
• Global Search
• Session Trace
• Enhancement to Client Provisioning
• Enhanced Reports and Alarms
• Enhancements to Live Authentications Page
• Enhancements to Cisco NAC Agent
• External RESTful Services
For more information on key features of Cisco ISE, see the “Overview” chapter in the Cisco Identity
Services Engine User Guide, Release 1.2.
Support for UCS Hardware
Cisco ISE, Release 1.2.0, supports Cisco Unified Computing System (UCS) C220 hardware, which is
shipped on the following platforms:
• SNS-3415 (small)
• SNS-3495 (large)
Refer to Table 3 for other platforms supported by Cisco ISE.
For more information, refer to the Cisco Identity Service Engine Hardware Installation Guide, Release
1.2.
Improved Performance and Scalability
Cisco ISE, Release 1.2.0 offers better performance and scale compared to previous versions. Cisco ISE
1.2 has moved from a 32-bit architecture to a 64-bit architecture, improving the overall performance
from 100,000 concurrent endpoints per ISE deployment in ISE 1.1.x to 250,000 concurrent endpoints in
ISE 1.2.
Mobile Device Management Interoperability with Cisco ISE
This release of Cisco ISE can interoperate with Mobile Device Management (MDM) servers to secure,
monitor, and support mobile devices that are deployed across mobile operators, service providers, and
enterprises.
Cisco ISE, Release 1.2.0 supports MDM servers from the following vendors:
• Airwatch, Inc.
• Good Technology
• MobileIron, Inc.
• Zenprise, Inc.
• SAP Afaria
• FiberLink Maas360
• Cisco Mobile Collaboration Management Services (MCMS)
For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.
MAB from Non-Cisco Switches
Cisco ISE, Release 1.2.0 supports Machine Authentication Bypass (MAB) from non-Cisco switches
using the Cisco ISE endpoints database.
For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.
Support for Universal Certificates
Cisco ISE, Release 1.2.0 supports the use of wildcard server certificates for HTTPS (web-based
services) and EAP protocols that use SSL/TLS tunneling. With the use of universal certificates, you no
longer have to generate a unique certificate for each Cisco ISE node. Also, you no longer have to
populate the SAN field with multiple FQDN values to prevent certificate warnings. Using an asterisk (*)
in the SAN field allows you to share a single certificate across multiple nodes in a deployment and helps
prevent certificate-name mismatch warnings.
For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.
Note
Universal certificates are referred to as wildcard certificates in the user guide.
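The check below is an added example, not part of the Cisco release notes or of Cisco ISE: it applies the usual TLS wildcard rule (the asterisk stands for exactly one left-most DNS label) to a planned SAN list and reports the node FQDNs that list would not cover. The function names and the example.com deployment are constructed for illustration.

```python
def san_covers(san, fqdn):
    """Return True if one dNSName SAN entry covers fqdn.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label: it never spans a dot and never matches the parent domain.
    Partial wildcards such as 'psn*.example.com' are treated as non-matching.
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = fqdn.lower().rstrip(".").split(".")
    if "" in host_labels or len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        # Everything to the right of the wildcard label must match exactly.
        return san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def uncovered_nodes(san_entries, node_fqdns):
    """Return the node FQDNs that no SAN entry covers (name-mismatch candidates)."""
    return [n for n in node_fqdns
            if not any(san_covers(s, n) for s in san_entries)]


# Constructed sample deployment (hypothetical names).
SAN_ENTRIES = ["*.ise.example.com"]
NODES = [
    "pan1.ise.example.com",      # covered
    "mnt1.ise.example.com",      # covered
    "PSN1.ise.example.com",      # covered: DNS names compare case-insensitively
    "psn2.dc2.ise.example.com",  # not covered: one label deeper than the wildcard
    "ise.example.com",           # not covered: the wildcard does not match the parent
]

if __name__ == "__main__":
    for node in uncovered_nodes(SAN_ENTRIES, NODES):
        print("not covered by certificate SAN:", node)
```

Nodes that sit in a deeper subdomain, or on the bare parent domain, need their own SAN entry in the shared certificate.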
Policy Sets
This release of Cisco ISE allows you to create sets of authentication and authorization policies for various
use cases. Policy sets are similar to access services in Cisco Secure ACS 5.x releases.
For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.
Profiler Feed Service
Cisco ISE, Release 1.2.x provides a profiler feed service for publishing new profile definitions, updated
profile definitions, and new OUI databases posted from IEEE.
With the introduction of the profiler feed service, the profiler conditions, exception actions, and NMAP
scan actions are classified as Cisco provided or administrator created (see the System Type attribute) in
Cisco ISE. Also, endpoint profiling policies are classified as Cisco provided, administrator created, or
administrator modified (see the System Type attribute). You can perform different operations on the
profiler conditions, exception actions, NMAP scan actions, and endpoint profiling policies depending on
the System Type attribute.
You can retrieve new and updated endpoint profiling policies and the updated OUI database as a feed
from a designated Cisco feed server through a subscription in Cisco ISE. You can also receive email
notifications at an administrator email address that is configured for applied, success, and failure
messages. You can also provide additional subscriber information to receive notifications. You can send
the subscriber information back to Cisco to maintain the records; this information is treated as
privileged and confidential.
Note
To ensure that the most up-to-date OUI database is installed, run the feed service after any Cisco ISE
patch or maintenance installation.
For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.
Logical Profiles
Cisco ISE profiles can be grouped in logical profiles. A logical profile is a container for a category of
profiles or associated profiles, irrespective of Cisco-provided or administrator-created endpoint profiling
policies. An endpoint-profiling policy can be associated with multiple logical profiles.
You can use the logical profile in an authorization-policy condition to help create an overall
network-access policy for a category of profiles.
For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.
Enhanced Guest and Sponsor Pages
This release of Cisco ISE provides new default themes for the Guest and Sponsor portal pages. You can
customize the pages by uploading logos and editing the color schemes.
When guests access the Guest portal using a mobile device, they are routed automatically to a
mobile-optimized version of the Guest portal.
For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.
RADIUS Authentication Suppression
This release of Cisco ISE allows you to configure RADIUS settings to detect the clients that fail to
authenticate and to suppress the repeated reporting of successful authentications.
For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.
Collection Filters
You can configure collection filters to suppress syslog messages being sent to the monitoring and
external servers. The suppression can be performed at the Policy Service Node level based on different
attribute types.
For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.
Support for Secure Syslogs
Cisco ISE, Release 1.2.0 can be configured to send secure syslogs to Monitoring nodes and between
Cisco ISE nodes, by enabling TLS-protected syslog collectors.
For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.
Support for Windows 2012 Active Directory
Cisco ISE, Release 1.2.0 supports Microsoft Windows 2012 Active Directory.
Global Search
Cisco ISE, Release 1.2.0 provides a system-wide endpoint search box that you can use to quickly find
and filter endpoints and users on a network. The search result includes detailed session information
about each of the matching results, such as the type of access, location, endpoint MAC and IP address,
and authorization profile. You can also export these results for further analysis.
For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.
Session Trace
Cisco ISE, Release 1.2.0 provides more efficient troubleshooting functionality. After search results are
displayed, you can click the “play” button for more details. A new detailed screen with full session
information for the endpoint is displayed.
For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.
Enhancement to Client Provisioning
Starting from Cisco ISE Release 1.2.0, it is mandatory to include the client provisioning URL in the
authorization policy to enable the NAC Agent to pop up on client machines. This prevents requests
from arbitrary clients and ensures that only clients with the proper redirect URL can request posture
assessment.
For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.
Enhanced Reports and Alarms
Cisco ISE, Release 1.2.0 reports are enhanced with a new look and feel that is simpler and easier
to use. The reports are grouped into logical categories for information related to authentication, session
traffic, device administration, configuration and administration, and troubleshooting. A new scheduling
service allows you to queue reports and receive notification when they are available.
Table 5  Changes to Reports in Cisco ISE, Release 1.2
Report Name | Change
Endpoint Time to Profiler | Removed
Authentication Failure Code Lookup | Removed
Network Device Log Message | Removed
PAC Provisioning | Removed
Policy CoA | Removed
Posture Trend | Removed
Endpoint Operations History | Removed
AAA Down Summary | Removed. If a AAA server is down, you can see it on the dashboard and in the Health Summary report.
TOP N AAA Down by Network Device | Removed. If a AAA server is down, you can see it on the dashboard and in the Health Summary report.
Authentication Trend | Renamed as Authentication Summary report.
TOP N Authentication by Allowed Protocol | Moved to the Authentication Summary report. You can filter the report by Allowed Protocols.
Server Authentication Summary | Moved to the Authentication Summary report. You can filter the report by Server.
TOP N Authentication by Server | Moved to the Top N Authentication report. You can filter the report by Server.
TOP N Authentication by Machine | Renamed as Top N Authentication by Endpoint.
Failure Reason Authentication Summary | Moved to the Authentication Summary report. You can filter the report by Failure Reason.
TOP N Authentication by Network Device | Moved to the Authentication Summary report. You can filter the report by Network Device.
Session Status Summary | Renamed as Network Device Session Status report.
User Authentication Summary | Moved to the Authentication Summary report. You can filter the report by User.
Radius Terminated Sessions | Moved to the Session View report. You can filter the report by Terminated Sessions.
In Cisco ISE, Release 1.2.0, a new dashlet on the dashboard allows you to enable and disable
alarms and make minor configuration changes. The following is a list of alarms that are removed in Cisco
ISE, Release 1.2:
• Administrator Account Disabled
• Max Administrator Sessions Exceeded
• Restore Successful
• Purge Backup Success
• Replication Syn Failure
• High CPU Utilization
• Purge Failure
• Purge Success
• Application Exceeded Maximum Disk space
• Base License count
• Advanced License count
• Admin Account Lockout
• NTP Server not Reachable
• Disk Cleanup
• Successful Node Registration
• Successful Patch Install
• Successful Patch RollBack
• Successful Node Deregistration
• Successful Update Node
• UnSuccessful Add Node
• UnSuccessful Patch Install
• UnSuccessful Patch Roll Back
• UnSuccessful Remove Node
• UnSuccessful Update Node
For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2.
Enhancements to Live Authentications Page
The Live Authentications page on the Cisco ISE dashboard shows the details corresponding to
authentication entries. In addition to these live authentication entries, the Live Authentications page is
enhanced to show the live-session entries. You can also get a detailed report on a session.
For more information on the enhancements to the Authentications page, see the Cisco Identity Services
Engine User Guide, Release 1.2.
Enhancements to Cisco NAC Agent
The following enhancements have been added to Cisco NAC Agent in Cisco ISE, Release 1.2.0.
Cisco NAC Agent for Windows
• Support for the Polish Language.
• Support for the Microsoft Windows 8 Operating System. In Windows 8, Internet Explorer 10 has
  two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot
  download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX
  controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. If users
  are still not able to download Cisco NAC agent, check and enable “compatibility mode.”
• Support for the Log Packager option in the Agent Icon to collect support logs.
• New for Cisco ISE 1.2.0 patch 3: support for Microsoft Windows 8.1.
Cisco NAC Agent for Mac OS X
• Support for the Collect Support Logs option in the Agent Icon to collect Agent logs and support
  information.
• Notification screen appears automatically when the Agent window is buried by other windows.
• Support for the Acceptable Use Policy (AUP).
• New for Cisco ISE 1.2.0 patch 3: support for Mac OS X 10.9.
External RESTful Services
External RESTful Services (ERS) is a new Cisco ISE component that allows you to perform Create,
Read, Update, and Delete (CRUD) operations on Cisco ISE resources. ERS also allows you to run
advanced queries against the Cisco ISE database and perform bulk operations such as mass updates or
deletions.
ERS is based on HTTPS and REST methodology. These APIs provide an interface to the ISE
configuration data by enabling CRUD operations on internal user identities, endpoints, endpoint groups,
identity groups, SGTs, and profiler policies.
Refer to the Cisco Identity Services Engine API Reference Guide, Release 1.2 for more information.
Known Issues in Cisco ISE, Release 1.2.x
• Mobile Devices Without VLAN
• Web Portal Customization for the Russian Language
• Device Registration Portal
• Cisco ISE Hostname Character Length Limitation with Active Directory
• Windows Internet Explorer 8 Known Issues
  – Issue Accessing the Cisco ISE Administrator User Interface
  – User Identity Groups Issue
• Known Supplicant Compatibility Issue Involving VLAN Change Operation on Windows Client Machines
• Issues with Message Size in Monitoring and Troubleshooting
• Issues with Accessing Monitoring and Troubleshooting
• Inline Posture Restrictions
• Custom Language Templates
• Issues with Monitoring and Troubleshooting Restores
• Issue with Network Device Session Status Report
• BYOD Connectivity Issue with Devices running Windows 7
• Issue with Converged Access Switches
• Issue with Cisco ISE Mapping to OUI
Mobile Devices Without VLAN
When a mobile device completes the guest flow without VLAN/IP refresh enabled in the Guest Portal,
it matches the permit access authorization policy, followed by a CoA termination that deletes the session.
The device then goes through the guest flow again and forms a loop.
Web Portal Customization for the Russian Language
When you want to customize a web portal to use the Russian language template, the Browser Locale
Mapping for the Russian template is “ru-ru.” However, this default mapping does not work on iPhones.
If you encounter this issue, you can create a duplicate template with the Browser Locale Mapping set to
“ru.”
Device Registration Portal
When a guest user registers a device using its MAC address, the device does not appear in the Device
Registration Portal under the list of Registered Devices. This issue is seen in secondary Policy Service
nodes in a distributed deployment and occurs because of replication latency issues.
As a workaround, click the Refresh button to view the newly registered device.
Cisco ISE Hostname Character Length Limitation with Active Directory
It is important that Cisco ISE hostnames be limited to 15 characters or fewer if you use Microsoft Active
Directory on the network. Active Directory does not validate hostnames longer than 15 characters. This
can cause a problem if you have multiple Cisco ISE hosts in your deployment that have hostnames longer
than 15 characters. If the first 15 characters are identical, Active Directory will not be able to distinguish
them.
Windows Internet Explorer 8 Known Issues
• Issue Accessing the Cisco ISE Administrator User Interface
• User Identity Groups Issue
Issue Accessing the Cisco ISE Administrator User Interface
When you access the Cisco ISE administrator user interface using the host IP address as the destination
in the Internet Explorer 8 address bar, the browser automatically redirects the session to a different
location. This situation occurs when you install a real SSL certificate issued by a certificate authority
like VeriSign.
If possible, we recommend using the Cisco ISE hostname or fully qualified domain name (FQDN) that
was used to create the trusted SSL certificate to access the administrator user interface via Internet
Explorer 8.
User Identity Groups Issue
If you create and operate 100 or more User Identity Groups, a script in the Cisco ISE administrator user
interface can cause Internet Explorer 8 to run slowly, looping until a pop-up appears asking you if you
want to cancel the running script. (If the script continues to run, your computer might become
unresponsive.)
Known Supplicant Compatibility Issue Involving VLAN Change Operation on Windows Client Machines
There is a known issue with the Intel Supplicant version 12.4.x for Windows client machines with regard
to a VLAN change for wireless deployments. The client machine has no connectivity because the NIC
IP address is in the compliant/non compliant VLAN when it should be in the pre posture/pending VLAN.
Note
This issue affects any supplicant that cannot perform an IP address refresh on a VLAN change in a
wireless environment. This issue is related to the VLAN detect (Access VLAN to Authentication VLAN
change) functionality, where the Cisco NAC Agent is not working correctly with wireless adapters.
Issues with Message Size in Monitoring and Troubleshooting
Cisco ISE monitoring and troubleshooting functions are designed to optimize data collection
performance for messages of 8k in size. As a result, you may notice a slightly different message
performance rate when regularly compiling messages of 2k in size.
Issues with Accessing Monitoring and Troubleshooting
Although more than three concurrent users can log into Cisco ISE and view monitoring and
troubleshooting statistics and reports, more than three concurrent users accessing Cisco ISE can result
in unexpected behavior like (but not limited to) monitoring and troubleshooting reports and other pages
taking excessive amounts of time to launch, and the application server restarting on its own.
Inline Posture Restrictions
• Inline Posture is not supported in a virtual environment, such as VMware.
• The Simple Network Management Protocol (SNMP) Agent is not supported by Inline Posture.
• The Cisco Discovery Protocol (formerly known as CDP) is not supported by Inline Posture.
Custom Language Templates
If you create a custom-language template with a name that conflicts with a default template name, the
template is automatically renamed after an upgrade and restore. After an upgrade and restore, default
templates revert back to their default settings, and any templates with names that conflict with the default
names are renamed as follows: user_{LANG_TEMP_NAME}.
Issues with Monitoring and Troubleshooting Restores
During a Monitoring and Troubleshooting restore, the Cisco ISE application on the Monitoring node
restarts and the GUI is unavailable until the restore completes.
Issue with Network Device Session Status Report
The Network Device Session Status report hangs during report generation. If the network device is not
configured with SNMP and the SNMP community string is not provided, the report generation hangs
and never completes.
The workaround for this issue is to enter the SNMP credentials while launching the Network Device Session
Status report. If a large number of network devices are configured in ISE, it is recommended
to provide the snmpCommunity value along with the networkDeviceIP.
BYOD Connectivity Issue with Devices running Windows 7
Devices running the Windows 7 operating system do not connect by default if an "invalid" security certificate
is presented from the server side. This issue is seen if self-signed certificates are in use, or if the
certificate is signed by a root CA that is not in the trusted list of the client.
The workaround for this issue is to create a PEAP network profile before connecting to the Single SSID
BYOD network. After a PEAP network profile is created, Windows 7 displays a user prompt.
Issue with Converged Access Switches
The currently available IOS releases for converged access switches, such as 3850 or 3650, may not send
Calling-Station-ID in the RADIUS accounting requests, which may result in incorrect session states and
endpoint profiles in ISE. Enter the following commands on the switch to ensure that the ISE data is
updated appropriately.
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
See Also CSCuo46999.
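One way to confirm from captured traffic that a switch now sends Calling-Station-ID, as an added example (not Cisco code): it parses RADIUS packets using the RFC 2865/2866 layout and flags Accounting-Requests that omit attribute 31 or carry it in a form other than hyphen-separated upper-case hex. The packets are constructed samples, the function names are illustrative, and the Request Authenticator is not verified.

```python
import re
import struct

ACCOUNTING_REQUEST = 4      # RFC 2866 packet code
CALLING_STATION_ID = 31     # RFC 2865 attribute type
ACCT_STATUS_TYPE = 40       # RFC 2866 attribute type
ACCT_SESSION_ID = 44        # RFC 2866 attribute type
HEADER_LEN = 20             # code + identifier + length + 16-byte authenticator

# Assumption: "mac format ietf upper-case" yields XX-XX-XX-XX-XX-XX.
IETF_UPPER_MAC = re.compile(r"[0-9A-F]{2}(?:-[0-9A-F]{2}){5}")


def parse_radius(packet):
    """Return (code, identifier, {attr_type: [raw values]}) for one RADIUS packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match packet")
    attrs = {}
    pos = HEADER_LEN
    while pos < length:                      # bytes past 'length' are padding
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, ident, attrs


def verdict_for(code, attrs):
    """Classify one parsed packet with respect to Calling-Station-Id."""
    if code != ACCOUNTING_REQUEST:
        return "not-accounting"
    values = attrs.get(CALLING_STATION_ID)
    if not values:
        return "missing-calling-station-id"
    mac = values[0].decode("ascii", "replace")
    return "ok" if IETF_UPPER_MAC.fullmatch(mac) else "unexpected-format"


def audit(packets):
    """Return [(acct_session_id, verdict)] for a list of raw RADIUS packets."""
    results = []
    for pkt in packets:
        try:
            code, _, attrs = parse_radius(pkt)
        except ValueError as exc:
            results.append(("?", "malformed: %s" % exc))
            continue
        sid = attrs.get(ACCT_SESSION_ID, [b"?"])[0].decode("ascii", "replace")
        results.append((sid, verdict_for(code, attrs)))
    return results


def build_packet(code, ident, attrs):
    """Build a sample packet; the authenticator is zero-filled (constructed data)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body


START = (ACCT_STATUS_TYPE, b"\x00\x00\x00\x01")   # Acct-Status-Type = Start
# Constructed sample packets, not captured traffic.
SAMPLES = [
    build_packet(4, 1, [START, (ACCT_SESSION_ID, b"sess-0001"),
                        (CALLING_STATION_ID, b"00-11-22-AA-BB-CC")]),
    build_packet(4, 2, [START, (ACCT_SESSION_ID, b"sess-0002")]),
    build_packet(4, 3, [START, (ACCT_SESSION_ID, b"sess-0003"),
                        (CALLING_STATION_ID, b"0011.22aa.bbcc")]),
]
SAMPLES.append(SAMPLES[0][:-3])                   # truncated copy of the first packet

if __name__ == "__main__":
    for session_id, verdict in audit(SAMPLES):
        print(session_id, verdict)
```

Sessions flagged as missing-calling-station-id are the ones for which ISE cannot tie the accounting record to an endpoint MAC address.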
Issue with Cisco ISE Mapping to OUI
After installing or upgrading to Cisco ISE 1.2.1, the OUI entries may be missing in the database, which
might result in the endpoints matching incorrect authorization policies. You need to run the feed service
to update the OUI. It is recommended to run the feed service after the patch installation to ensure that
the latest OUIs are installed.
Cisco ISE Installation Files, Updates, and Client Resources
You can use the following three resources to download files to provision and provide policy service updates:
• Cisco ISE Downloads from the Download Software Center
• Cisco ISE Live Updates
• Cisco ISE Offline Updates
Cisco ISE Downloads from the Download Software Center
In addition to the .ISO installation package required to perform a fresh installation of Cisco ISE as
described in Installing Cisco ISE Software, page 7, you can use the Download software web page to
retrieve other Cisco ISE software elements, like Windows and Mac OS X agent installers and AV/AS
compliance modules.
Downloaded agent files may be used for manual installation on a supported endpoint or used with
third-party software distribution packages for mass deployment.
To access the Cisco Download Software center and download the necessary software:
Step 1
Go to the Download Software web page at
http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login
credentials.
Step 2
Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine >
Cisco Identity Services Engine Software.
Choose from the following Cisco ISE installers and software packages available for download:
• Cisco ISE installer .ISO image
• Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants
• Windows client machine agent installation files (including MST and MSI versions for manual
  provisioning)
• Mac OS X client machine agent installation files
• AV/AS compliance modules
Step 3
Click Download or Add to Cart.
Cisco ISE Live Updates
Cisco ISE Live Update locations allow you to automatically download Supplicant Provisioning Wizard,
Cisco NAC Agent for Windows and Mac OS X, AV/AS support (Compliance Module), and agent
installer packages that support client provisioning and posture policy services. These live update portals
should be configured in Cisco ISE upon initial deployment to retrieve the latest client provisioning and
posture software directly from Cisco.com to the Cisco ISE appliance.
Prerequisite:
If the default Update Feed URL is not reachable and your network requires a proxy server, you may need
to configure the proxy settings in Administration > System > Settings > Proxy before you are able to
access the Live Update locations. If proxy settings are enabled to allow access to the profiler and
posture/client provisioning feeds, access to the internal MDM server breaks because Cisco ISE
cannot bypass proxy services for MDM communication. To resolve this, you can configure the proxy
service to allow internal communication to the MDM servers.
For more information on proxy settings, see the “Specifying Proxy Settings in Cisco ISE” section in the
“Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2.
Client Provisioning and Posture Live Update portals:
• Client Provisioning portal—https://www.cisco.com/web/secure/pmbu/provisioning-update.xml
  The following software elements are available at this URL:
  – Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants
  – Windows versions of the latest Cisco ISE persistent and temporal agents
  – Mac OS X versions of the latest Cisco ISE persistent agents
  – ActiveX and Java Applet installer helpers
  – AV/AS compliance module files
  For more information on automatically downloading the software packages that become available at
  this portal to Cisco ISE, see the “Downloading Client Provisioning Resources Automatically”
  section of the “Configuring Client Provisioning” chapter in the Cisco Identity Services Engine User
  Guide, Release 1.2.
• Posture portal—https://www.cisco.com/web/secure/pmbu/posture-update.xml
  The following software elements are available at this URL:
  – Cisco predefined checks and rules
  – Windows and Mac OS X AV/AS support charts
  – Cisco ISE operating system support
  For more information on automatically downloading the software packages that become available at
  this portal to Cisco ISE, see the “Downloading Posture Updates Automatically” section of the
  “Configuring Client Posture Policies” chapter in the Cisco Identity Services Engine User Guide,
  Release 1.2.
If you do not enable the automatic download capabilities described above, you can choose to download
updates offline. See Cisco ISE Offline Updates, page 26.
Cisco ISE Offline Updates
Cisco ISE offline updates allow you to manually download Supplicant Provisioning Wizard, agent,
AV/AS support, compliance modules, and agent installer packages that support client provisioning and
posture policy services. This option allows you to upload client provisioning and posture updates when
direct Internet access to Cisco.com from a Cisco ISE appliance is not available or not permitted by a
security policy.
Offline updates are not available for Profiler Feed Service.
To upload offline client provisioning resources, complete the following steps:
Step 1
Go to the Download Software web page at
http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login
credentials.
Step 2
Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine >
Cisco Identity Services Engine Software.
Choose from the following Off-Line Installation Packages available for download:
• win_spw-<version>-isebundle.zip — Off-Line SPW Installation Package for Windows
• mac-spw-<version>.zip — Off-Line SPW Installation Package for Mac OS X
• compliancemodule-<version>-isebundle.zip — Off-Line Compliance Module Installation
  Package
• macagent-<version>-isebundle.zip — Off-Line Mac Agent Installation Package
• nacagent-<version>-isebundle.zip — Off-Line NAC Agent Installation Package
• webagent-<version>-isebundle.zip — Off-Line Web Agent Installation Package
Step 3
Click Download or Add to Cart.
For more information on adding the downloaded installation packages to Cisco ISE, refer to the “Adding
Client-Provisioning Resources from a Local Machine” section of the “Configuring Client Provisioning”
chapter in the Cisco Identity Services Engine User Guide, Release 1.2.
You can update the checks, operating system information, and antivirus and antispyware support charts
for Windows and Macintosh operating systems offline from an archive on your local system using
posture updates.
For offline updates, you need to ensure that the versions of the archive files match the version in the
configuration file. Use offline posture updates when you have configured Cisco ISE and want to enable
dynamic updates for the posture policy service.
To upload offline posture updates, complete the following steps:
Step 1
Go to https://www.cisco.com/web/secure/pmbu/posture-offline.html.
Save the posture-offline.zip file to your local system. This file is used to update the operating system
information, checks, rules, and antivirus and antispyware support charts for Windows and Macintosh
operating systems.
Step 2
Access the Cisco ISE administrator user interface and choose Administration > System > Settings >
Posture.
Step 3
Click the arrow to view the settings for posture.
Step 4
Choose Updates. The Posture Updates page appears.
Step 5
From the Posture Updates page, choose the Offline option.
Step 6
From the File to update field, click Browse to locate the single archive file (posture-offline.zip) from the
local folder on your system.
Note
The File to update field is a required field. You can only select a single archive file (.zip) that
contains the appropriate files. Archive files other than .zip (like .tar, and .gz) are not allowed.
Step 7
Click the Update Now button.
Once updated, the Posture Updates page displays the current Cisco updates version information under
Update Information.
Using the Bug Search Tool
This section explains how to use the Bug Search Tool to search for a specific bug or to search for all bugs
in a release.
• Search Bugs Using the Bug Search Tool
• Export to Spreadsheet
Search Bugs Using the Bug Search Tool
In Cisco ISE, use the Bug Search Tool to view the list of outstanding and resolved bugs in a release. This
section explains how to use the Bug Search Tool to search for a specific bug or to search for all the bugs
in a specified release.
Step 1
Go to https://tools.cisco.com/bugsearch/search.
Step 2
At the Log In screen, enter your registered Cisco.com username and password; then, click Log In. The
Bug Toolkit page opens.
Note
If you do not have a Cisco.com username and password, you can register for them at
http://tools.cisco.com/RPF/register/register.do.
Step 3
To search for a specific bug, enter the bug ID in the Search For field and press Enter.
Step 4
To search for bugs in the current release:
a. Click the Select from list link. The Select Product page is displayed.
b. Choose Security > Access Control and Policy > Cisco Identity Services Engine.
c. Click OK.
d. When the search results are displayed, use the filter tools to find the types of bugs you are looking
   for. You can search for bugs based on different criteria such as status, severity, and modified date.
Export to Spreadsheet
The Bug Search Tool provides the following option to export bugs to an Excel spreadsheet:
• Click the Export Results to Excel link in the Search Results page under the Search Bugs tab to export
  all the bug details from your search to the Excel spreadsheet. Presently, up to 10000 bugs can be
  exported at a time to an Excel spreadsheet.
If you are unable to export the spreadsheet, log into the Technical Support Website at
http://www.cisco.com/cisco/web/support/index.html for more information or call Cisco TAC
(1-800-553-2447).
Cisco ISE, Release 1.2.1.198 Patch Updates
The following patch releases apply to Cisco ISE release 1.2.1:
Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 1
Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 3
Table 6 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.1.198 cumulative
patch 3.
To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2.1, log in to the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to
your system.
Table 6  Cisco ISE Patch Version 1.2.1.198-Patch 3 Resolved Caveats
Caveat  Description
CSCuq01548
ISE posture dropped during Change of Authorization (CoA) due to invalid HTTP
User-Agent [Trident 7.0].
This fix addresses an issue where a third-party User-Agent does not allow the
download of the NAC agent.
CSCuq02222
The Simple Network Management Protocol (SNMP) Query probe failed to
discover endpoints using periodic polling.
This fix addresses an issue where the ARP table failed to discover the MAC
addresses of endpoints that were connected to a Catalyst switch using the SNMP
Query probe.
CSCup88315
Apple iOS 8 beta failing External Web Authentication (WebAuth) with ISE.
This fix addresses an issue where Apple devices running iOS 8 beta software
failed to complete external web authentication.
CSCum41138
NAS IP Address showing MnT address in ISE live logs after CoA REST API.
This fix addresses an issue in the Operations > Authentications > Show Live
Authentications page. The NAS IP Address field failed to display the IP address
of the network device, when Change of Authorization (CoA) was triggered via
the Rest API.
CSCun74636
OSX Mavericks is profiled as Apple device based on incorrect User-Agent.
This fix addresses an issue where Cisco ISE failed to identify OSX Mavericks
device based on the endpoint profiling policies.
CSCun00427
ISE 1.2 match operator returns true when LHS is NULL and RHS is constant.
This fix addresses an issue that occurred when there was a MATCHES operator
in a rule/policy: if the LeftHandSide of the rule/policy was returning NULL value
and the RightHandSide was CONSTANT, the operator was getting evaluated as
TRUE. The operator is now evaluated as FALSE.
CSCui08084
Guest user is not terminated on the switch when suspended via Edit Account.
This fix addresses an issue with the Guest Account created using the Sponsor
Portal. When suspending the Guest Account, the Account was suspended but the
wired session on the switch was not terminated.
CSCuq26320
EAP-FAST authenticated provisioning with Android doesn't work
This fix addresses an issue where EAP-FAST authentication for specific Android
versions was not working.
CSCun75458
ISE Apache Struts 2 vulnerabilities.
Previous versions of Cisco ISE included a version of Apache Struts2 that is
affected by the vulnerabilities identified by the following Common Vulnerability
and Exposures (CVE) IDs:
CVE-2014-0050, CVE-2014-0094
CSCuo63900
ISE Apache Struts 1 vulnerabilities.
This product includes a version of third-party software that is affected by the
vulnerabilities identified by the following Common Vulnerability and Exposures
(CVE) IDs:
CVE-2014-0112, CVE-2014-0114
Cisco has analyzed these vulnerabilities and concluded that the product is not
impacted.
CSCur00532
ISE evaluation for CVE-2014-6271 and CVE-2014-7169 (AKA ShellShock).
This fix addresses an issue in ISE nodes that are SSH enabled. If SSH is enabled,
a remote user with ISE CLI credentials will be able to exploit the vulnerability
and run generic Linux commands.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from
multiple sources. This includes the CVSS score assigned by the third-party
vendor when available. The CVSS score assigned may not reflect the actual
impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at
the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Workaround Disable SSH and reload ISE node as follows:
ise1/admin# configure terminal
ise1/admin(config)# no service sshd enable
ise1/admin(config)# end
ise1/admin# reload
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Continue with reboot? [y/n] y
CSCul28451
RADIUS Accounting Report “Account Session Time” blank.
This fix addresses an issue in the Operations > Reports > Auth Services Status >
Radius Accounting page. In the click here for Accounting detail report option for
the Stop Account Status Type, the Account Session field did not display the
difference between a session’s start and stop time.
CSCup79399
Cisco ISE-related reports return blank page while launching from PI.
This fix addresses an issue where all Cisco ISE reports opened from Cisco Prime
Infrastructure resulted in a “Web page not available” error.
CSCul16354
Supplicant Provisioning Wizard (SPW) cannot be set up for MAC And Windows
without Java.
The fix addresses an issue where SPW did not install on MAC and Windows
without the support of Java.
CSCuj64206
Parent Endpoint Identity Group cannot be created in Windows 7, Internet
Explorer 10.
This fix addresses an issue when an Endpoint Identity Group could not be created
without a Parent Group in Windows 7 Internet Explorer 10. The following error
message was displayed: “Invalid group name. Please select a parent group from
the list displayed.”
Workaround Use Internet Explorer 8.
CSCuq11441
ISE posture was dropped via Change of Authorization (CoA) due to invalid
HTTP User-Agent [Trident 5.0]
This fix addresses an issue where the posture validation was dropped via CoA
terminate because of an unknown User-Agent.
Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 2
Table 7 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.1.198 cumulative
patch 2.
To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2.1, log in to the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to
your system.
Table 7  Cisco ISE Patch Version 1.2.1.198-Patch 2 Resolved Caveats
Caveat  Description
CSCul21337
The Posture Troubleshooting tool was vulnerable to blind SQL injection.
This fix addresses an issue where a vulnerability in the web framework of Cisco ISE
may allow an attacker to impact the integrity by executing arbitrary SQL queries.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 6.5/5.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2014-3275 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3275
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCul39011
The Mobile Device Management (MDM) client failed to reject queries when MDM
server was not responding.
This fix addresses an issue where timeouts were caused when the MDM server was
not reachable during authorization policy evaluation.
CSCul58758
Redirected to null page in the browser after Local Web Authentication (LWA) flow
with WLC-5500 series.
This fix addresses an issue where a guest user enters the username and password in
the Guest Login page, but is not redirected to the specified URL.
CSCul86970
GUI does not display the Allow only listed IP addresses option to connect.
This fix addresses an issue in the Admin Access settings page, where the following
option was not displayed in the UI: Allow only listed IP addresses to connect.
CSCum37237
Insufficient permission error with bulk import of guest account.
This fix addresses an issue where an error message was encountered when sponsors
imported and printed guest usernames, formed from the guests' email addresses.
CSCum57372
NAS identifier does not appear in the authentication details in the web UI.
This fix addresses an issue where the Network Access Server (NAS) Identifier
information did not appear in the Authentication Details page.
CSCun28502
Sponsor, My Devices, and Guest portals do not have a defined character limit.
This fix addresses an issue in the Administration > Web Portal Management >
Settings page. The Sponsor, My Devices, and Guest portals contain the Language
Template option. The Language Template option contains a list of configurations.
The text fields in each configuration allow any one of the following character counts:
128, 512, 256, or 4000. An error message was displayed for specific fields, such as
AUP and Notifications, when the character limit was above 4000 characters.
CSCun74285
ISE safe mode did not bypass admin portal certificate authentication.
This fix addresses an issue where ISE safe mode did not bypass user certificate
authentication and did not enable local admin credentials.
CSCun74460
Incorrect Daylight Saving Time (DST) time zone offset in ISE affects remote syslog
targets.
This fix addresses an issue where the DST time zone offset was incorrect in the prrt
log.
CSCun84251
Error after application ise reset-config on 1.2.0.899 Patch 6.
This fix addresses an issue where an error was found when the application
reset-config ise command was run.
CSCun94304
ISE RSA server configuration may fail to replicate to PSNs.
This fix addresses an issue where the RSA configuration (sdconf.rec) did not load
properly and data did not replicate from the PAP node to other nodes.
CSCuo13099
ISE Sponsor, email ID used as username with space in it, throws an error.
This fix addresses an issue where the guest user email IDs with spaces encountered
an error when used in usernames.
CSCuo39442
ISE 1.2 does not validate remote log target names.
This fix addresses an issue where the Remote Logging Target names displayed in the
Administration > System > Logging > Remote Logging Targets page reported the
following error message: Name should not contain space(s) or any of the following
characters: ! % ^ : ; , [ { | } ] \ ` " = ?. The above error message was displayed even
though hyphen or period was used.
CSCuo58919
Endpoint static group assignment toggles between true or false option every 55
seconds.
This fix addresses an issue where the Static Group Assignment check box in the
Administration > Identity Management > Identities > Endpoints page toggled
between true or false value every 55 seconds.
CSCuo63448
Modifying the ISE parent profile disables child profile.
This fix addresses an issue where in the Profiling Policies page, on modifying a
parent profile, endpoints failed to reach the correct profile policy.
CSCuo75506
ISE authorization profile with Central WebAuth (CWA) and custom guest portal
does not redirect to default settings.
This fix addresses an issue where a CWA authorization profile was configured and
if the CWA authorization profile was edited again, the changes were displayed only
in the UI, but failed to reflect in the attributes.
CSCuo88571
The IP release renew operation was not performed on Mac OSX devices.
This fix addresses an issue where a user logged into the guest portal was unable to
renew the IP address after clicking Accept in the Acceptable Use Policy (AUP) page.
CSCup33018
Apple iOS 8 beta fails Native Supplicant Provisioning flow.
This fix addresses an issue where with single or dual SSIDs, Apple devices running
iOS 8 beta software failed to complete provisioning.
CSCup50216
ISE 1.2+ API update was overwritten by the profiler.
This fix addresses an issue where the ERS API failed to update existing endpoints in
static groups.
CSCup51902
Exporting active endpoints does not work from the admin node.
This fix addresses an issue where exporting active endpoints from a Cisco ISE server
Administration node did not work.
CSCup63424
Downloading software to effect release or renew of guest virtual LAN (VLAN) was
not accomplished.
This fix addresses an issue where the IP address release or renew operation in the
VLAN release or renew page, was nonfunctional when it was not the latest version
of the Java Applet.
CSCup99806
Custom data access permissions were not working as expected.
This fix addresses an issue where Custom data access permission did not work
according to the mapped RBAC policy in the Network Device page.
Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 1
Table 8 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.1.198 cumulative
patch 1.
To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2.1, log in to the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to
your system.
Table 8  Cisco ISE Patch Version 1.2.1.198-Patch 1 Resolved Caveats
Caveat  Description
CSCty01787
Error in Generating XML Output for EndPointIPAddress API
This fix addresses an issue where an internal error was displayed in the XML when
calling the EndPointByIPAddress API for a given IP address appearing in the
AuthSessionList.
CSCul25066
ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service
This fix addresses an issue where customers upgrading to ISE 1.2 who had the
Wireless Upgrade license to add advanced license functionality to their deployment
received the following alert: “Feed Service error : The Advance License installed on
the ISE nodes have been expired.”
CSCul29344
ISE 1.2 HTML Custom Pages for Different Portals Not Working
This fix addresses an issue where the sample HTML for custom Guest Portal pages
provided in the user guide did not work correctly.
CSCum29186
With Account Creation Time Zone Change Not Reflecting New Updated Allowed
Time
This fix addresses an issue where changing the time zone during Guest account
creation was not reflected with the newly updated allowed time to login.
CSCum54099
ISE Does Not Send Sponsor-related syslog Message to External syslog Server
This fix addresses an issue where ISE did not send messages like 86008 or 86006 to
the external syslog server. It only sent the 86028 messages.
CSCum69410
ISE 1.2 CWA with DRW Included Doesn't Register Endpoint
This fix addresses an issue where the endpoint DB didn’t indicate that an endpoint
was registered after a CWA user entered their MAC address on the Guest Device
Registration screen.
CSCum85930
ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect
This fix addresses an issue where custom CWA portal may not have loaded images
or CSS as expected.
CSCum88817
ISE 1.2 Logs Filled with Unnecessary License Validity Info
This fix addresses an issue where ISE was logging license checks in INFO mode,
which caused massive output in the log files.
CSCum96035
This fix addresses an issue that occurred when a user typed in a password that
violated the password policy on the default custom portal password-change page and
the page refreshed instead of displaying an error message.
CSCun15601
Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail
This fix addresses an issue where the message “This is an invalid text message
template. Contact your system administrator for assistance.” was shown while
sending Guest account through Mail/SMS if the sponsor is CC’ed.
CSCun36594
ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV
This fix addresses an issue that occurred after importing endpoints from a CSV file
where the “Endpoint Identity Group” was changed from the one specified in the file
to Profiled.
CSCun41732
Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate
is Present
This fix addresses an issue where Cisco ISE could not load the complete Trusted
certificate list when a corrupted certificate was present in the list.
CSCun51094
Bulk Import of Guests by Sponsor Falls in Wrong Guest Role
This fix addresses an issue where imported guest users always get the role of default
Guest during a bulk import from the Sponsor portal.
CSCun67719
Guest Portal: Error Message When Password Expired Confusing
The Cisco ISE Guest portal provides a generic error for events such as guest user
account expired and gives no information on the cause of the issue.
CSCun68637
SNMP Query Fails to Complete during NMAP-triggered Probe
This fix addresses an issue where an SNMP query failed to execute when it was
triggered by an NMAP probe.
CSCun93673
ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter
This fix addresses an issue where exporting endpoints results in an empty file if you
search using lower case letters.
CSCun97606
ISE Roaming Authentication Failing
This fix addresses an issue that occurred when attributes about endpoints differed
from one PSN to another when using multiple PSNs for profiling or authentication.
CSCuo32987
Endpoint Register Broken
This fix addresses an issue where attempts at ERS API endpoint register end in
HTTP 500 Internal Server Error.
CSCuo34449
ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent
This fix addresses an issue where a client application that initiated HTTP using
User-Agent was not recognized by ISE, and triggered ISE to clear that session and
send a Radius CoA Terminate command to NAD.
CSCuo56780
ISE RADIUS Service Denial of Service Vulnerability
This fix addresses an issue where the RADIUS service may become unresponsive
when receiving accounting packets from two different Network Access Servers
(NASs).
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4/3.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE-2014-3276 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3276
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCuo63892
CIAM: ISE-commons-fileupload-1-0
This fix addresses third-party software vulnerabilities.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as
of the time of evaluation are 7.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from
multiple sources. This includes the CVSS score assigned by the third-party vendor
when available. The CVSS score assigned may not reflect the actual impact on the
Cisco Product.
CVE ID CVE-2014-0050 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCuo73070
ISE 1.2 GUI Elements Missing Due to No Advanced License
CSCuo76078
This fix addresses an issue where the error “No valid system license exists” appeared
for the sponsor portal and guest portal after the installation of a Cisco ISE Patch.
Cisco ISE, Release 1.2.0.899 Patch Updates
The following patch releases apply to Cisco ISE release 1.2.0:
• Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12
• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12
• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 11
• Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10
• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10
• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 9
• Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 8
• Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8
• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8
• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 7
• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 6
• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 5
• Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 4
• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 4
• Support for Windows 8.1 and Mac OS X 10.9 in Cisco ISE Version 1.2.0.899—Cumulative Patch 3
• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 3
• New Features in Cisco ISE Version 1.2.0.899—Cumulative Patch 2
• Support for Apple iOS 7 in Cisco ISE Version 1.2.0.899—Cumulative Patch 2
• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 2
• Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 1
Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12
Table 9 lists the open issues in Cisco ISE 1.2.0 Patch 12 that may be resolved in other releases.
Table 9  Cisco ISE Patch Version 1.2.0.899-Patch 12 Open Caveats
Caveat  Description
CSCty46687
The Cisco Identity Services Engine (ISE) is affected by a cross-site scripting (XSS)
vulnerability.
CSCty46691
The Cisco Identity Services Engine (ISE) is vulnerable to SQL injection.
CSCty60811
Clients are not redirected to the Posture Remediation page to download the NAC
agent.
CSCtz29311
SecPAP promotion is slow with FCS 1.1(alpha data) to 1.1.1.183 upgrades.
CSCtz99443
Node replication status in the deployment page always shows 'IN-PROGRESS'
message to the Secondary nodes that are deployed over WAN.
CSCua10173
Changing or disabling alert rules or criteria triggers HTTP Status 400 - Request not
processed message.
CSCub19047
Characters such as Hyphen (-) and dot (.) are not supported as part of the VLAN
ID\Name.
CSCub35768
ISE Upgrade from 1.0 to 1.1 failed because data access permission to the user is
denied.
CSCub64247
Cisco Application Deployment Engine (ADE) OS does not accept users with
passwords containing front slash.
CSCub87687
Language templates in the guest portal sets a limit of 4000 characters.
CSCub99130
Corruption of database results in the loss of ISE certificates and keys.
CSCuc26772
Network devices are not displayed in the navigation pane when the Network Device
Group is selected.
CSCud20339
Onboarding a device using single/dual SSID with Transport Layer Security (TLS)
profiles fails.
CSCud46215
Detailed authentication failure message is not displayed for sponsor user group.
CSCud52161
Active Directory (AD) operation failure because of an unspecified error in ISE.
CSCud79538
ISE fails with two active certificates.
CSCud86135
During initialization failure ISE sends wrong alarms.
CSCud92384
Incorrect error messages displayed when ISE application server is down.
CSCue14481
“Internal error” message displayed when the number of guest user accounts created
is 100,000.
CSCue23875
The monitoring database stops adding new entries for operating system strings that
exceed the maximum value of 100 characters.
CSCue27949
The reset-passwd command does not allow the usage of special characters.
CSCue30432
Launch program remediation does not allow the usage of double quotes.
CSCue33447
Editing authorization profile by adding static Internet Protocol (IP) address or host
name changes the redirect back to 'Default' and the 'Value' is empty.
CSCue46758
Identity Services Engine (ISE): 86107-Session cache entry missing during guest
authentication.
CSCuf33854
Nessus 53491 - Secure Sockets Layer (SSL)/ Transport Layer Security (TLS)
renegotiation DoS OpenSSL reported medium vulnerabilities.
CSCuf60933
Slow GUI with large Cisco Telepresence System (CTS) Egress Matrix.
CSCuf84159
Identity Services Engine (ISE) admin access does not work with External RSA
authentication.
CSCug20348
Machine authentication with Active Directory (AD) fails with MNT error “24485
Machine authentication against Active Directory has failed because of wrong
password” and does not reflect the issue.
CSCug27409
Import of comma-separated value (CSV) file for Network Devices failed in ISE
1.1.3.
CSCug34679
Identity Services Engine (ISE) drops keep alive authentications coming from
wireless LAN controller (WLC) marking ISE as dead.
CSCug51137
User authentication over 3 days failed with Uncaught exception.
CSCug51530
Failed to send message: Socket closed, MsgType: 901.
CSCug90087
Database lock not removed after execution of reset monitoring database command.
CSCuh23877
“Identity Store Unavailable” alarm not getting triggered after authentication failed.
CSCuh41473
Active Directory (AD) group not saved as external admin group if containing a "!"
character.
CSCuh47459
Connection error on Backup and Restore page after successful restore and backup.
CSCuh50486
Identity Services Engine (ISE) validates only if Domain Name Server (DNS) entry
for the host exists, but not for Internet Protocol (IP) address.
CSCuh54734
Acknowledgment of alarms does not work when the instances are over 1000
occurrences.
CSCuh57033
Error message not displayed to mobile users in Central WebAuth (cwa) with invalid
credentials.
CSCuh79430
Machine Access Restriction (MAR) Cache on Access Control Server (ACS) not
corrected when Machine removed from Active Directory (AD).
CSCuh79607
Identity Services Engine (ISE) Active Directory (AD) group matching fails due to
forward slash in AD group name.
CSCuh86591
Identity Services Engine (ISE) Simple Network Management Protocol (SNMP)
profiling failed when connected to 48 ports stacked under 24 ports switch master.
CSCuh87451
Browser redirected to the guest portal when declining acceptable use policy (AUP)
through a Device Registration Web Authentication (DRW).
CSCuh89530
404 Error on MnT GUI and wrong persona in deployment page after customer
database restore.
CSCuh96440
Could not determine prior Cisco Agent Installation on Windows or MAC OS X
machines in pre-posture state.
CSCui01605
Admin cannot duplicate and save policy-set if existing policy set has user defined
simple condition.
CSCui09203
Identity Services Engine (ISE) fails on an accounting message with a long class
string.
CSCui15711
Internal error encountered while creating guest user with a time profile that was
deleted and recreated with the same name.
CSCui16843
Operational backup or restore failed when primary monitoring node is not reachable
due to power down or inner shut down.
CSCui25164
Identity Services Engine (ISE) sponsors cannot view accounts that they created after
change of group.
CSCui48401
Spaces in email when creating user in sponsor portal caused error in Identity
Services Engine (ISE).
CSCui53920
Identity Services Engine (ISE) 1.2 dashboard metric % posture compliance is
wrongly calculated for posture status other than “Compliant” or “Not Applicable”.
CSCui63474
Dynamic Host Configuration Protocol (DHCP) Switched Port Analyzer (SPAN) not
starting unless Internet Protocol (IP) is assigned to the interface.
CSCui65057
Current iso-to-usb.sh script does not set the proper path for syslinux when used on
CentOS 6.4.
CSCui65835
Devices in the network device list are not visible when customer logs in to the
Web GUI with Active Directory (AD) credentials.
CSCui72087
Default access restrictions not securely enforced on several pages existing within the
Inbox, Alarms, and Schedule pages.
CSCui82602
Guest Cache Issues for Identity Groups.
CSCui82615
Guest account cache issues for time profiles set by the sponsor.
CSCuj19173
MemberOf attribute fails with regular expression if the group belongs to an
Organizational Unit (OU) in Active Directory (AD).
CSCuj20969
Network Device Session status report fails for a switch with message “SNMP
information is not configured for this device in ISE.”
CSCuj30442
ISE Application Deployment Engine (ADE) does not allow the deletion of certain
files from local repository.
CSCuj30585
ISE Client Provisioning Portal (CPP) allows MAC configuration for WebAgent.
CSCuj42566
ISE guest reporting does not identify the sponsor who effects changes to a guest
account.
CSCuj58037
iPEP ISE 1.2 in routed mode does not use service Internet Protocol (IP) for RADIUS
packets.
CSCuj61976
Admin Graphical User Interface (GUI) fails to display certain GUI pages when using
Firefox 25.
CSCuj63421
Creating ISE shared reports via interactive viewer is broken.
CSCuj64008
Profiler feed service policy for Amazon Kindle Fire tablet to be devised.
CSCuj68540
Monitoring (MnT) schema upgrade script is logging INFO messages as ERROR and
WARNING.
CSCuj71399
Performing backup through the GUI or CLI throws “A backup or restore is already
in progress” error.
CSCuj71819
Accented characters in guest username displayed in HEX format in ISE GUI.
CSCuj76383
Admin user receives two email notifications for password expiry.
CSCuj88351
Loading a corrupted Certificate Authority (CA) certificate on startup causes config
rollback with related problems.
CSCuj99801
External RESTful Services (ERS) error codes are not consistent for the same action
pertaining to different categories.
CSCuj99912
ISE 1.2 External RESTful Services (ERS) filter by name for Security Group Tag
(SGT) category fails.
CSCul00148
Start and end time profiles display according to ISE timezone instead of Guest
timezone.
CSCul00743
The Operation > Authentication page is blank for invalid characters in username.
CSCul00985
Ubuntu laptop users without posture checks are redirected to the Client Provisioning
Portal (CPP) page after Centralized Web Authentication (CWA).
CSCul02830
Active Directory (AD) test connection fails for domain\user-ID.
CSCul05429
Authorization rule does not match CVPN3000/ASA/PIX7x-Tunnel-Group-Name.
CSCul05764
Incorrect references when Certificate Authority (CA) ID Store Name is changed.
CSCul08673
Export of custom report for a date range failed.
CSCul30358
Active Base license count exceeds the allowed license count.
CSCul37463
Scheduled backup does not work on upgrading from previous version to 1.2.
CSCul45573
Network Access Device (NAD) config does not accept % in RADIUS shared
secret/SNMP community string.
CSCul47387
Character limit should be increased for policy rule name.
CSCul53156
Device Registration page is blank when used with AddTrust certificates.
CSCul56940
Endpoint profiling is incorrect when two Cisco or Linksys routers are connected to
a Multi-Domain Authentication (MDA) port.
CSCul65329
ADclient cache is not cleared via the application configure ise command.
CSCul82600
Unable to delete custom attribute even after deleting the linked authentication
policy.
CSCul86934
On executing the reset-config command, ISE Secure Shell (SSH) sessions are
allowed only from allowed Internet Protocol (IP) access subnets.
CSCul88799
Cisco Integrated Management Controller (CIMC) KVM console displays “Out of
Range” against a green background, on entering the “terminal length X” command.
CSCul92356
Devices registered by Guest users fall into the Unknown group.
CSCul94611
ISE Dashboard fails to display live consolidated and correlated statistical data.
CSCul94858
Certificate Revocation List (CRL) retrieval does not use globally configured proxy
server.
CSCul95195
Custom Supplicant Provisioning Wizard (SPW) for Telstra RADIUS proxy with
differentUserName and nonBroadCast options unchecked.
CSCul96935
An hour difference between Graphical User Interface (GUI) and Command Line
Interface (CLI) during daylight savings time.
CSCum05014
ISE does not display endpoint profiling policies in the Graphical User Interface
(GUI).
CSCum41336
ISE reports fail on Network Control System (NCS) platform cross launch.
CSCum41378
Static profile assignments to an endpoint Identity group for some devices are
removed resulting in device reprofiling.
CSCum46269
Active endpoints count on the dashboard does not match the actual active endpoints,
when there is a surge of endpoints.
CSCum48676
ISE 1.2 does not display information in the System Summary Applet on the
dashboard if the Logging Category is set to a severity level other than INFO.
CSCum49249
External RESTful Services (ERS) Application Programming Interface (API) does
not list all endpoints as specified in the Software Development Kit (SDK) guide.
CSCum53319
Diagnostics for failure to download the Certificate Revocation List (CRL) should be
precise.
CSCum58581
MAC OSX 10.9 device is not redirected to the Bring Your Own Device (BYOD) flow
when using the guest device registration page.
CSCum60924
Extensible Authentication Protocol (EAP) chaining mode does not allow more than
one value for the EapAuthentication attribute.
CSCum68149
The Live Authentication Report page does not display the accurate currenttime and
currentdate attributes.
CSCum69229
Create Random Accounts setting using Google Chrome does not display the desired
results.
CSCum70441
Incorrect value is displayed for the GET request sent to find the total internal users
in ISE External RESTful Services (ERS) Application Programming Interface (API).
CSCum72386
Endpoints delete all confirmation messages when “No” button is deactivated.
CSCum73765
Profiling with SNMP v3 Query fails when triggered by SNMP trap/RADIUS
Accounting probe.
CSCum86183
Notifications for license expiry alarm are received from deregistered nodes.
CSCum86331
ISE does not allow comma in Organizational unit name (OU) or Organization name
(O) fields when creating a Certificate Signing Request (CSR).
CSCum95069
Inline Posture Node (IPN) sends only username for authorization when Extensible
Authentication Protocol (EAP) chaining is configured.
CSCun00882
ISE does not create logs of erroneous usernames in the sponsored guest portal.
CSCun21197
In a simple authentication condition, if the operator “Ends with” or “Not ends with”
is used, it is not saved properly.
CSCun23340
Randomly created guest users are not displayed in Firefox.
CSCun23357
Uploaded guest users are not displayed in Firefox.
CSCun25832
Unable to activate expired guest accounts.
CSCun28218
ISE: Java Memory Leak outside of Heap space.
CSCun31175
Registered endpoint report does not include manually added devices.
CSCun33755
Unable to create the required number of Guest accounts from the sponsor portal.
CSCun33774
The status of a new guest user account that is created in the sponsor portal is Active
instead of Awaiting Initial Login.
CSCun42967
ISE 1.2: The SNMP process stops randomly.
CSCun45607
ISE incorrectly authenticates users based on the authorization PAC file.
CSCun46242
Deletion of the Thawte Primary Root CA from ISE results in failure of provisioning
and posture updates.
CSCun48940
ISE RADIUS authentication over Gig1 stops if Gig0 is down.
CSCun53951
ISE presents self-signed certificate instead of CA-signed certificate.
CSCun57304
The KRON command is not working for backup logs.
CSCun59740
ISE 1.2: Only 5000 entries are displayed when viewing Guest Live reports.
CSCun81620
Editing a guest condition in PAN applies the same changes to the previously
condition.
CSCun89615
ISE duplicate attributes cause failure to locate network devices.
CSCun89771
Running ISE reports for 30 days generates only up to 100 pages.
CSCun92193
In Certificate Authentication Profile (CAP), ISE selects incorrect information from
the SAN field for multiple entries.
CSCun94882
ISE 1.2: Change of Network Device Group name does not reflect in CSV export.
CSCun95554
The monitoring node stops logging for email notification configured on ISE.
CSCun96746
ISE self registering guest users do not inherit specified time profile.
CSCun97251
ISE 1.1.4: Cannot find machine with DNS suffix which does not exist on the Domain
Controller Group List.
CSCun98217
Cross-Domain referer leakage in Admin portal.
CSCuo00404
ISE 1.2: ACL syntax checker is incorrect.
CSCuo05180
Cannot authorize external certificate authenticated users by using the device's
identity group as an “other condition”.
CSCuo05345
Cannot match an Authorization policy rule configured with an “other condition” of
IdentityGroup:Name.
CSCuo14398
ISE 1.2: ISE disregards the current password policy when editing an internal user.
CSCuo14953
ISE: MobileIron MDM test connection passes but Save fails.
CSCuo16506
Internal users cannot change their password in the guest portal.
CSCuo19521
Repository in the WebGUI with special characters fails.
CSCuo24274
SNMP should run in all interfaces not only in Gig0.
CSCuo24384
ISE: Guest:Mobile Portal in Custom portals does not follow browser local language.
CSCuo39832
ISE takes IP address from same subnet and has incorrect ARP entries.
CSCuo41482
GUI admin Active Directory (AD) login fails with HTTP error 500.
CSCuo41713
Identity Services Engine (ISE) 1.2: Installation of patch 5 in distributed deployment
caused first time login users to go active.
CSCuo54987
Identity Services Engine (ISE) does not drop Radius packet if value is too large for
database.
CSCuo58786
Authentication, authorization, and accounting (AAA) services not available during
purging of guest users.
CSCuo60767
Identity Services Engine (ISE) UTF-8 character encoding displayed garbage
characters on screen for profiler attribute.
CSCuo62245
Failed to purge data from the operations database.
CSCuo63358
Incorrect success message being displayed, when provisioning Apple iOS Device
through supplicant portal in Bring Your Own Device (BYOD) SSID.
CSCuo64251
Unable to manage ISE AD user device as it does not show up in “My Devices”
portal.
CSCuo66847
When a user edits a saved scheduled report, it ceases to exist.
CSCuo67423
Reconfiguring the IP address of an iPEP node with the service IP that was previously
used results in missing tabs in high availability configuration.
CSCuo68012
ISE services fail to start when time zone is set to Asia/Riyadh89.
CSCuo78051
A custom portal setting is saved but the configured setting fails to reflect in the GUI.
CSCuo78457
An SNMP probe that is configured to match a profile using the “CONTAINS”
operator fails.
CSCuo78949
Changing the password policy in the GUI of Primary PAP server does not change the
password policy in the iPEP server.
CSCuo79012
Unable to support SNMP triggered queries with NAD using iOS version with
deprecated STACK-MIB.
CSCuo80929
A “value too large” error message is displayed for guest usernames with special
characters.
CSCuo93398
Unable to integrate the Active Directory (AD) with ISE using the admin GUI.
CSCuo94313
Unable to pull Lightweight Directory Access Protocol (LDAP) groups for
admin/service accounts containing the “+” sign in the password.
CSCuo95635
Change of Endpoint Device Group name appears correctly in the Identity Group
Assignment option but fails in the Identity Group.
CSCuo95660
Endpoints exported to comma-separated values (CSV) file displays an incorrect
endpoint device group name.
CSCuo97007
Failed to start database during initial setup for Identity Services Engine (ISE).
CSCuo99160
Identity Services Engine (ISE) 1.2: Failed registration and GUI error thrown when
Policy Service Node (PSN) failed to ping Primary Administration Node (PAN)
during registration.
CSCup03116
Identity Services Engine (ISE) 1.2: Editing NDG does not update AuthC/AuthZ
conditions.
CSCup05013
Identity Services Engine (ISE) 1.2: p8 IOS-XE switch profiled as unknown
endpoint.
CSCup08017
Accidental Ctrl + C should not break Restore/Upgrade during important operations.
CSCup15453
Identity Services Engine (ISE) Guest Sponsor Mapping Report causes CPU on
primary MnT node to increase dramatically.
CSCup16700
Reset password does not check for valid user before asking for new password.
CSCup17245
“Value out of range” error displayed when editing a guest account.
CSCup20844
Identity Services Engine (ISE) NAC agent does not popup if machine and user
authentication is connected to switch sw: 15.2(1)E.
CSCup22534
Multiple vulnerabilities in OpenSSL/CiscoSSL released during June 2014.
CSCup27305
Identity Services Engine (ISE) 1.2: DACL Validator does not enforce source must
be “any”.
CSCup32455
Identity Services Engine (ISE) 1.2: Password for admin user detected in clear text in
the file support\dbexport\ise-dbimport.sh.
CSCup38457
Importing guest account using comma-separated value (CSV) failed through
sponsor portal.
CSCup42129
Swiss/posture INFO logs filling ise-psc.log and not moving to DEBUG level.
CSCup45530
Identity Services Engine (ISE) External RESTful Services (ERS): Cannot modify
staticProfileAssignment field without specifying the endpoint's current profileId.
CSCup45594
Identity Services Engine (ISE): External RADIUS server is not persistent after
failover.
CSCup47501
Identity Services Engine (ISE) 1.2.1: Inline Posture Enforcement (iPEP) node
interface driver booting out of order with no response when cable remains plugged
into interface Gig Etho.
CSCup47873
Identity Services Engine (ISE) upgrade failed due to LOB corruption.
CSCup55211
Identity Services Engine (ISE) 1.2: Mobile Device Management (MDM) input
Validation with % in password cannot login.
CSCup57288
Bring Your Own Device (BYOD) DUAL SSID with native supplicant provisioning
results in a second entry in the live authentication log.
CSCup57871
ERS cannot filter by username, if it is a number.
CSCup60155
Guest users are deleted when upgrading or restoring a backup from ISE 1.1.x to ISE
1.2.1.
CSCup64698
On IPN ISE 1.2, latency is caused by the HDPARM process every 10 minutes.
CSCup67195
While upgrading from ISE 1.2 to ISE 1.2.1, upgrade failure occurs in Step 3 due to
invalid certificate.
CSCup69753
After deleting a profile in Simple Certificate Enrollment Protocol (SCEP), an error
message is displayed when the associated Registration Authority (RA) certificate is
removed.
CSCup69985
ISE VM on which DB is restored is not accessible via SSH and GUI. Only ping and
console are available.
CSCup72664
In ISE 1.2, the guest account time profile is reset to one day.
CSCup80194
ISE deletes VLAN to SGT mappings while deploying IP-to-SGT mapping.
CSCup88564
Use a different name for a newly created time profile.
When the old time profile is deleted, you cannot reuse the same time profile name
for a newly created time profile.
CSCup89812
Upgrade from ISE 1.1.2 to ISE 1.2 fails because of posture rules.
CSCuq11966
Multi-nested custom profiles cannot be created.
CSCuq14441
Replication fails on deployment when custom portal is deleted.
CSCuq17787
ISE crashes when the value of Type Field Length is set to 2.
CSCuq22514
In ISE 1.2, when the authorization and authentication policies are set to Monitor
Only mode, the details of the policy names are not displayed.
CSCuq22636
ISE does not ask for LLDP attributes for triggered RADIUS or SNMP traps.
CSCuq24719
When upgrading to ISE 1.2 Patch 9, account start time is not updated in Sponsor
portal.
CSCuq32696
ISE Policy Service Node (PSN) removes proxy-state attributes from Inline Posture
Node (IPN/IPEP).
CSCuq35206
In ISE 1.2, the shutdown command is present in the running configuration of the
interface while the interface is operational.
CSCuq35663
Attribute retrieval for a user fails when AD sends back photo thumbnail.
CSCuq39743
Import guest users on ISE using sponsor bypass mandatory fields.
CSCuq40153
Quick filter option does not work when it is used to search endpoint profiles using a
MAC address.
CSCuq43889
IP address learned from SNMP query should trigger DNS probe.
CSCuq45219
Renewing Ticket Granting Ticket (TGT) fails if there are Read Only (RO) domain
controllers.
CSCuq48588
Replace cross-signed thawte Primary Root CA with its normal version.
CSCuq52277
Error occurs when there are too many node entries in Subject Alternative Name
(SAN) field in CA certificate.
CSCuq53846
A user logging in with an expired guest account is redirected to the default Cisco
branded portal without displaying an error message.
CSCuq64817
DB import fails in ISE 1.2.
CSCuq83249
After upgrade from ISE 1.2 Patch 8 to ISE 1.2.1 Patch 1, guest user authentication
fails if they login after the time profile validity time.
CSCuq85679
Change of Authorization (CoA) is not sent from ISE to Wireless LAN Controller
(WLC) for guest users.
CSCuq85955
For an LWA deployment, ISE sends CoA disconnect with empty session ID.
CSCuq86420
Triggered SNMP Query via Radius traps not working.
CSCuq90710
Posture policies are not listed after creation.
CSCuq92558
PSNs move to Replication Stopped state when the application server does not start
normally.
CSCuq92574
In ISE 1.2.1, Bring Your Own Device (BYOD) profile installation fails.
CSCuq93969
Authorization profile using CWA returns to default when static host is used.
CSCuq95245
ISE 1.2, CoA fails when guest credentials are suspended in the Sponsor portal.
CSCuq96971
In ISE 1.2.1, Framed-Pool attribute is not available in the authorization profile.
CSCuq97996
MyDevices portal does not display MAC addresses added by the AD user.
CSCur00110
Sponsor login fails when child user group is added as a guest in the sponsor group.
CSCur03113
Local Web Authentication (LWA) language template is corrupted after upgrading to
ISE 1.2.1.
CSCur07303
ISE GUI 1.x (except ISE 1.3) does not allow importing more than 100 custom portals.
CSCur09231
In ISE 1.2.1, if a sponsor account is configured to use Account Start Date, the
sponsor creates an account even after that date.
CSCur09439
SCEP EAP-TLS flow on OS X 10.9.5 fails to install the profile or provision
certificate.
CSCur11055
When running ISE 1.2.1, MNT Livelog does not display logs.
CSCur11083
MNT Livelog displays incorrect user details.
CSCur12480
In ISE 1.2.1 guest flow, redirection to the guest portal via PlayStation 3 browser
fails.
CSCur19320
Sponsor users who are not granted privileges are able to view and edit guest accounts
using the search criteria.
CSCur36291
Delay in BYOD Success Message
In Mac OS X 10.10, there is a delay in the CoA after SPW and hence when the users
click the Exit button, they do not get access.
Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12
Table 10 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899
cumulative patch 12. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log
into the Cisco Download Software site at
http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide
your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity
Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your
local machine. Starting from Release 1.2.0 patch 12, Cisco ISE supports MAC OSX Yosemite release
10.10.
Patch 12 will not work with older versions of SPW and users need to upgrade their SPW.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to
your system.
Table 10
Cisco ISE Patch Version 1.2.0.899-Patch 12 Resolved Caveats
Caveat
Description
CSCul43926
Difficulty in reading the catalina.log.
This fix addresses an issue in the Operations > Troubleshoot > Download Logs >
Appliance node list page. When the Debug Logs tab was selected for the required
node, the catalina.log file displayed the “work_pending_i: Interrupted system call”
message.
CSCum05562
Change of authorization (CoA) failed with Policy Sets.
This fix addresses an issue in the Administration > System > Settings > Policy Sets
page. The CoA associated with an endpoint profiling policy was not enabled when
using policy sets.
Workaround Disable policy sets or enable change of authorization (CoA) from
monitoring node using fast reauthentication on switch.
CSCum94858
Guest Sponsor Mapping report truncates the username.
This fix addresses an issue in the Operations > Authentications > Reports >
Endpoints and Users page. The Guest Sponsor Mapping report displayed the domain
name but truncated the user name that appears after the ‘\’ character.
CSCun04863
ISE sent alarms for expired advanced evaluation licenses.
This fix addresses an issue where ISE sent alarms for expired advanced evaluation
licenses although no advanced features were used.
Workaround Disable license alarms.
CSCun49379
Error in the custom Device Registration page redirects to the Login page.
This fix addresses an issue in the Device Registration page. Instead of the
ERROR_PAGE, guest users were redirected or mapped to the
CUSTOM_LOGIN_PAGE when a wrong MAC address was encountered.
CSCun66269
Data access permissions for role-based access control (RBAC) do not work for
Locations selection.
This fix addresses an issue when you create a custom group of users with a set of
Data and Menu access RBAC permissions. The data access criteria selected for the
Location access does not work with multiple rules set in the same hierarchy of
network device groups.
Workaround Create rules only for the low-level network device groups.
CSCuo23637
ISE Role-Based Access Control (RBAC) policy failed to control the defined access
policies.
This fix addresses an issue in the Administration > Identity Management >
Identities > Users page. The access policies that were defined for a particular admin
group were displayed for all User Identity Groups.
CSCup20586
Mix-up in the Extensible Authentication Protocol (EAP) and MAC Authentication
Bypass (MAB) attributes for the same endpoint.
This fix addresses an issue when there are simultaneous EAP and MAB authentication
requests for the same endpoint with the same audit session ID. The two
authentications share the same entry in the session cache and create a mix-up of
attributes.
CSCup62622
Default Sponsor Portal Fully Qualified Domain Name (FQDN) setting is changed to
the FQDN of the Policy Service Node (PSN).
This fix addresses an issue in the Administration > Web Portal Management >
Settings > General > Ports > Portal FQDNs page. If the user changed the “Default
Sponsor Portal FQDN” setting on the admin GUI, services were restarted on the
PSN. On accessing the admin GUI of the PSN via a URL, the user was redirected
to the sponsor portal.
Workaround Contact the Cisco Technical Assistance Center (TAC).
CSCup74180
Conditions defined for a Sponsor Group failed.
This fix addresses an issue in the Administration > Web Portal Management >
Sponsor Groups page. The Authorization Levels, Guest Roles, and Time Profiles set
for a particular sponsor group failed.
CSCup80994
ISE Policy Service Node (PSN) crashes due to network access device (NAD)
missing shared secret.
This fix addresses an issue when ISE app-svr crashed and Java core dump reported
failure while trying to obtain the NAD IP address with missing shared secret
configuration in ISE. Specifically, this occurred during dynamic authorization.
Although the wireless LAN controller (WLC) was configured in ISE without a
shared secret, it continued to send the accounting information to ISE.
Workaround Remove NAD from ISE or reconfigure shared secret.
CSCup82816
Certificate is not issued for MAC OS X with wired and wireless in Native Supplicant
Provisioning (NSP).
CSCup96791
ISE 1.2 patch 9 breaks dashboard with Internet Explorer 9.
This fix addresses an issue with security enhancements to Internet Explorer 9
browser cache, which results in an empty ISE Dashboard.
Workaround
• Use an alternative browser.
• In Internet Explorer, navigate to Tools > Internet Options > Advanced. Scroll
down and select the Do not save encrypted pages to disk option under Security
and click Apply and OK.
• Under the General tab, select Delete browsing history on exit option and click
Apply and OK.
CSCup97085
Data unavailable for authentication details.
This fix addresses an issue in the Operations > Authentications page. When the ISE
admin user clicks the Details column for any event, an error stating “No Data
Available for this record. Either the data is purged or authentication for this session
record happened a week ago” was encountered.
CSCup97097
Export Results report for total endpoints is inaccurate.
This fix addresses an issue in the Home > Total Endpoints > Export Results page.
The report failed to export all endpoints that were authenticated or profiled by ISE.
Instead, the report displayed empty rows with the exception of the
ENDPOINTPOLICY field.
CSCup97125
ISE GUI crashes with HTTPS certificates without Enhanced Key Usage (EKU).
This fix addresses an issue when HTTPS was enabled by operations such as binding,
importing, or editing certificates. If the certificates did not support Enhanced Key
Usage (EKU) of ClientAuth, an error was reported. An error was also encountered
by the Policy Administration Node (PAP).
CSCuq05237
Change in the Network Access Users status failed to reflect in the Reports.
This fix addresses an issue in the Operations > Reports > Deployment Status >
Change Configuration Audit page. When the status of a network access user was
either enabled or disabled, in the Administration > Identity Management > Identities
> Users page, it failed to reflect the change in the Change Configuration Audit page.
CSCuq07723
The Bring Your Own Device (BYOD) success page and Retry button do not display.
This fix addresses an issue with MAC OS X and Windows OS when it failed to
display the BYOD success page for a successful authentication. Also, it failed to
display the Retry button when a user’s authentication failed.
CSCuq19789
ISE fails to match Radius:service-type EQUALS authorize-only.
This fix addresses an issue in an Inline Posture Node (IPN/IPEP) deployment. VPN
users were not permitted to pass traffic after a successful VPN connection. This was
encountered when the authorization policy of an IPEP node included a RADIUS
server attribute.
Workaround Use the same authorization policy for IPEP and the standard
authorization profile.
CSCuq29015
MAC agent does not support MAC OS X Yosemite version 10.10.
This fix addresses an issue where the MAC Agent failed to support MAC OS X
Yosemite version 10.10.
CSCuq59006
Unable to install MAC SPW 1.0.0.26 in Wired MAC OS X version 10.7/8/9.
This fix addresses an issue when the Network Setup Assistant failed to install MAC
SPW 1.0.0.26 in Wired MAC OS X and displayed the Secure access configuration
failed message.
CSCuq74929
ISE 1.2 External Groups does not validate input properly.
This fix addresses an issue in the Policy > Policy Elements > Conditions >
Authorization > Compound Conditions page. An attribute that was selected from the
Dictionaries list was truncated and appended with an ellipsis.
CSCuq75823
MAC Agent fails to validate server certificates in MAC 10.10.
This fix addresses an issue when a MAC endpoint device on the network was denied
access and an SSL certificate error was displayed.
Workaround Created an intermediate MAC agent build 4.9.5.2 to bypass the ISE
server certificate validation for MAC 10.10 users.
CSCuq81835
ISE base/advanced license counts remain at the default value zero.
This fix addresses an issue where the base and advanced licenses count did not match
the number of active endpoints that were displayed in the dashboard and monitoring
reports.
Workaround Contact the Cisco Technical Assistance Center (TAC).
CSCuq87920
MAC Agent provisioning is not supported in MAC 10.10.
This fix addresses an issue when the MAC Agent 4.9.5.2 did not get installed in
MAC 10.10 using Safari.
CSCur00532
ISE evaluation for CVE-2014-6271 and CVE-2014-7169 (AKA ShellShock).
This fix addresses an issue in ISE nodes that are SSH enabled. If SSH is enabled, a
remote user with ISE CLI credentials will be able to exploit the vulnerability and run
generic Linux commands.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from
multiple sources. This includes the CVSS score assigned by the third-party vendor
when available. The CVSS score assigned may not reflect the actual impact on the
Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Workaround Disable SSH and reload ISE node as follows:
ise1/admin# configure terminal
ise1/admin(config)# no service sshd enable
ise1/admin(config)# end
ise1/admin# reload
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Continue with reboot? [y/n] y
CSCur09439
ISE OS X 10.9.5 Simple Certificate Enrollment Protocol (SCEP) Extensible
Authentication Protocol-Transport Layer Security (EAP-TLS) flow fails.
This fix addresses an issue where SCEP EAP-TLS flow fails to install the profile or
provision certificate.
CSCur17597
Users of some Identity Groups are not displayed.
This fix addresses an issue in the Operations > Authentications page. Users
belonging to Identity Groups containing an underscore character were not displayed.
Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 11
Table 11 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899
cumulative patch 11.
Patch 11 will not work with older versions of SPW and users need to upgrade their SPW.
To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to
your system.
Table 11
Cisco ISE Patch Version 1.2.0.899-Patch 11 Resolved Caveats
Caveat
Description
CSCuq01548
ISE posture dropped during Change of Authorization (CoA) due to invalid HTTP
User-Agent [Trident 7.0].
This fix addresses an issue where a third-party User-Agent does not allow the
download of the NAC agent.
CSCuq02222
The Simple Network Management Protocol (SNMP) Query probe failed to discover
endpoints using periodic polling.
This fix addresses an issue where the ARP table failed to discover the MAC
addresses of endpoints that were connected to a Catalyst switch using the SNMP
Query probe.
CSCup88315
Apple iOS 8 beta failing External Web Authentication (WebAuth) with ISE.
This fix addresses an issue where Apple devices running iOS 8 beta software failed
to complete external web authentication.
CSCul28451
RADIUS Accounting Report “Account Session Time” blank.
This fix addresses an issue in the Operations > Reports > Auth Services Status >
Radius Accounting page. In the click here for Accounting detail report option for the
Stop Account Status Type, the Account Session field did not display the difference
between a session’s start and stop time.
CSCum41138
NAS IP Address showing MnT address in ISE live logs after CoA REST API.
This fix addresses an issue in the Operations > Authentications > Show Live
Authentications page. The NAS IP Address field failed to display the IP address of
the network device when Change of Authorization (CoA) was triggered via the REST
API.
CSCun74636
OSX Mavericks is profiled as Apple device based on incorrect User-Agent.
This fix addresses an issue where Cisco ISE failed to identify an OSX Mavericks device
based on the endpoint profiling policies.
CSCun00427
ISE 1.2 match operator returns true when LHS is NULL and RHS is constant.
This fix addresses an issue that occurred when there was a MATCHES operator in a
rule/policy: if the LeftHandSide of the rule/policy was returning NULL value and
the RightHandSide was CONSTANT, the operator was getting evaluated as TRUE.
The operator is now evaluated as FALSE.
CSCui08084
Guest user is not terminated on the switch when suspended via Edit Account.
This fix addresses an issue with the Guest Account created using the Sponsor Portal.
When suspending the Guest Account, the Account was suspended but the wired
session on the switch was not terminated.
CSCup79399
Cisco ISE-related reports return blank page while launching from PI.
This fix addresses an issue where all Cisco ISE reports opened from Cisco Prime
Infrastructure resulted in a “Web page not available” error.
CSCuq26320
EAP-FAST authenticated provisioning with Android doesn't work
This fix addresses an issue where EAP-FAST authentication for specific Android
versions was not working.
Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10
Table 12 lists the open issues in Cisco ISE 1.2.0 Patch 10 that may be resolved in other releases.
Table 12
Cisco ISE Patch Version 1.2.0.899-Patch 10 Open Caveats
Caveat
Description
CSCup99724
Log displaying active endpoints does not get updated with the latest authenticated
user.
In the Operations > Authentications page, a user is authenticated and the username
is updated in the Endpoints page. When a new user logs in from the same system,
the new username is not updated in the Endpoints page.
CSCuq11506
Deletion of repositories containing special characters in their passwords fails.
In the System > Maintenance > Repository page, deleting a Repository Name that
uses special characters, such as %, in the password encounters an error.
Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10
Table 13 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899
cumulative patch 10.
To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to
your system.
Table 13
Cisco ISE Patch Version 1.2.0.899-Patch 10 Resolved Caveats
Caveat
Description
CSCul21337
The Posture Troubleshooting tool was vulnerable to blind SQL injection.
This fix addresses an issue where a vulnerability in the web framework of Cisco ISE
may allow an attacker to impact the integrity by executing arbitrary SQL queries.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 6.5/5.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2014-3275 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3275
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCul39011
The Mobile Device Management (MDM) client failed to reject queries when MDM
server was not responding.
This fix addresses an issue where timeouts were caused when the MDM server was
not reachable during authorization policy evaluation.
CSCul58758
Redirected to null page in the browser after Local Web Authentication (LWA) flow
with WLC-5500 series.
This fix addresses an issue where a guest user enters the username and password in
the Guest Login page, but is not redirected to the specified URL.
CSCul86970
GUI does not display the Allow only listed IP addresses option to connect.
This fix addresses an issue in the Admin Access settings page, where the following
option was not displayed in the UI: Allow only listed IP addresses to connect.
CSCum37237
Insufficient permission error with bulk import of guest account.
This fix addresses an issue where an error message was encountered when sponsors
imported and printed guest usernames, formed from the guests' email addresses.
CSCum57372
NAS identifier does not appear in the authentication details in the web UI.
This fix addresses an issue where the Network Access Server (NAS) Identifier
information did not appear in the Authentication Details page.
CSCun28502
Sponsor, My Devices, and Guest portals do not have a defined character limit.
This fix addresses an issue in the Administration > Web Portal Management >
Settings page. The Sponsor, My Devices, and Guest portals contain the Language
Template option. The Language Template option contains a list of configurations.
The text fields in each configuration allow any one of the following character counts:
128, 512, 256, or 4000. An error message was displayed for specific fields, such as
AUP and Notifications, when the character limit was above 4000 characters.
CSCun74285
ISE safe mode did not bypass admin portal certificate authentication.
This fix addresses an issue where ISE safe mode did not bypass user certificate
authentication and did not enable local admin credentials.
CSCun74460
Incorrect Daylight Saving Time (DST) time zone offset in ISE affects remote syslog
targets.
This fix addresses an issue where the DST time zone offset was incorrect in the prrt
log.
CSCun84251
Error after application ise reset-config on 1.2.0.899 Patch 6.
This fix addresses an issue where an error was found when the application
reset-config ise command was run.
CSCun94304
ISE RSA server configuration may fail to replicate to PSNs.
This fix addresses an issue where the RSA configuration (sdconf.rec) did not load
properly and data did not replicate from the PAP node to other nodes.
CSCuo13099
ISE Sponsor, email ID used as username with space in it, throws an error.
This fix addresses an issue where the guest user email IDs with spaces encountered
an error when used in usernames.
CSCuo39442
ISE 1.2 does not validate remote log target names.
This fix addresses an issue where the Remote Logging Target names displayed in the
Administration > System > Logging > Remote Logging Targets page reported the
following error message: Name should not contain space(s) or any of the following
characters: ! % ^ : ; , [ { | } ] \ ` " = ?. The above error message was displayed even
though hyphen or period was used.
CSCuo58919
Endpoint static group assignment toggles between true or false option every 55
seconds.
This fix addresses an issue where the Static Group Assignment check box in the
Administration > Identity Management > Identities > Endpoints page toggled
between true or false value every 55 seconds.
CSCuo63448
Modifying the ISE parent profile disables child profile.
This fix addresses an issue where in the Profiling Policies page, on modifying a
parent profile, endpoints failed to reach the correct profile policy.
CSCuo75506
ISE authorization profile with Central WebAuth (CWA) and custom guest portal
does not redirect to default settings.
This fix addresses an issue where a CWA authorization profile was configured and
if the CWA authorization profile was edited again, the changes were displayed only
in the UI, but failed to reflect in the attributes.
CSCuo88571
The IP release renew operation was not performed on Mac OSX devices.
This fix addresses an issue where a user logged into the guest portal was unable to
renew the IP address after clicking Accept in the Acceptable Use Policy (AUP) page.
CSCup33018
Apple iOS 8 beta fails Native Supplicant Provisioning flow.
This fix addresses an issue where with single or dual SSIDs, Apple devices running
iOS 8 beta software failed to complete provisioning.
CSCup50216
ISE 1.2+ API update was overwritten by the profiler.
This fix addresses an issue where the ERS API failed to update existing endpoints in
static groups.
CSCup51902
Exporting active endpoints does not work from the admin node.
This fix addresses an issue where exporting active endpoints from a Cisco ISE server
Administration node did not work.
CSCup63424
Downloading software to effect release or renew of guest virtual LAN (VLAN) was
not accomplished.
This fix addresses an issue where the IP address release or renew operation in the
VLAN release or renew page, was nonfunctional when it was not the latest version
of the Java Applet.
CSCup99806
Custom data access permissions were not working as expected.
This fix addresses an issue where Custom data access permission did not work
according to the mapped RBAC policy in the Network Device page.
Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 9
Table 14 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899
cumulative patch 9.
To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to
your system.
Table 14
Cisco ISE Patch Version 1.2.0.899-Patch 9 Resolved Caveats
Caveat
Description
CSCty01787
Error in Generating XML Output for EndPointIPAddress API
This fix addresses an issue where an internal error was displayed in the XML when
calling the EndPointByIPAddress API for a given IP address appearing in the
AuthSessionList.
CSCui57100
EAP-TLS authentication fails with two sets of CRLs because CRL signature decrypt
failed
When Certificate Authority certificates are about to expire, an old and new version
of the certificate can coexist on ISE to make sure there is no downtime for users.
Both versions have their dedicated CRLs.
This fix addresses an issue where ISE was not able to match the CRLs with the
appropriate Certificate Authority certificate, which resulted in failed authentication
with the message “CRL signature decrypt failure.”
CSCuj36104
ISE does not allow CRL when the name is the same on two Certificate Authorities
This fix addresses an issue where a handshake error occurred because there were
two issuing Certificate Authorities with the same exact name and ISE did not allow
CRL checking on both certificates.
CSCul25066
ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service
This fix addresses an issue where customers upgrading to ISE 1.2 who had the
Wireless Upgrade license to add advanced license functionality to their deployment
received the following alert: “Feed Service error : The Advance License installed on
the ISE nodes have been expired.”
CSCul29344
ISE 1.2 HTML Custom Pages for Different Portals Not Working
This fix addresses an issue where the sample HTML for custom Guest Portal pages
provided in the user guide did not work correctly.
CSCum29186
With Account Creation Time Zone Change Not Reflecting New Updated Allowed
Time
This fix addresses an issue where changing the time zone during Guest account
creation was not reflected with the newly updated allowed time to login.
CSCum54099
ISE Does Not Send Sponsor-related syslog Message to External syslog Server
This fix addresses an issue where ISE did not send messages like 86008 or 86006 to
the external syslog server. It only sent the 86028 messages.
CSCum69410
ISE 1.2 CWA with DRW Included Doesn't Register Endpoint
This fix addresses an issue where the endpoint DB didn’t indicate that an endpoint
was registered after a CWA user entered their MAC address on the Guest Device
Registration screen.
CSCum85930
ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect
This fix addresses an issue where custom CWA portal may not have loaded images
or CSS as expected.
CSCum88817
ISE 1.2 Logs Filled with Unnecessary License Validity Info
This fix addresses an issue where ISE was logging license checks in INFO mode,
which caused massive output in the log files.
CSCum96035
This fix addresses an issue that occurred when a user typed in a password that
violated the password policy on the default custom portal password-change page and
the page refreshed instead of displaying an error message.
CSCun15601
Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail
This fix addresses an issue where the message “This is an invalid text message
template. Contact your system administrator for assistance.” was shown while
sending Guest account through Mail/SMS if the sponsor is CC’ed.
CSCun36594
ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV
This fix addresses an issue that occurred after importing endpoints from a CSV file
where the “Endpoint Identity Group” was changed from the one specified in the file
to Profiled.
CSCun41732
Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate
is Present
This fix addresses an issue where Cisco ISE could not load the complete Trusted
certificate list when a corrupted certificate was present in the list.
CSCun51094
Bulk Import of Guests by Sponsor Falls in Wrong Guest Role
This fix addresses an issue where imported guest users always get the role of default
Guest during a bulk import from the Sponsor portal.
CSCun67719
Guest Portal: Error Message When Password Expired Confusing
The Cisco ISE Guest portal provides a generic error for events such as guest user
account expired and gives no information on the cause of the issue.
CSCun68637
SNMP Query Fails to Complete during NMAP-triggered Probe
This fix addresses an issue where an SNMP query failed to execute when it was
triggered by an NMAP probe.
CSCun93673
ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter
This fix addresses an issue where exporting endpoints results in an empty file if you
search using lower case letters.
CSCun97606
ISE Roaming Authentication Failing
This fix addresses an issue that occurred when attributes about endpoints differed
from one PSN to another when using multiple PSNs for profiling or authentication.
CSCuo32987
Endpoint Register Broken
This fix addresses an issue where attempts at ERS API endpoint register end in
HTTP 500 Internal Server Error.
CSCuo34449
ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent
This fix addresses an issue where a client application that initiated HTTP using
User-Agent was not recognized by ISE, and triggered ISE to clear that session and
send a Radius CoA Terminate command to NAD.
CSCuo56780
ISE RADIUS Service Denial of Service Vulnerability
This fix addresses an issue where the RADIUS service may become unresponsive
when receiving accounting packets from two different Network Access Servers
(NASs).
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4/3.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE-2014-3276 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3276
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCuo63892
CIAM: ISE-commons-fileupload-1-0
This fix addresses third-party software vulnerabilities.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as
of the time of evaluation are 7.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from
multiple sources. This includes the CVSS score assigned by the third-party vendor
when available. The CVSS score assigned may not reflect the actual impact on the
Cisco Product.
CVE ID CVE-2014-0050 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCuo73070
CSCuo76078
ISE 1.2 GUI Elements Missing Due to No Advanced License
This fix addresses an issue where the error “No valid system license exists” appeared
for the sponsor portal and guest portal after the installation of a Cisco ISE 1.2 Patch.
Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 8
New Plus License
Cisco ISE, Release 1.2 Patch 8, includes the new Plus license. The Plus license provides the following
services:
• Bring Your Own Device (BYOD)
• Profiling
• Endpoint Protection Service (EPS)
• TrustSec SGT
The Advanced license provides access to the same features, as well as additional services. The Plus
license does not include Base services.
For more information, refer to the “Cisco ISE Licenses” chapter in the Cisco Identity Services Engine
User Guide, Release 1.2.
New Customize ISE 1.2 Web Portals HowTo Guide
Learn how to customize Cisco ISE 1.2.x portals using this new HowTo guide:
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-42-Customize_ISE12_Web_Portals.pdf
New Sample HTML Files for Custom ISE 1.2.x Web Portals
You can download the ISE12CustomPortalPackage-v#.zip file, which contains sample HTML files for
customizing Cisco ISE 1.2 Web portals, at
http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2
Updated Cisco ISE 1.2.x User Guide
The sample HTML code has been removed from Appendix D. Use the downloadable sample files and
the new Customize Web Portals HowTo guide for information on creating custom Cisco ISE 1.2.x Web
portals.
You can find the updated user guide at
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide.html
Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8
The following table lists the open issues in Cisco ISE 1.2.0 Patch 8 that may be resolved in other releases.
Table 15
Cisco ISE Patch Version 1.2.0.899-Patch 8 Open Caveats
Caveat
Description
CSCun49379
If you enter an invalid MAC address on the default custom device registration page,
the default login page is returned with an error message instead of the custom login
page.
CSCuo20069
Device Registration done through a custom portal does not allow user to continue
after adding MAC addresses because it is missing the Continue button.
Workaround: Use the default portal.
CSCuo27093
CSCup34046
The default custom portal is not in sync with some of the functionality of the default
portal, including:
1. The Decline button on the custom AUP page is disabled.
2. Sessions are expired in less than 2 minutes.
3. Input validation is not working on the Login, Password Change,
Self-Registration, and Device Registration Pages.
4. If you idle for a while after creating a guest on the Self Registration page, you
are taken to the default portal login page.
5. The default custom portal’s Self Registration page does not show the optional
fields set in Cisco ISE. It also does not apply the mandatory fields set in Cisco
ISE.
Example custom AUP and Guest_Success pages are not in sync for DRW flow.
Workaround: Validation cases.
Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8
Table 16 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899
cumulative patch 8.
To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to
your system.
Table 16
Cisco ISE Patch Version 1.2.0.899-Patch 8 Resolved Caveats
Caveat
Description
CSCud89273
Passed Numbers Not Appearing on Authentications Dashlet
This fix addresses an issue where the passed numbers were not appearing on the
Authentications Dashlet when there were a large number of passed authentications.
CSCuh79596
Freshly Installed Standalone ISE Server Not Logging MDM Events
This fix addresses an issue where MDM events were not being recorded by
monitoring components in freshly installed ISE 1.2 standalone deployments.
CSCuj97669
DNS Resolution Failed for CNAME:"hostname" from the ISE node "hostname"
This fix addresses an issue where the DNS name resolution failure alarm had the
wrong description or context.
CSCul10677
ISE 1.2 CWA Failure Reason 86017
This fix addresses an issue where a guest user was redirected back to guest login
page after accepting the Acceptable Use Policy. The live log showed the failed
attempt as 86017 error.
CSCul55934
ISE 1.2 Cannot Delete Guest Users Created Using Unavailable Timezone Setting
This fix addresses an issue where you could not delete guest user accounts that were
created using the old timezone settings in 1.1.x after upgrading to 1.2.
CSCum10047
Invalid Account Date When Changing Account Duration
This fix addresses an issue where you couldn’t edit the Start/End duration for
accounts on the sponsor portal.
CSCum13453
ISE SYSLOG Parsing Failure when Forwarding to Third-Party SYSLOG
This fix addresses a parsing error that occurred when trying to forward SYSLOG
messages to a 3rd party SYSLOG server.
CSCum40721
Optional Data Field Not Matching in Authorization Rules
This fix addresses an issue where the client authentication for a guest user failed to
match data in the “Optional Data Field” to the authorization rules.
CSCum62918
ISE 1.2 Sample guest portal HTML files should be improved
This fix addresses the issues with the sample Web portal examples using "static"
examples instead of variables to populate the fields.
CSCum82815
Acceptable Use Policy Page Shouldn't Be Presented if ISE Knows Session is
Expired on Login
This fix addresses an error where a user was presented with the Acceptable Use
Policy page after their session had expired, only to be told that their session expired
after accepting the AUP.
CSCum82829
Cisco-branded Expiration Page Presented on Custom Portal
This fix addresses an error where a user was redirected to the Cisco default guest
portal expiration page after their session expired instead of a custom expiration page.
CSCun60443
No Dashboard or Live Logs for Long Time After Primary MnT Failure
This fix addresses an issue where no dashboard or live logs were available for a long
time after the primary MnT failed in an ISE distributed deployment.
CSCun61928
Not All Authorization Profiles are Recognized by Runtime
This fix addresses an issue where an error message was displayed stating that ISE
could not find selected Authorization Profiles because ISE was unable to load all of
the selected profiles from the database.
CSCuo02708
ERS Port Should Not Request Client Certificate
This fix addresses an issue where ISE requested a client certificate when an HTTP
request was sent to the ERS port (9060).
CSCuo04860
Raise Alarms for EAP Session and Context Limits
This fix adds an MnT alarm when ISE reaches EAP session and context limits.
CSCuo16503
ISE 1.2 Patch 7 AD Sponsor Created Guest Users Cannot Log In
This fix addresses an issue where guest users created with a Sponsor holding their
credentials on Active Directory could not log in.
Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 7
Table 17 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899
cumulative patch 7.
To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 17
Cisco ISE Patch Version 1.2.0.899-Patch 7 Resolved Caveats
Caveat
Description
CSCtx94533
The Endpoint DeviceRegistrationStatus Attribute Always Shows “Pending”
This fix addresses an issue where devices stayed in “Pending” status when client
provisioning policy was not available and the endpoint already existed in the
database.
CSCty87291
Admin Web Portal Requests ID certification When It’s Password
authentication-only
This fix addresses an issue where web browsers prompted for an ID certificate when
navigating to ISE admin web portals, although no certification authentication was
configured for admin users.
CSCuh41450
IP Columns Sort on Char on Network Devices Page
This fix addresses an issue where the IP columns on the Network Devices page
sorted on char, not varchar, which led to incorrect sorting.
CSCui15038
ISE HTTP control interface for NAC Web Agent XSS Vulnerability
This fix addresses an issue where, due to insufficient input validation, a cross-site
scripting (XSS) vulnerability was present in the naccontrol web application of Cisco
Identity Services Engine (ISE).
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C
CVE ID CVE-2014-0680 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0680
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCui15064
Certain ISE Reports Vulnerable to XSS Injection
This fix addresses an issue where certain report pages within the Cisco Identity
Services Engine (ISE) administration interface were subject to a cross-site scripting
(XSS) vulnerability.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2014-0681 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0681
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCui21839
“Export Endpoints” Creates Empty File When Quick Filter is On
This fix addresses an issue where the Export Endpoints function created empty files
when the quick or advanced filter was on and used a non-alphanumeric character (i.e. :,.).
CSCui78135
On Alpha Alarms Still Show Up When We Select All and Acknowledge
This fix addresses an issue where Alpha Alarms still showed up even though the user
selected all the alarms and acknowledged them.
CSCui82998
Custom Guest Portal Loops after AUP Due to Loss of Session ID
This fix addresses an issue where, due to the custom guest portal, a user received a
404 message or was looped back to the portal’s login page after accepting the AUP.
CSCui96322
Default Guest Portal Email Address Limited to 24 Characters
This fix addresses an issue where the default guest portal limited email addresses to
24 characters.
CSCuj07535
IP Address Change is Not Recorded in Endpoint Profile on ISE 1.2
This fix addresses an issue where a change in the IP address was not recorded in an
endpoint profile.
CSCuj11040, CSCum97337
ISE Should Not Degrade a Profile Based on Problematic User-Agent
This fix addresses an issue where iPads were not profiled as iPads, but as
Apple-device only, due to an application sending an HTTP packet with a user-agent
field of “MobileAsset/1.0” which downgrades the profile in ISE to “Apple-device.”
CSCuj25038
ERS Service Disabled After Reboot
This fix addresses an issue where the ERS API was disabled after reboot, even
though it was enabled before the reboot and the configuration was saved using “write
mem.”
CSCuj36310
“@” Character Not Accepted in Wireless SSIDs Fields
This fix addresses an issue where ISE did not allow the use of the @ character in
wireless SSID fields.
CSCuj66093
86017 Error page sessionExpired.jsp images links are invalid
This fix addresses an issue where the sessionExpired.jsp page (the page that is
displayed after error 86017, where a guest user tried to authenticate using an expired
sessionID) image links were broken.
CSCul03597
LDAP User Authorization Doesn't Work with EAP-FAST Chaining
This fix addresses an issue where LDAP user authorization didn’t work with
EAP-FAST chaining.
CSCul35820
ISE Guest Registration Breaks with Apple IOS7 User Name as Email Address
This fix addresses an issue where the ISE Guest registration process had issues with
Apple iOS 7 using an email address for the username instead of the first and last
name.
CSCul66272
Terminate Change of Authorization during Posture for Unknown User-agent
DynGate
This fix addresses an issue where the NAC Agent got stuck in a posture loop due to
the TeamViewer application by DynGate.
CSCul77793
Scheduled Reports Not Exported When Using Illegal Character as a Report Name
This fix addresses an issue where you couldn’t export a scheduled report if an illegal
character (i.e., ~%<>) was used as the report name.
CSCul84544
Retrieval of Active Directory Groups or Attributes from GUI is Failing
This fix addresses an issue where the user was unable to fetch Groups and/or
attributes from Active Directory on the ISE GUI.
CSCul87300
Special Character in LDAP password is not read correctly by ISE
This fix addresses an issue where LDAP authentication and/or group fetch failed
when the admin/service account password had special characters, especially double
quotation marks.
CSCum26362
Authentications Details are Missing All the Required Data
This fix addresses an issue where the Authentication details page was missing data,
such as Authentication Protocol, Authentication method, Network device and
service type data.
CSCum60627
Client EAP Sessions Never Get Cleared
This fix addresses an issue where an EAP session would leak when ISE retransmitted
the last RADIUS message in response to a duplicate packet from the NAS, and then the
client (NAS or supplicant) dropped the conversation.
CSCum77223
Increase Maximum Login Failures for Guest
This patch allows you to increase the number of maximum login failures for guest
users. You can select the maximum number of login failures from a range between
1 and 999. Guest users are also redirected to the Custom Portal login page after
exceeding maximum login failures if the Custom portal is in use.
CSCum86347
ISE Guest Start and Expiration Dates Don't Reflect Sponsor Portal Time Zone
This fix addresses an issue where the guest start and expiration dates did not reflect
the time zone configured in the sponsor portal settings.
CSCum93050
Patch info not shown in CLI and GUI after installing from CLI
This fix addresses an issue where the patch information was not shown in the Cisco
ISE CLI and GUI after installing the Cisco ISE, Release 1.2 patch from the CLI.
CSCum92155
ISE REST API (ERS) - PUT Update Request Removes identityGroups Value
This fix addresses an issue where the identityGroups value was removed when you
updated any value using a PUT method via the ISE REST API (ERS).
CSCun00215
ISE RSA Agent Exhausted Under Heavy Load
This fix addresses an issue where the RSA agent became unresponsive due to a very
large number of simultaneous PAP requests.
CSCun08410
Guest Account’s Start and End Time Validated Against System Time Zone
This fix addresses an issue where an error message is displayed if the start and end
time for a guest user’s account uses a time zone that’s earlier than the system’s time
zone.
CSCun11240
Guest Sponsor Mapping Report Incorrectly Changes Sponsor
This fix addresses an issue where a Guest Sponsor Mapping Report showed the
Sponsor as GuestAction instead of the sponsor who created the account.
CSCun25178
Fetching Group Information Takes a Long Time Because of SIDHistory
This fix addresses an issue where Cisco ISE failed to resolve SIDHistory to group
names if the SIDHistory belonged to a trusted domain/forest.
The large number of SIDHistory values in the user's token used to cause a long delay
(2-5 minutes) during user authentication.
Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 6
Table 18 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899
cumulative patch 6.
To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 18
Cisco ISE Patch Version 1.2.0.899-Patch 6 Resolved Caveats
Caveat
Description
CSCud38634
Guest sponsor details shows wrong sponsor name
This fix addresses an issue where the username shown as the Sponsor was the
username of the Guest when viewing Guest Sponsor Details from a report.
CSCud70219
Log.xml files are not cleaned out regularly
This fix addresses an issue where /opt/oracle/base/diag/rdbms/cpm10/cpm10/alert
folder filled up with log XML files and caused the hard drive to fill up.
CSCuf76821
.trc and .trm files are not cleaned out regularly
This fix addresses an issue where the
/opt/oracle/base/diag/rdbms/cpm10/cpm10/trace folder filled up with *.trc and *.trm
files and caused the hard drive to fill up.
CSCug96069
Replication status update fails for all nodes if the network is restored on PAP
This fix addresses an issue in large scale deployments where the status of one or
more PSN nodes was shown as 'Replication Stopped' and the data was not published
or replicated to other PSN nodes from the PAN node.
CSCui40950
Guest login takes long time and times out
This fix addresses an issue where a guest login could take a long time and then timed
out after 5 minutes.
CSCui57882
Some expired guest accounts cannot be deleted from PDP
This fix addresses an issue where some expired guest accounts could not be deleted
from the sponsor portal.
CSCui57933
Purge expired guest accounts does not work
This fix addresses an issue where some accounts were in a state where they could
not be deleted due to incorrect attributes.
CSCui57961
When editing an expired guest account that cannot be deleted, logs out
This fix addresses an issue where the UI logged you out with error “You do not have
sufficient permission to access this page” when editing an expired guest account that
cannot be deleted.
CSCui72658
Guest Portal cookies not set as Secure or HTTP Only
This fix addresses an issue where the JSESSIONID cookie used in the Guest Portal
is not set to Secure or set as HTTP Only.
CSCuj01781
ISE uses SAN of user certificate for machine lookup in Active Directory
This fix addresses an issue where machine lookup in Active Directory failed during
EAP-chaining authentication if both machine and user were authenticated with
EAP-TLS and principal Username X509 Attribute is configured to SAN.
CSCuj13804
IE8 gives error on ISE1.2 when accessing the provisioning portal
This fix addresses an issue where Internet Explorer 8 on Windows XP displayed an
error when you tried to open the client provisioning portal.
CSCuj26086, CSCuj80131
ISE Client Provisioning - NSP does not launch on Safari 7 (Mac OS X 10.9)
Java Applet fails to install SPW/Agent from Client Provisioning page on Safari
browser version 7 available with Mac OSX 10.9.
Patch 6 addresses this issue by displaying a message on the login page with
instructions on how to configure Safari to allow the Java applet to install.
Before clicking Click to Install Agent, go to:
Safari->Preferences->Security->Manage Website Settings->Java->Click on your
ISE URL->Run in unsafe mode.
CSCuj34004
User name change detected for the session removes all session attributes
When using machine authentication followed by user authentication, a username
change on the session removes all attributes for the session from the cache,
including the attributes in the whitelist category (attrsToKeep). This can result in
an authorization evaluation failure where the first user authentication falls into
the wrong authorization profile.
This fix addresses this issue by re-initializing the default attributes with their default
values.
CSCuj38204
ISE does not allow access for guest with no webagent if posture is configured
This fix addresses an issue where Cisco ISE did not allow access for a guest with no
NAC web agent if posture was configured.
CSCuj47806
ISE redirects to default guest pages when it’s configured to redirect to custom pages
This fix addresses an issue where the browser renders the initial login page when the
user enters the wrong username/password instead of the custom error.html page.
CSCuj49903
Downloading / viewing large log files from PDP causes out of memory error
This fix addresses an issue where downloading or viewing large log files from PDP
caused an out-of-memory error.
CSCuj84427
ISE 1.2 Admin password alerts not functioning properly
This fix addresses an issue where admin password alerts were being sent earlier than
the Password Policy setting specified.
CSCul02821
MDM attributes doesn't update to Endpoint objective
This fix addresses an issue in Cisco ISE where MDM attributes could not be updated
in the endpoint objective in the ISE GUI.
CSCul48352
Right-Click - Copy to MAC and Username in Live Log
This fix addresses an issue where items in the Live Log grid were not selectable
by default, so the user could not select and copy Live Log grid cell
content.
The MAC address and Username columns in the Live Log grid can now be selected
and copied using a right-click.
CSCul50495
Device Registration failed with Cisco Catalyst 3850 Switch
This fix addresses an issue where the Device Registration page displayed an error
message when working with the Cisco Catalyst 3850 Switch.
CSCul50720
Samsung Galaxy S4 cannot be on-boarded in dual SSID flow
This fix addresses an issue where Android devices, including the Samsung Galaxy
S4, that did not contain “Linux” in their user-agent string were not on-boarded in
dual SSID flow.
CSCul58895
ISE 1.2 Patch 3 StartEnd time profiles do not work for guest import
This fix addresses an issue where importing guests using the Import Accounts
Option on the Sponsor Portal using a csv file failed on ISE 1.2 patch 3 due to an
invalid format for the date.
CSCul62175
ISE BYOD enhancement troubleshooting for SCEP
Cisco ISE 1.2 Patch 6 adds logging for Certificate provisioning. This includes
interaction messages with the SCEP server.
CSCul65045
Cannot create/edit network device if advanced license expired
This fix addresses an issue where ISE refused to accept new changes to existing
network devices or add new ones if the advanced evaluation license expired, even if
you did not use any of the advanced feature set.
CSCul66218
Posture delays due to HTTP thread exhaustion
This fix addresses an issue where the NAC Agent took a few minutes to load into the
system tray after logging into Windows and then took up to 10 minutes to pop up and
complete posture assessment.
CSCul71176
Endpoints manually assigned to identity groups might change groups randomly
This fix addresses an issue where endpoints that were manually assigned to an
identity group would sometimes randomly show up belonging to another identity
group if profiling is enabled.
CSCul71532
XML external entity injection found under ERS
This fix addresses an issue where ERS was vulnerable to XML injection attacks
using the DOCTYPE and ENTITY metadata tags in the XML sent in an ERS request.
CSCul77732
Warning message while creating Guest user with hyphen in Self Registration
This fix addresses an issue where the Self Registration page displayed an error
message if the guest’s first name or last name included a hyphen.
CSCul82658
“Strip prefixes listed below” for Active Directory in GUI is a typo
This fix addresses an issue where the Advanced Settings page for Active Directory
in the GUI has a typo that says “Strip prefixes listed below” when it should be
“suffixes” instead of “prefixes.” This has been corrected.
CSCum01290
MDM Integration Not Working With ISE 1.2 Patch 3 and Patch 4
This fix addresses an issue where MDM enrollment failed while running ISE 1.2
patch 3 or patch 4. Upon redirect to the ISE MDM portal, clients were immediately
presented with an error related to "The MDM system is not reachable at this time"
even when the MDM server was reachable. MDM logging to ise-psc.log was missing
key server response and connection failed syslog info when running the patch.
Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 5
Table 19 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899
cumulative patch 5.
To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.2, for instructions on how to apply the patch to
your system.
Note
Please be aware that applying patch 5 to Cisco ISE 1.2 will reboot the nodes on which it is installed.
Please make sure you carry out this activity in a maintenance window with a downtime. Cisco ISE 1.2
will also reboot if you revert from patch 5 to an earlier version.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 19
Cisco ISE Patch Version 1.2.0.899-Patch 5 Resolved Caveats
Caveat
Description
CSCub18575
Problem with sponsor accounts starting with a "0"
This patch fixes an issue where you could not log into the Sponsor Portal with an
account that started with the number 0.
CSCuf24898
ISE repository max password length 16 characters
This fix addresses an issue where FTP / SFTP repository access failed when the user
password was longer than 16 characters.
CSCug20065
Unable to enforce RBAC as desired to a custom administrator
This fix addresses an issue where a user, who only has permissions to a custom
endpoint identity group, is unable to add, modify, or delete identities unless the
entire identities are visible to him.
CSCuh25506
Cisco ISE CSRF Vulnerability
This fix addresses an issue where CSRF protection did not work for some of the web
pages and an attacker could exploit this issue to perform a CSRF attack against the
users of the web interface.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C
CVE ID CVE-2013-3420 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3420
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCui30266
ISE MDM Portal Cross-Site Scripting Vulnerability
This fix addresses an issue where the Mobile Device Management (MDM) portal of
Cisco Identity Services Engine (ISE) was vulnerable to a cross-site scripting (XSS)
attack.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C
CVE ID has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5504
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCui46739
Guest applet fails after update to Java 7 update 25
This patch addresses an issue where both Guest Authentication and Supplicant
Provisioning failed due to Java 7 update 25’s CRL check feature.
To disable the CRL check feature:
1. Allow the CRL check through the Redirect ACL, Port ACL and any Firewall in
place.
2. Clear the checkbox for the CRL check in the Java Control Panel:
• OS X: System Preferences > Java Advanced > Perform certificate
revocation using: Change to 'Do not check (not recommended)'
• Windows: Control Panel > Java Advanced > Perform certificate revocation
using: Change to 'Do not check (not recommended)'
CSCui67495
Uploaded Filenames/Content Not Properly Sanitized
This fix addresses an issue where filenames and content uploaded to Cisco Identity
Services Engine (ISE) were not filtered/sanitized effectively. This could have resulted
in a file of incorrect type being uploaded to ISE or the filename leading to a potential
cross-site scripting (XSS) issue.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4/4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:P/A:N/E:H/RL:U/RC:C
CVE ID CVE-2013-5541 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5541
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCui67511
Certain File Types are not Filtered and are Executable
This fix addresses an issue where, due to insufficient filtering and access control,
potentially malicious file types could have been uploaded to, and executed within,
the Cisco Identity Services Engine (ISE) web interface.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4/4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:U/RC:C
CVE ID CVE-2013-5539 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5539
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCui72269
ISE unable to understand SNMP attribute coming from Switch
This fix addresses an issue where Cisco ISE was unable to handle a bad attribute in
an SNMP query coming from a switch, which caused high CPU cycles on the PAP
node.
CSCuj48111
Hyphen and minus sign can't be entered as first or last name
This fix addresses an issue where a guest sponsor was unable to enter a hyphen or
minus as part of a first or last name while entering a guest’s account information.
CSCuj61976
Admin UI fails to display certain UI pages when using Firefox 25
This fix addresses an issue where ISE admin UI pages with a tree view were not
displayed correctly in Firefox 25.
CSCuj84194
ISE sometimes does not send DACL in authorization profile
This fix addresses an issue where ISE sometimes did not send DACL in an
authorization profile.
CSCuj98726
iOS devices bypass account suspension/lock by starting new EAP session
This fix addresses an issue where an iOS device can bypass account suspension/lock
even if it is enabled, due to it being reported as '5440 Endpoint abandoned EAP session
and started new' instead of using a wrong password.
CSCul02860
Struts Action Mapper Vulnerability
Previous versions of Cisco ISE included a version of Apache Struts that is
affected by the vulnerabilities identified by the following Common Vulnerability
and Exposures (CVE) IDs:
CVE-2013-4310
Cisco has analyzed these vulnerabilities and concluded that the product is not
impacted; however, the affected component has been updated as a hardening measure.
PSIRT Evaluation
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT
ownership or involvement. This issue will be addressed via normal resolution
channels.
If you believe that there is new information that would cause a change in the severity
of this issue, please contact [email protected] for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCul03127
Struts 2 Dynamic Method Invocation Vulnerability
Previous versions of Cisco ISE included a version of Apache Struts2 that is affected
by the vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:
CVE-2013-4316
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C
CVE ID CVE-2013-4316 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCul03621
Endpoint Profiling Information is not being replicated correctly
This fix addresses an issue where Endpoint Profiling Information was not replicated
on the PSN that was not doing the profiling.
CSCul06431
Active Directory attribute value in ATZ profile is not sent
This fix addresses an issue where an Active Directory attribute was not sent to the
client as part of an ATZ profile.
CSCul13757
Audit records MUST log to External Syslog Servers: CLI log level
This fix addresses an issue where any configured External Syslog servers failed to
receive audit records after using the command line interface (CLI) commands to
change the log level to any of the following levels: 2, 3, 4, 5, 6 or 7.
CSCul13805
Audit records MUST log to External Syslog Servers: HTTPS idle timeout
This fix addresses an issue where External Syslog Servers failed to receive an audit
record when an HTTPS Admin GUI idle session timeout occurred, and auditable
events could only be seen locally by setting the Debug Log Configuration for
admin-infra and infrastructure to DEBUG level.
CSCul13812
Audit records MUST log to External Syslog servers: SSH publickey
This fix addresses an issue where SSH server authentication using the publickey
authentication method failed to record an audit log and failed connecting to External
Syslog Servers.
CSCul13883
Audit records MUST log to External Syslog servers: SSH KEX Group14
This fix addresses an issue where configured External Secure Syslog servers failed
to receive audit events for the administration configuration of SSH server
enforcement requiring diffie-hellman-group14-sha1 key exchange algorithm in
order to successfully connect.
CSCul13905
Audit records MUST log to External Syslog Servers: CLI clock set
This fix addresses an issue where no audit logs were recorded for changing the
system clock via the CLI.
CSCul13946
Audit records MUST log to External Syslog servers: Purge M&T Data
This fix addresses an issue where no audit logs were recorded after purging M&T
operational data using the CLI command.
CSCul15967
ISE 1.2 Patch 3 Windows 8.1 CPP OS Detection Failure in Distributed Setup
This fix addresses an issue in the ISE 1.2 patch 3 where Windows 8.1 clients received
an error on secondary PSNs after a CPP redirect.
CSCul16300
Audit records MUST log to External Syslog servers: CLI idle timeout
This fix addresses an issue where External Syslog Servers fail to receive the audit
syslog event when command line interface (CLI) connections are closed due to idle
session timeout.
CSCul18169
Blocking ISE admin UI access for Chrome browser
This fix addresses some issues that blocked Chrome browsers from using the ISE
admin UI.
CSCul18521
Audit records MUST log to External Syslog servers: VGA CLI AUTHC
This fix addresses an issue where External Syslog Servers fail to receive audit syslog
events for administrative CLI logins on a VGA console.
CSCul18555
Audit records MUST log to External Syslog servers: SSH conn fail
This fix addresses an issue where External Syslog Servers fail to receive audit syslog
events for common SSH connection failures.
CSCul23070, CSCul23252
Audit records MUST log to External Syslog Servers: SSH exit forceout
This fix addresses an issue where External Syslog Servers fail to receive audit syslog
events for CLI exit and forceout commands.
CSCul42646
Failed to create Posture Condition with "NOT ENDS WITH" Operator
This fix addresses an issue where creating a Posture condition with a NOT ENDS
WITH operator resulted in an error.
CSCul46893
URL preservation not working with self service guest user in MAB flow
This fix addresses an issue where, after connecting to a wired MAB and creating a
guest account, the user’s browser did not redirect to the URL that they originally
attempted to access.
CSCul58758
Redirecting to 'null' page in the browser after LWA flow with WLC-5500
This fix addresses an issue where connecting to the Guest Wireless LWA flow using
a Windows client machine resulted in a guest account getting redirected to a "null"
page in the browser window instead of original URL.
Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 4
Automatic Update of Compliance Module on Mac OS X Clients
Starting from Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 4, the Cisco NAC
Agent supports automatic update of the Compliance Module on Mac OS X clients. Ensure that you have
installed the Mac OS X Agent version 4.9.4.1 or later so that the Compliance Module gets updated
automatically. Refer to Cisco ISE Installation Files, Updates, and Client Resources, page 24 for more
information on automatic updates. See Also CSCui83009, page 80.
Domain Stripping for Active Directory
Starting from Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 4, you can strip
prefixes or suffixes from user names when Active Directory is used as an External Identity Source. You can
configure the prefixes or suffixes to be stripped from the user names by navigating to Administration >
Identity Management > External Identity Sources > Active Directory > Advanced Settings. Refer
to the “Configuring Active Directory as an External Identity Source” section in the Cisco Identity
Services Engine User Guide, Release 1.2 for more information. See Also CSCuj95908, page 81.
Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 4
Table 20 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899
cumulative patch 4.
To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 20
Cisco ISE Patch Version 1.2.0.899-Patch 4 Resolved Caveats
Caveat
Description
CSCug90502
ISE Blind SQL Injection Vulnerability
This fix addresses an issue where the Cisco Identity Services Engine (ISE) was
vulnerable to blind SQL injection. This could allow a remote, authenticated user to
modify information in the database.
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 6/5.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:U/RC:C
CVE ID CVE-2013-5525 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5525
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCuh84099
ISE should verify non-printable characters in x.509 certificates
This fix addresses an issue where ISE was unable to add any endpoints and threw
exceptions due to the import of x.509 certificates with non-printable characters.
CSCui22884
ISE presents wrong HTTPS certificate
This fix addresses an issue where ISE presented an old HTTPS certificate when a user
accessed the admin or sponsor GUI even though it had been configured to use a new
imported certificate for HTTPS.
CSCui83009
Unable to push compliance module to NAC agent on Macs
Fixed an issue where ISE did not push the latest compliance modules to the NAC
agent for Macs on the fly like it does with the Windows version.
CSCui94488
MyDevice Portal allows endpoints with static endpoint ID group other than
RegisteredDevices
This fix addresses an issue where the ISE MyDevice Portal allowed employees to
register existing endpoints with a static group assignment other than
RegisteredDevices, unless the endpoints were already associated with another PortalUser.
CSCuj03131
Lower "Request Rejection Interval" minimum to 5 minutes
The minimum length of time for the “Request Rejection Interval” for RADIUS has
been lowered to 5 minutes.
CSCuj28968
Guest Activity Report is not working
This fix addresses an issue where the Guest Activity report was blank.
CSCuj39926
Kaspersky remediation does not appear anymore in the AV remediation
This fix addresses an issue where Kaspersky remediation did not appear for AV
remediation (Posture Results).
CSCuj62435
ISE 1.2 TrendMicro not listed for AV Remediation
This fix addresses an issue where Trend Micro was not seen in the AV vendor list
when creating an AV Remediation.
CSCuj63046
Text fields impose 24 character limit during guest self-registration
This fix addresses an issue where guest users could not enter information into the
boxes on the Self Registration page in excess of 24 characters.
CSCuj72022
Cannot use "Ends With" operator in a Posture condition on ISE
This fix addresses an error that occurred when the user attempted to create a Posture
rule using the ENDS WITH logical operator.
CSCuj90823
Guest Portal: IP Refresh Failing in IE 11
This fix addresses an issue where IP Refresh was not working properly in the Guest
Portal due to ActiveX in Internet Explorer 11 for Windows 8.
CSCuj91050
Creating Guest users shows incorrect timezone 'GMT+2 ECT'
This fix addresses an issue where a guest user would fail to log in with the following
error due to an incorrect time zone being assigned to the account: "An internal error
occurred. Contact your system administrator for assistance. Contact your system
administrator."
CSCuj95908
ISE does not do domain stripping for Active Directory external store
This fix addresses an issue where ISE did not allow the modification of the domain
name before authentication when the external identity store used is Active Directory.
CSCul62723
Mobile Guest Portal: Success page redirects to http://10.86.149.92
This fix addresses an issue where the success page on the Mobile Guest Portal
redirected the guest to http://10.86.149.92.
CSCuh94133
NAC agent with ISE slowly leaking memory after posture
This fix addresses the issue where there was a memory leakage in the client machine
when NAC Agent was connected to Cisco ISE after posture.
Support for Windows 8.1 and Mac OS X 10.9 in Cisco ISE Version 1.2.0.899—Cumulative Patch 3
ISE 1.2 Patch 3 supports clients using the Windows 8.1 and Mac OS X 10.9 operating systems.
Please see Open Caveats, page 91 for a workaround for client provisioning using Safari 7 in Mac OS X
10.9.
Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 3
Table 21 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899
cumulative patch 3.
To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 21
Cisco ISE Patch Version 1.2.0.899-Patch 3 Resolved Caveats
Caveat
Description
CSCue14864
Endpoint statically assigned to ID group may appear in different group
This fix addresses an issue where endpoints that are statically assigned to an
Endpoint ID group unexpectedly appear in another group. The issue was that, where
authorization profiles are based on ID group, these endpoints may wind up getting
assigned the wrong authorization result.
This issue had been observed where the administrator creates endpoint identity
groups and manually adds endpoints to the Cisco ISE database, making them static.
CSCuf47491
Timestamp of core files not preserved in support bundle
This fix addresses an issue where core-dump timestamps were not always from when
the core dump was created.
CSCug59579
Windows 8 and 8.1 not included in Client Provisioning
This fix addresses an issue where Windows 8 is not included in the OS options for
Client Provisioning Policies.
CSCuh14228
Internal administrator summary report export not working
This fix addresses an issue where the export feature for the Internal administrator
summary report was not working.
CSCuh20322
Need ISE application server restart reason and timestamp
This fix reformats the timestamp for the show application status ise
command so that the user can determine the uptime of the application.
CSCuh23536
RADIUS drop should have last event timestamp
This fix adds a new timestamp column for the RADIUS drops, misconfigured
supplicants, and misconfigured network devices log counters.
CSCuh30587
Backup fails due to ISE restart
This fix addresses an issue where the ISE application server restarts in the middle of
a backup because of a local certificate change, which causes the backup to fail. Now,
ISE prevents you from restarting the application server if a backup or restore is in
progress.
CSCuh36333
Successful DACL download authentication is counted under authentication dashlet
This fix addresses an issue where the authentication dashlet incorrectly included
DACL download authentications.
CSCuh45239
Node Status Patch page does not refresh automatically
This fix addresses an issue where the Node Status page would not automatically
refresh when installing a patch. This fix adds a Refresh button to the page.
CSCui21439
Message code texts are blank or incorrect
This fix addresses an issue where the texts for message codes 86009, 86010, 86017,
and 86019 were blank and the text for message code 5411 was incorrect. This fix
also addresses an issue where the failure reason text for the RADIUS
Authentications report did not display properly.
CSCui30275
Fixed an issue where a component of the administration page of the Cisco Identity
Services Engine (ISE) was vulnerable to a cross-site scripting (XSS) attack.
For additional information on cross-site scripting attacks and the methods used to
exploit these vulnerabilities, please refer to the Cisco Applied
Mitigation Bulletin "Understanding Cross-Site Scripting (XSS) Threat Vectors",
which is available at the following link:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20060922-understanding-xss
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The
Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C
CVE ID has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5505
Additional information on Cisco's security vulnerability policy can be found at the
following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
CSCui35514
'show tech' script in support bundle needs fixing
This fix addresses errors in the output of the “show tech” script in the support
bundle. These errors included:
• incorrectly displaying "grep: writing output: Broken pipe" errors
• the order not being the same as the 'show tech' output on the ADE OS CLI
• the certificate output having a bad new line character (^M), rendering the PEM
output unusable unless manually modified
CSCui36643
ISE Editing schedule report complains of existing report name in use
This fix addresses an issue where editing a scheduled report returned the error "This
schedule name has been used. Please specify a different one.”
CSCui71484
ISE SEC PAP has write access via ERS API
This fix addresses an issue where a provisioning request (add/delete/modify) could
be done on SEC PAP via ERS API, although it should have only allowed using a
GET method.
CSCui77336
Customized URL ISE self registration not working
This fix addresses an issue where ISE Customized web portal self-registration was
not working for guest users when using a custom portal with the guestUser.timezone
input tag specified in the self-registration html page.
CSCui89741
ISE ERS API creates endpoint with invalid format MAC address
This fix addresses an issue where an invalid MAC address format could be added to
ISE database by the External RESTful Services API using the CURL command.
CSCui96960
MNT Livelog/Dashboard performance
This fix addresses an issue where the Livelog and Dashboard performance in ISE 1.2
suffered when the underlying query ran for a specific MAC address and when there
was a large volume of data in the newly-created partition without stats.
CSCuj03071
EndPoint update not being saved to PAP due to high latency
This fix addresses an issue where systems with high latency might skip endpoint
updates when endpoints are created on PSNs over the WAN from the PAP. For
example, Cisco-IP-Phone may appear as Cisco-Device even if the information was
collected and endpoint was profiled as Cisco-IP-Phone.
This occurred when there was very high latency (low bandwidth) between the PSN and
the PAP, with around 0.5 seconds needed to create an endpoint.
CSCuj03697
Allow Tunnel* attributes in policies
This fix addresses an issue where tunnel attributes in the RADIUS IETF dictionary
could not be seen in the pull down when configuring a condition.
CSCuj05295
ISE Application server crashed and stuck in initialized state with “null” in collection filter
This fix addresses an issue where ISE crashes and the Application server gets stuck
in an initialized state if a Collection Filter is created with value “null.”
CSCuj09430
Guest account is not working according to its Time Zone
This fix addresses an issue where a guest account worked only on the time zone of
the server, not the user, which affected when a guest could log into the guest portal
and when the guest account expired.
CSCuj14382
Cannot statically assign IP address as FramedAddress
This fix addresses an issue where assigning a string IP value to an IPV4 attribute
resulted in a validation error.
CSCuj15372
Authentications fail with MDM authentication rules enabled
This fix addresses an issue where, with MDM authentication rules enabled, all
RADIUS authentications fail after several successful runs with the following error
message: 5436 RADIUS packet already in the process.
CSCuj16049
HA Licensing
This fix addresses an issue where in the deployment process, once the secondary is
promoted as primary, the HA licensing file could not be installed on the promoted
secondary.
CSCuj19882
Unable to edit the existing Guest accounts after restoring old backup
This fix addresses an issue where you could not edit a guest account from the
sponsor portal if the account was created before ISE 1.2 patch 2 was applied.
CSCuj28447
Endpoint statically assigned to ID group may appear in different group
This fix addresses an issue where an endpoint statically assigned to an Endpoint ID
group may have been seen in another group for no apparent reason. Authorization
profiles based on ID group led to the endpoint being assigned the wrong
authorization result.
CSCuj45431
ISE Support for Mac OS X 10.9 NAC Agent
ISE 1.2 patch 3 supports a NAC Agent for Mac OS X 10.9.
CSCuj45766
Add/Remove MDM server never got replicated to PSNs in distributed deployment
This fix addresses an issue where ISE would still use a previously configured MDM
server when another MDM server is created as an active MDM or updated as an
Active MDM.
CSCuj51094
Captured TCPDump file is not working
This fix addresses the issue where you are unable to open the captured
TCPDump.pcap file in a program like Wireshark.
CSCuj54630
ISE 1.2 patch 2 is rejecting https cookies from the Mobile Iron Server
This fix addresses an issue between ISE 1.2 (899) patch 2 and Mobile Iron Stand
Alone (VSP 5.7.1 Build 74). When ISE used the API to check on the status of an
endpoint, ISE rejected cookies issued from MI, thus preventing the server from
properly identifying what devices are compliant or not. This resulted in the status of
"unknown," which prevented access for endpoints that are compliant (via AuthZ rule
set).
CSCuj57335
Egress Matrix: require default SGACL that includes log option
This fix adds new log functionality to the default Egress rule.
CSCuj60796
ISE Support for IE 11
ISE 1.2 patch 3 supports Internet Explorer 11.
CSCuj70022
EAP-FAST authenticated provisioning with Android doesn't work
This fix addresses an issue where ISE TLV failed when parsing a TLV sequence that
some versions of Android sent during authenticated provisioning.
CSCuj82378
Downloaded captured TCP dump file for remote node is not of proper size
This fix addresses issues with TCP dump files. Previously, the Download button
would not respond after running the TCP dump for more than five minutes. Also, an
error occurred after downloading the TCP dump file because the file size was
incorrect. These issues have been resolved.
New Features in Cisco ISE Version 1.2.0.899—Cumulative Patch 2
Support for Guest Self-Registration Based on Email Domain Whitelist
You can allow guests to create their own accounts by enabling the self-service feature by choosing:
Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations >
Operations > Guest users should be allowed to do self service. When you enable this feature, the
account credentials display on the screen, and they are also emailed to the email address used to create
the account.
You can restrict this feature by limiting guests’ ability to create their own accounts based on their email
domain. By creating an email domain whitelist, you can ensure that only guest users with email accounts
on those domains can create guest accounts.
To prevent the account credentials from displaying on the screen, you must create a custom portal when
using an email domain whitelist. These steps provide an overview:
1. Create a custom portal, following these guidelines:
– Add a required email field and an acceptable use policy (AUP) page to the Self-Registration
html file. See New Sample HTML Files for Custom ISE 1.2.x Web Portals, page 62 for
information on downloading a sample file.
– Add text to refer users to their email for their login credentials on the Self-Registration Results
html file. See New Sample HTML Files for Custom ISE 1.2.x Web Portals, page 62 for
information on downloading a sample file.
– Map the Login file to the Self-Registration page. See the “Mapping HTML Files to Guest Portal
Pages” section in the Cisco Identity Services Engine User Guide, Release 1.2 for detailed
instructions.
2. Configure the SMTP server to support notifications (Administration > System > Settings > SMTP
Server).
3. Specify the default e-mail address from which to send all guest notifications. (Administration >
System > Settings > SMTP Server and choose Use Default email address).
4. Create the email domain whitelist. See the “Restricting Self-Registration Based on Email Domain”
section on page 86.
5. Customize the self-registration credentials email message. See the “Customizing the
Self-Registration Credentials Email” section on page 87.
6. Customize the self-registration failure message. See the “Customizing the Self-Registration Failure
Message” section on page 87.
Restricting Self-Registration Based on Email Domain
Before You Begin
• Configure the SMTP server to support notifications (Administration > System > Settings > SMTP
Server).
• Specify the default e-mail address from which to send all guest notifications. (Administration >
System > Settings > SMTP Server and choose Use Default email address).
Step 1
Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal
Configurations.
Step 2
Add or edit a guest portal and click Operations.
Step 3
Check these options:
• Guest users should be allowed to do self service.
• Send self-registration credentials to whitelisted email domains
Step 4
Enter the allowable domains in the Whitelisted email domains field, following these criteria:
• Enter the exact domain name; wildcard characters are not supported.
• Use commas to separate multiple domain names.
• The field supports a maximum of 4000 bytes so the total number of supported domains varies,
depending on multibyte or unicode requirements.
Step 5
Click Save.
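An added example (not Cisco code) that pre-checks a value for the Whitelisted email domains field against the three criteria listed above before it is entered. It assumes the 4000-byte limit is counted in UTF-8 and that an address is accepted only on an exact, case-insensitive match of its domain; neither detail is stated in these release notes, and all function names are illustrative.

```python
MAX_FIELD_BYTES = 4000          # limit stated in the release notes
WILDCARD_CHARS = set("*?")      # wildcard characters are not supported


def field_size(field):
    """Size of the field value in bytes (assumption: UTF-8 encoding)."""
    return len(field.encode("utf-8"))


def _valid_label(label):
    """One dot-separated label: 1-63 letters/digits/hyphens, no edge hyphen."""
    return (
        0 < len(label) <= 63
        and not label.startswith("-")
        and not label.endswith("-")
        and all(ch == "-" or ch.isalnum() for ch in label)
    )


def parse_whitelist(field):
    """Return (domains, errors) for a comma-separated whitelist value."""
    errors = []
    size = field_size(field)
    if size > MAX_FIELD_BYTES:
        errors.append(f"field is {size} bytes; limit is {MAX_FIELD_BYTES}")

    domains = []
    seen = set()
    for position, raw in enumerate(field.split(","), start=1):
        entry = raw.strip()
        if not entry:
            errors.append(f"entry {position}: empty")
            continue
        if WILDCARD_CHARS & set(entry):
            errors.append(f"entry {position}: wildcard not supported: {entry!r}")
            continue
        labels = entry.split(".")
        if len(labels) < 2 or not all(_valid_label(label) for label in labels):
            errors.append(f"entry {position}: not an exact domain name: {entry!r}")
            continue
        key = entry.casefold()
        if key in seen:
            errors.append(f"entry {position}: duplicate of an earlier entry: {entry!r}")
            continue
        seen.add(key)
        domains.append(entry)
    return domains, errors


def email_allowed(address, domains):
    """Exact-domain match (assumed behaviour): subdomains are NOT implied."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return False
    return domain.casefold() in {d.casefold() for d in domains}


if __name__ == "__main__":
    # Constructed sample value with three deliberate mistakes.
    sample = "example.com, partner.example.org,*.example.net,,bad_domain"
    accepted, problems = parse_whitelist(sample)
    print("accepted:", accepted)
    for problem in problems:
        print("problem:", problem)
    for address in ("guest@Example.COM", "guest@mail.example.com"):
        print(address, "->", email_allowed(address, accepted))
```

Because wildcards are not supported, every subdomain that guests may register from has to be listed as its own entry, and each one counts toward the byte limit.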
Customizing the Self-Registration Credentials Email
You can customize the email message sent to users containing their self-registration login credentials.
When customizing this message, be sure to configure it for the languages supported for your guest users.
This email is sent to the guest and sponsor using the guest notification language (specified in this setting:
Sponsor portal > Edit guest account > Notification language).
Step 1
Choose Administration > Web Portal Management > Settings > Sponsor > Language Template >
English (or other language) > Configure Email Notifications > Self-Registration Credentials.
Step 2
Customize the message and click Save.
Customizing the Self-Registration Failure Message
You can customize the error message that displays when users attempt to register using an email account
from an unsupported domain.
Step 1
Choose Administration > Web Portal Management > Settings > Guest > Language Template >
English (or other language) > Configure Error Messages > Self Service Failed Message.
Step 2
Customize the message and click Save.
Guest Account Expiration Notifications
You can notify guests and sponsors in advance that guests’ accounts are close to expiring. Sponsors can
then proactively extend the account duration.
These restrictions apply when sending account expiration notifications:
• Notifications are sent only to active accounts. Pending, suspended, and expired accounts will not
receive a notification.
• Accounts using the FromFirstLogin time profile will not receive a notification until they have
become activated and are in the expiration notification window.
• The timezone of the guest account is used to determine the account expiration.
Configuring Guest Account Expiration Notifications
Step 1
Choose Administration > Web Portal Management > Settings > Guest > Time Profiles.
Step 2
Add or edit a time profile.
Step 3
Check these options:
• Send account expiration notification
• Notification time—enter a value between 0 and 336 hours. You must enter a time allowed by the
time profile. (For example, if the time profile limits guest access to one week, you might enter 24 to
send the expiration notification a day in advance.)
• Send email to guest or Send email to sponsor—you must choose at least one of these options.
Step 4
Click Save.
Customizing the Guest Account Expiration Notification
You can customize the messages sent to guests and sponsors to warn them that the guest account is
expiring soon. When customizing these messages, be sure to configure them for the languages supported for
your guest and sponsor users. This email is sent to sponsors and guests in the language indicated by these
settings:
• Sponsors—Sponsor Portal > My Settings > Language template
• Guests—Sponsor portal > Edit guest account > Notification language
Step 1
Choose one of these options:
• Guests—Administration > Web Portal Management > Settings > Guest > Language Template
> English (or other language) > Configure Email Notifications > Account Expiration
Notification Message.
• Sponsors—Administration > Web Portal Management > Settings > Sponsor > Language
Template > English (or other language) > Configure Email Notifications > Account Expiration
Notification Message.
Step 2
Customize the message to send to sponsors and guests, using these supported variables:
• $guest$—first name of the account or the username if first name is empty
• $username$—login of the guest account
• $firstname$—first name on guest account
• $lastname$—last name on guest account
• $sponsor$—the sponsor's login username
• $time$—the time remaining on the account before expiration. Displays as: HH:MM
• $remaininghours$—the remaining number of hours before expiration
• $remainingminutes$—the remaining number of minutes before expiration
• $starttime$—the start date and time of the account. Displays as: EEE dd, MMM yyyy HH:mm. For
example: Fri 30, Aug 2013 10:30.
• $endtime$—the end date and time of the account. Displays as: EEE dd, MMM yyyy HH:mm. For
example: Fri 30, Aug 2013 10:30.
Step 3
Click Save.
Support for Apple iOS 7 in Cisco ISE Version 1.2.0.899—Cumulative Patch 2
ISE 1.2 Patch 2 supports iOS 7 Endpoints for Guest users (Local Web Authentication and Central Web
Authentication), as well as BYOD on-boarding. Please note that to ensure iOS 7 endpoint support with
ISE 1.2 Patch 2, the WLC needs to be updated to version 7.4.115.0.
The WLC 7.4.115.0 update for these devices:
• Cisco 2504 Wireless Controller
• Cisco 5508 Wireless Controller
• Cisco 8510 Wireless Controller
• Cisco Flex 7510 Wireless Controller
• Cisco Virtual Wireless Controller
can be downloaded by registered users of Cisco.com from this location:
http://software.cisco.com/download/special/release.html?config=fe18b0e824ca3427253bf74fdf50dab9
The WLC 7.4.115.0 update for the Cisco Wireless Services Module 2 (WiSM2) can be downloaded by
registered users of Cisco.com from this location:
http://software.cisco.com/download/special/release.html?config=dc3ed2770a7e6d66be495ac1d8cf0cc5
Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 2
Table 22 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899
cumulative patch 2.
To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 22
Cisco ISE Patch Version 1.2.0.899-Patch 2 Resolved Caveats
Caveat
Description
CSCuh25868
Authorization policy condition’s re-editable text/string limited to 16 characters.
This fix addresses an issue where editing an authorization policy’s conditions
resulted in the text box showing only the first 16 characters in a string condition. The
remaining characters were replaced by "..."
CSCuh56278
Local Web Authentication (LWA) Guest access by iOS 6 devices on ISE 1.2 fails.
This fix ensures that iOS 6 devices are authenticated correctly and gain access to the
network appropriately.
CSCui34389
RADIUS accounting drop is not suppressed, flooding live log
This fix addresses an issue where message codes for RADIUS accounting drops
were not suppressed, resulting in live logs being flooded.
CSCui36160
Whitelist and expiration notification.
The new Guest Self-Service feature provides administrators and sponsors the ability
to have a customized notification email sent to guest users or sponsors X days before
the guest account expires, allowing the sponsor (or guest user in SPP) to update the
time profile and extend the account expiration.
Self Service Guest accounts have password credentials sent via email, with an
additional Email Whitelist feature for validation.
Note
See Support for Guest Self-Registration Based on Email Domain Whitelist,
page 86 for more information.
CSCui42788
Exporting of imported profile policy results in a garbled description.
This fix addresses an issue where exporting an imported policy with a description
field resulted in a garbled description field.
CSCui44324
Backup task can't be configured in ISE 1.2 UI.
This fix addresses an issue where a scheduled backup couldn’t be configured on ISE
1.2 in UI under "Administration -> System -> Backup and restore". After filling all
data and clicking the "Save" button, nothing happened (i.e., neither was a task created
nor an error generated).
CSCui56071
ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates
This fix filters incoming Framed-IP-Address values that contain the zero IP address (0.0.0.0)
to reduce replication.
CSCui58390
Multiple names in SAN Field and ISE choose value randomly
This fix addresses an issue where ISE chose the wrong Subject Alternative Name
when there were multiple names in the SAN field values in the certificate.
CSCui75335
ISE 1.2 NAC agent fails posture due to 'NAC Server not available'
This fix addresses an issue where a NAC agent failed a posture assessment attempt
and displayed a “NAC Server not available” error.
CSCuj23727
A change in iOS 7 to the user-agent string for an iPod Touch breaks its BYOD workflow.
This fix ensures that an iPod Touch device is recognized as such in a BYOD
workflow.
Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 1
Table 23 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899
cumulative patch 1.
To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco
Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might
be required to provide your Cisco.com login credentials), navigate to Security > Access Control and
Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the
Cisco Identity Services Engine User Guide, Release 1.2 for instructions on how to apply the patch to
your system.
If you experience problems installing the patch, contact Cisco Technical Assistance Center.
Table 23 Cisco ISE Patch Version 1.2.0.899-Patch 1 Resolved Caveats
Caveat
Description
CSCui16528
Wrong service selection for NDAC Policy
This fix addresses the issue in a Cisco ISE deployment with SGA functionality
implemented, where the authentication request was rejected by the Cisco ISE PSN
server and the request from the client timed out.
Cisco ISE, Release 1.2.x, Open Caveats
• Open Caveats
• Open Agent Caveats
Open Caveats
Table 24 Cisco ISE, Release 1.2.x, Open Caveats
Caveat
Description
CSCua97013
Apple iOS devices are prompted to accept “Not Verified” certificates
Apple iOS devices (iPhone & iPad) are asked to accept the certificate, appearing to
them as “Not Verified,” when connecting to WLAN (802.1X).
By design, Apple iOS devices are prompted to accept a proprietary certificate, but
Apple OS X and Android devices work without being prompted to accept a
certificate.
This happens even when the certificate is signed by a known CA, as there is an
intermediate certificate in the server certificate chain.
Workaround Click Accept to acknowledge the certificate. While browsing any URL,
the user is redirected to provision the device. After provisioning, the intermediate
certificate is installed on the iDevice.
CSCub17522
IP Phone IEEE 802.1X authentication reverts to PAC-based authentication when the
“Accept client on authenticated provisioning” option is not enabled.
When the “Accept client on authenticated provisioning” option is off, Cisco IP
Phone EAP-FAST authentication sessions always end with an Access-Reject event.
This requires the IP phone to perform PAC-based authentication to pass
authentication. Since Cisco IP Phones perform authentication via authenticated
provisioning and not via PAC-based authentication, it is not possible for the phone
to authenticate when this option is off.
Workaround Try one of the following:
• Turn on the Cisco IP Phone “Accept client on authenticated provisioning”
option.
• Switch from EAP-FAST protocol to PAC-less mode.
• Authenticate Cisco IP Phones via EAP-TLS rather than EAP-FAST.
CSCuc60349
False alarms on patch install/rollback as failure on secondary node
ISE sometimes generates critical false alarms for install or rollback failure alarms
on secondary node even though the install or rollback operations were successful.
Workaround Use PAP (Administration > Maintenance > Patch > Show Node Status)
to verify patch installation status.
CSCuc92246
Disk input/output operation while importing users slows down the appliance
If you enabled the Profiler service in your deployment, you have a Cisco ISE 3315
appliance as your primary Administration node, and you import users, accessing the
user interface becomes very slow.
Workaround None
CSCud00407
Microsoft Active Directory 2012 user authentication with Alternative User
Principal Name suffix fails.
This issue occurs when the Alternative User Principal Name (UPN) is the same as
the name of the parent or ancestral domain to which Cisco ISE is joined. For
example, if Cisco ISE is joined to a domain named
“sales.country.region.global.com,” and you have an Alternative UPN named
“global.com,” then user authentication fails.
Workaround Use an Alternative UPN that is not the same as the parent or an
ancestor.
CSCud18190
Unable to reregister a device (via EAP-TLS) that was provisioned earlier.
If you delete an endpoint that was provisioned, you have to force the deleted or
missing endpoint to re-register with Cisco ISE so that the endpoint is created again.
Workaround Create an authorization rule similar to the following:
Re-register-Policy NetworkAccess.AuthenticationMethod == x509_PKI
CWA-Policy
This rule redirects to the CWA policy and authenticates the user (you must add the
identity store to the guest authentication store sequence), and re-provisions the
endpoint.
CSCue08385
After changing the domain name could not access node in 3 node setup.
After changing the domain name in the PAP node, it is not possible to access the PAP
node through the GUI and an HTTP error is thrown.
CSCue17018
MNT node gets messages even after it is out of deployment and is disconnected.
CSCue46758
Session expired error occurs during guest authentication. Cisco ISE displays the
following error message:
ISE: 86107- Session cache entry missing
For Central Web Authentication, when you configure an authorization profile, and
modify the cisco-av-pair (cisco-av-pair =
url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa),
the user is redirected to the Web Authentication page, but the session expires after
the user logs in.
Workaround Do any one of the following:
• Do not replace “ip” in the cisco-av-pair with a value.
• Do not modify cisco-av-pair. Instead, configure the Web Authentication option
under Common Tasks.
CSCue51298
Guest users who are assigned the ActivatedGuest role and First Login time profile
have to change their password at first login or after password expiration.
This issue occurs when you assign the ActivatedGuest guest role and the From First
Login time profile to a guest user.
This time profile requires the guest users to first access the Guest portal to change
their password. The typical flow for these activated guest users does not require
them to access the Guest portal because they sign in using IEEE 802.1X (dot1x)
authentication or VPN.
Workaround For activated guest users, use the From Creation time profile instead of
the From First Login time profile.
CSCuf77949
After upgrade, two instances of the same alarm appear on your dashboard.
After you upgrade, you might see two instances of the same alarm being generated.
This issue exists for about 15 minutes after the upgrade is complete.
Workaround None.
CSCug60740
While using Chrome as the browser on a Nexus 7 tablet, if JavaScript is disabled, users
logging in to the Guest portal for the first time will not be able to continue with the
site security certificate page.
Workaround Enable JavaScript for the browser or install a trusted certificate on ISE to
avoid the site security certificate page.
CSCuh07358
Holistic solution is required to resolve Java/SPW issue on Mac OS X/Windows
provisioning.
While onboarding Mac OS X devices, if Java is not installed, an error message is
displayed. This requires the user to install Java and rerun the flow again to onboard
the device.
CSCuh75971
Issue running applet in Windows or Macintosh OS with latest Java 7 update 25.
If Java 7 update 25 or above is installed, launching the Agents or Network Setup
Assistant during client provisioning or the onboarding process on Windows or
Mac OS X clients takes about 3 minutes, as this Java update has Perform
revocation checks enabled by default. This causes the applet's signed certificates to
be verified against the issuer's CA server, which is currently blocked. This issue
affects only the Java applet and does not affect ActiveX, so there is less impact on
Internet Explorer, which uses ActiveX by default.
Workaround The Cisco ISE administrator should allow access to crl.thawte.com and
oscp.verisign.net for the restricted network during provisioning. If the administrator is
not able to open access to these sites, then the end user should turn off Perform
certificate revocation checks in Java as follows:
Open the Java Control Panel, click the Advanced tab, go to Perform certificate
revocation checks on and select Do not check.
CSCuh78210
Agent does not turn TLS1.0 in IE if FIPS ciphers are disabled by default
When redirected from Internet Explorer, if the FIPS cryptographic ciphers from
local security policies on client machines are enabled or disabled, then the NAC
Agent does not pop up for posture assessment.
Workaround Exit and launch the NAC Agent again to get the latest FIPS settings.
CSCuh07275
Roaming of iPad breaks onboarding process.
If a device roams to a different Access point or WLC that connects to a different
PSN, then the CoA is sent to WLC that is not expecting it and the onboarding goes
into a loop.
Workaround Disconnect from the wireless and try to connect again.
CSCuh12619
BYOD: Device registration is successful even after canceling the profile
installation.
CSCuh21153
IP Address does not refresh in Windows 7 client when using Internet Explorer for
authentication in DRW flow.
CSCuh22013
Some endpoint devices like iPad and iPhone have issues with wildcard certificates
when CN is blank.
CSCuh43300
Node group cluster information is deleted if a node is made primary and included in
a node group at a time.
When a node group is created in a standalone node and then the node is made
primary, the failover information is not notified to the primary node.
CSCuh60829
While upgrading from ISE 1.1.1 to ISE 1.2, the Time and Date condition configured
as 'All Day' changes to specific hours and it fails for all authentication and
authorization policies that use the time based condition.
CSCuh64576
Language Template description and browser Locale Map are not carried over
After upgrading to ISE 1.2, the 'Description' and 'Browser Locale Mapping' in the
template definition are not carried over for Sponsor, My Devices, and Guest
Language template.
Workaround After the upgrade, set the flags manually.
CSCuh77967
Error message when same rule name appears under local and Global exception
When global and local exception rules are created with same names, they get saved
successfully. While trying to edit and save the policy, an error message is displayed
that the exception rule already exists.
CSCuh78514
Config Restore including ADE-OS could cause nodes to go out of sync
In a deployment, nodes are not in sync after ADE-OS restore.
Workaround After the restore is successful, the nodes need to be synchronized
manually using the ISE Administration web UI.
CSCuh88557
User password policy attribute migration issue
In the ACS UI, the “Password may not contain the username or its characters in
reversed order” checkbox is enabled and exported to ISE. After importing the
policies, the checkbox appears disabled.
CSCuh90273
BYOD flow does not work when ISE acts as RADIUS proxy.
Once AD user is authenticated successfully against remote RADIUS server, the user
is redirected to NSP portal. In the NSP portal, it is not possible to obtain the user
information. An error is thrown and instead of the 'Register' option, 'Try Again'
option is displayed.
CSCuh94096
IE9: Register button greyed out when ActiveX is disabled
In a Windows 7 client using Internet Explorer 9 with ActiveX disabled, while trying
to perform the BYOD flow the browser redirects the user to ‘Device Registration’
page, where the ‘Register’ option is greyed out.
Workaround Enable the ActiveX to get the Register option properly.
CSCui00865
After creating guest accounts using Mozilla Firefox, the 'Manage Guest Accounts'
page does not contain the newly created guests and has missing objects.
Workaround Clear the cache and restart the browser.
CSCui01605
Saving Duplicate policy set which has user defined simple condition fails
It is not possible to duplicate and save a policy set that contains user defined simple
condition.
Workaround
• Create a new policy set with same user defined simple conditions and save it.
OR
• Duplicate a policy set with authorization simple condition and delete the user
defined simple conditions in the policy set. Create the same condition in the
duplicated policy set and save it.
CSCui03041
Device ID does not go to RegisteredDevices group
When a laptop with Mac OS X is connected to a network through BYOD flow, both
the wired and wireless MAC addresses are listed in 'RegisteredDevices' group.
When the same laptop is connected again after cleaning up the profiles and user
credentials, only the wireless MAC address is listed in the 'RegisteredDevices'
group.
CSCui05265
Guest Role configuration in the Administration UI using IE does not work properly
Configuring Guest Role at Administration > Web Portal Management >
Settings > Guest > Guest Roles Configuration, using Internet Explorer does not
display the ID groups properly.
Workaround Use other browsers like Firefox.
CSCui07457
WLC ACL issue with Android device during BYOD
In a BYOD flow, when the ACLs are created through the Setup Assistant, Android
devices fail to download the Network Setup Assistant application.
Workaround Do any one of the following to enable the Android devices to download
the profile and connect to the network successfully.
• Update the ACL in the WLC GUI by deleting one of the ACLs and creating it
again with same values.
OR
• In the Edit page of the WLC, click Save without changing the values. This will
update the ACL.
CSCui10632
NSP profile deleted and replaced by another after downloading the resources
After creating an NSP profile for EAP-TLS and using it in a client provisioning
policy, when the agents and resources are downloaded through the update feed URL,
the NSP profile gets deleted. It is replaced with one of the downloaded NSP profiles.
CSCui12947
After upgrading, replication fails on deployment when secondary PAP is promoted.
Workaround Delete the local certificates and restart the PAP.
CSCui16373
Upgrading any secondary node from Limited Availability Release to Release 1.2
Fails.
This issue occurs only when you upgrade from the Limited Availability release to
Cisco ISE, Release 1.2. This issue is seen when you have backup schedules
configured in Cisco ISE.
Workaround Disable or cancel the backup schedules before you upgrade to Release
1.2.
CSCui16876
Default authentication policy matching instead of default dot1x rule
When the default policy is modified to 'deny access' and dot1x authentication is
performed against PDP with internal user, authentication fails. The authentication
matches with 'AllowedProtocolMatchedRule'.
Workaround Instead of deny access, select identity source/sequence to get
authenticated.
CSCui18956
Not able to update the custom RBAC policies after upgrading to Cisco ISE 1.2
After upgrading from Cisco ISE 1.1.x to 1.2, it is not possible to update the RBAC
policies, custom menu access and data access permissions that were created in Cisco
ISE 1.1.x.
Workaround
1. Create new menu access permission after upgrading to 1.2
2. Update the RBAC policy created in 1.1.x with the newly created menu access
permission and save the policy.
3. Log in with the RBAC user and the updated menus will be displayed.
CSCui19072
After creating RBAC menu access permission, navigate to the Home page and click
the Show button. This throws the following error: 'TypeError: selectedItem is
undefined'.
Workaround This happens only for the first time. Edit the menu access, go to the
Home page, and click Show.
CSCui28492
Registered Endpoints report takes a few minutes.
Workaround Gather the statistics in CEPM schema and the reports are generated
without delay.
CSCui87386
Default Guest Portal displays Self Service Results on screen with the White Listing
Feature enabled.
Workaround Use a Custom Guest Portal, with the Self Service Results Page
customized not to display the Results on screen. Additionally, disable the Self
Service option in Default Guest Portal Settings, as there is a risk of accessing the
Default Guest Portal by tweaking the redirected URL.
CSCuj10678
The iPEP Node is unable to correctly handle tagged VLANs.
Workaround Make the native VLAN on the switch the same as the management
VLAN.
CSCuj22597
When using the notification feature, emails are delivered even when notifications
are disabled for the sponsor in admin.
Workaround Disable the notification on the time profile setting instead.
CSCuj40148
During the BYOD flow the end user will be continuously redirected to the device
registration page after installing Java.
This occurs when:
• the endpoint does not have Java installed and after the installation is completed
on the Firefox browser, or
• Java is uninstalled and the Firefox browser was not quit before starting the
BYOD flow
Workaround Quit and relaunch the Firefox browser after installing the Java package
from www.java.com/en/download and then continue with the BYOD onboarding.
CSCuj62777
After uninstalling 1.2 Patch 3, the PAP node goes down and doesn’t come up,
showing HTTP 404 Error in GUI.
CSCul27693
If you do a CSV bulk import from the sponsor portal, you are asked to which role
to tie the imported guests. If you use the "Guest" group as suggested by default and
then try to authenticate with one of those guests, they never hit the authorization rule
where you configured "identity group=guest" as condition because ISE sees the
guest account as part of the “Any” identity group.
Workaround As the sponsor, edit the guest account but change nothing and save the
account without having changed anything. The user will correctly show as
belonging to Guest group when logging in.
CSCul69609
The same session ID is being used by multiple guest users, so some guest users see
login page even after accepting AUP.
CSCul39011
For installations of ISE 1.2 with MDM server integrated, ISE tries to query the
MDM server during EAP sessions. If the server does not respond, it continuously
retries and this causes the session to hang in runtime. The ISE live authentication
logs may report 5436, 5405/5411, and 5441 errors making it appear as if the
supplicant is misbehaving while the ISE alarms report “External MDM Server
Connection Failure.”
Workaround Make sure the MDM server is constantly able to respond to queries. If
profiling is used, configure and assign logical profiles to the MDM rules to reduce
the scope to mobile devices only. Add the MDMServerReachable condition to the
configured MDM authorization rule to allow ISE to use MDM reachability as a
condition match.
CSCul92356
While using Guest Portal along with “Guest users should be allowed to do Device
Registration,” when the Guest user registers the device, the device falls into the
UNKNOWN Group whereas it should go in either the GuestEndpoints group or in
the RegisteredDevices group.
Workaround We can force the endpoint to fall into a different group by manually
creating a profiler policy.
• Create a Profiling condition where the “IP_EndPointSource” EQUALS
“GUEST Portal.” Allow it to Create a matching Identity group.
• We can see that the endpoints will now fall into the new Endpoint Identity group
under Endpoint groups > Profiled and can be used in an authorization Policy.
CSCul94611
Issue with the Live dashboard in ISE 1.1.4 not displaying information and only
showing “No Data Available.”
Workaround Enter the following commands:
ms-ise-mgm01/admin# app config ise
Selection ISE configuration option
[1]Reset Active Directory settings to defaults
[2]Display Active Directory settings
[3]Configure Active Directory settings
[4]Restart/Apply Active Directory settings
[5]Clear Active Directory Trusts Cache and restart/apply Active
Directory settings
[6]Enable/Disable ERS API
[7]Reset M&T Session Database
[8]Rebuild M&T Unusable Indexes
[9]Purge M&T Operational Data
[10]Reset M&T Database
[11]Refresh M&T Database Statistics
[12]Display Profiler Statistics
[13]Exit
Select the following options:
7 to reset the session db
10 to reset the M&T database
11 to refresh the statistics (Possibly do not need. Was only needed in 1 case.)
Once you have run these commands, the Dashboard should begin to display
information.
This process can take up to 12 hours to complete all three steps. Roughly 1 to 3
hours per option selected.
CSCum05066
When rolling back a patch update using the GUI, it is uninstalled successfully on
primary node but it does not happen in secondary nodes. On the Primary node, the
GUI shows patch is no longer installed in Primary but shows the patch as installed
on the secondary node.
This issue is fixed in ISE 1.2 patch 5. However, it will occur if you roll back a fresh
install of ISE 1.2 patch 6 or 7, or if you roll back ISE 1.2 patch 5.
Workaround The user needs to run the rollback again from the Primary GUI.
CSCum05562
An endpoint might not match the right authorization profile because the change
of authorization was not sent.
Workaround Don't use policy sets or use fast reAuths on switch as doing a CoA from
MnT works as well.
CSCum21201
Windows workstation devices that have a MAC address starting with "3C:97:0E"
are profiled as a "Nortel-Device."
Workaround Remove Nortel condition matching on "OUI CONTAINS Wistron" and
increase the Certainty Factor of Windows workstation device so that it prefers
Windows profile policy over Nortel policy.
CSCum41138
After CoA REST API is issued successfully, ISE live logs shows the “NAS IP
Address” to be the MnT address, instead of the switch address.
CSCum73765
While using profiling with SNMP v3 Query and Trap probes, the correct profiling
information is not fetched. The SNMP v3 queries triggered by the SNMP traps
generated by linkup/linkdown or mac-notification from the switch fail SNMP v3
authorization, which leads to closing of the SNMP session.
The same is seen when the SNMP v3 query is triggered by a Radius Accounting
probe.
In the profiler.log, we can clearly see that the SNMP v3 authorization fails and the
SNMP session is closed.
Workaround There is no workaround. The only options available currently are:
1. Use SNMP v2c instead of SNMP v3.
2. Reduce the polling interval to 600 seconds on the network device configuration.
Now, when the device is connected, it will be profiled wrongly at first but 10
minutes later (600 seconds), when the independent query takes place, it will get
correctly profiled. This delay will be seen only the first time the device is
brought into the network. From the next time onwards, it will connect and get the
correct policy immediately since it is already saved with the right profiling
information.
CSCum85832
On a fresh installation of 1.2.1, when restoring the Operational (MNT) data
of 1.2, the operational restore will be completed successfully.
CSCun23340
Randomly created guest users are not shown for exporting and printing the user
information in Firefox.
Workaround Use Internet Explorer 11.
CSCun23357
Uploaded guest users are not shown in Firefox.
Workaround Use Internet Explorer 11.
CSCun53951
ISE presents self-signed cert instead of CA-signed cert even though the GUI shows
the CA-signed cert marked for HTTPS use.
The standalone ISE node has 2 certificates in its local certificate store: a self signed
one and a CA signed one.
The CA signed certificate is marked to be used for HTTPS and EAP. This node
presents the CA signed certificate when the GUI is accessed.
Once the above ISE node is registered to the primary, it starts presenting the self
signed cert.
Workaround After registration, choose the self-signed cert in the GUI, so that the
node presents the CA signed cert.
CSCun65239
The desktop device does not display sessionExpired page when the “change
password” and “device registration” options are enabled.
The mobile portal does not display sessionExpired page when session is terminated.
This occurs when the following options are enabled:
• Guest users should agree to an acceptable use policy - Every Login
• Enable Mobile Portal
• Allow guest users to change password
• Guest users should be allowed to do self service
Workaround If the login page loops after the session has expired, disconnect and
reconnect SSID/network. Then have the client redirect to the guest portal by
entering an external URL in the address bar so they get a new session ID.
1. Disable mobile portal option.
2. Disable the following options:
– Require guest users to change password at expiration and first login
– Guest users should be allowed to do device registration
CSCun75689
ISE is unable to save a Scheduled Report using UTF-8 characters in the report name.
You will receive the following message: “Schedule name should only contain
alphanumeric and _ - . characters.”
Workaround Rename the Schedule Report with non-UTF-8 characters.
CSCuo40057
EAP-Chaining authorization is stuck without successful certificate renewal.
Workaround In order to identify EAP-Chaining with expired cert functionality, you
can have a rule which reads: if Network Access.UseCase EQUALS EAP-Chaining
AND CertRenewalRequired then DenyAccess.
CSCuo54649
An endpoint consuming advanced features will show against both Advanced and
Plus license if both licenses are available in the system.
Workaround Refer to Current Licenses page instead of details of licenses installed.
CSCuo56327
Since Plus license support was introduced in Cisco ISE 1.2 patch 8, the Plus license
will be removed if admin removes Cisco ISE 1.2 patch 8 or Cisco ISE 1.2.1.
CSCuo62507
Once disk space usage reaches more than 80%, aggressive purging is triggered
automatically from the back end. If the admin tries to perform CLI purging while
the back-end purge is in progress, data will be only partially purged.
Workaround Once both processes are completed, trigger the CLI purge again. All
the data will be purged successfully as per the threshold that was set.
CSCuo88056
Guest Action word is displayed instead of sponsor name in the Reports after Guest
Password is changed.
Workaround Guest user can change his password after login to the Guest portal, so
that Sponsor name will be displayed properly in the reports.
CSCuo88459
After certificate renewal, an Apple iOS device gets stuck and will always be redirected
to the CWA URL, or the Wi-Fi interface is down.
Workaround Perform the following steps in the order given: click on the Wi-Fi network,
select the Forget This Network option, and try reconnecting to the same network.
The device will ask the user to select the authentication method; select EAP-TLS and select
the user certificate. Enter the user name with the user name and click Connect.
CSCuo89783
When we trigger a backup to invalid repository, the backup fails and no alarm is
generated.
Workaround Check the backup status on the Administration > System > Backup &
Restore page.
CSCup00209
Guest user name is not displayed for Guest attribute value, instead “Self
Registration” word / Internal Sponsor name is shown under Guest Sponsor mapping
and Guest Sponsor Detail reports respectively.
Workaround Guest user can be created by Sponsor via Sponsor Portal.
CSCup08066
Performing a backup preserves alarm notifications. In Cisco ISE 1.2.1, this causes
alarms to trigger in the dashboard.
CSCup10918
Consistency issue in French localization. “Vous devez renouveler l'inscription de
votre périphérique pour continuer à utiliser le réseau sécurisé” should be “Vous
devez renouveler l'enregistrement de votre périphérique pour continuer à utiliser le
réseau sécurisé.”
CSCup23595
Exporting endpoints results in an empty file if filtering by IP address.
Workaround Export endpoints using the “Export Selected” option.
CSCup39916
Exporting endpoints with the _ special character in the profile name results in an
empty file.
Workaround Export endpoints using the “Export Selected” option.
CSCup44205
CoA session quarantine doesn't do any action but gives successfully applied
message.
Workaround Disable EPS services for ASA COA users. Quarantine option will not
be displayed in MnT.
CSCup52657
Error messages occur when the servers are placed in the following deployment and
APIs are executed for the Secondary MnT IP address:
PAP(P)+MnT(S)+PDP- Node 1
PAP(S)+MnT(P)- Node 2
Workaround Change the deployment as follows:
PAP(P)+MnT(P)+PDP
PAP(S)+MnT(S)
CSCup68428
CoA session re-authentication is successful the first time, but the session is
terminated for second re-authentication if Posture isn’t completed.
Workaround Issue the ASA CoA re-authentication once Posture is completed.
CSCup94688
When trying to add or delete IP addresses for admin access, the Save and Reset
buttons functionalities are not properly implemented.
Workaround No functional/Flow impact. Just Add and Delete will do it.
CSCty46687
The Cisco Identity Services Engine (ISE) is affected by a cross-site scripting (XSS)
vulnerability.
CSCty46691
The Cisco Identity Services Engine (ISE) is vulnerable to SQL injection.
CSCty60811
Clients are not redirected to the Posture Remediation page to download the NAC
agent.
CSCtz29311
SecPAP promotion is slow with FCS 1.1(alpha data) to 1.1.1.183 upgrades.
CSCtz99443
Node replication status in the deployment page always shows 'IN-PROGRESS'
message to the Secondary nodes that are deployed over WAN.
CSCua10173
Changing or disabling alert rules or criteria triggers HTTP Status 400 - Request not
processed message.
CSCub19047
Characters such as Hyphen (-) and dot (.) are not supported as part of the VLAN
ID\Name.
CSCub35768
ISE Upgrade from 1.0 to 1.1 failed because data access permission to the user is
denied.
CSCub64247
Cisco Application Deployment Engine (ADE) OS does not accept users with
passwords containing front slash.
CSCub87687
Language templates in the guest portal sets a limit of 4000 characters.
CSCub99130
Corruption of database results in the loss of ISE certificates and keys.
CSCuc26772
Network devices are not displayed in the navigation pane when the Network Device
Group is selected.
CSCud20339
Onboarding a device using single/dual SSID with Transport Layer Security (TLS)
profiles fails.
CSCud46215
Detailed authentication failure message is not displayed for sponsor user group.
CSCud52161
Active Directory (AD) operation failure because of an unspecified error in ISE.
CSCud79538
ISE fails with two active certificates.
CSCud86135
During initialization failure ISE sends wrong alarms.
CSCud92384
Incorrect error messages displayed when ISE application server is down.
CSCue14481
“Internal error” message displayed when the number of guest user accounts created
is 100,000.
CSCue23875
The monitoring database stops adding new entries for operating system strings that
exceed the maximum value of 100 characters.
CSCue27949
The reset-passwd command does not allow the usage of special characters.
CSCue30432
Launch program remediation does not allow the usage of double quotes.
CSCue33447
Editing authorization profile by adding static Internet Protocol (IP) address or host
name changes the redirect back to 'Default' and the 'Value' is empty.
CSCue46758
Identity Services Engine (ISE): 86107-Session cache entry missing during guest
authentication.
CSCuf33854
Nessus 53491 - Secure Sockets Layer (SSL)/ Transport Layer Security (TLS)
renegotiation DoS OpenSSL reported medium vulnerabilities.
CSCuf60933
Slow GUI with large Cisco Telepresence System (CTS) Egress Matrix.
CSCuf84159
Identity Services Engine (ISE) admin access does not work with External RSA
authentication.
CSCug20348
Machine authentication with Active Directory (AD) fails with MNT error “24485
Machine authentication against Active Directory has failed because of wrong
password” and does not reflect the issue.
CSCug27409
Import of comma-separated value (CSV) file for Network Devices failed in ISE
1.1.3.
CSCug34679
Identity Services Engine (ISE) drops keep alive authentications coming from
wireless LAN controller (WLC) marking ISE as dead.
CSCug51137
User authentication over 3 days failed with Uncaught exception.
CSCug51530
Failed to send message: Socket closed, MsgType: 901.
CSCug90087
Database lock not removed after execution of reset monitoring database command.
CSCuh23877
“Identity Store Unavailable” alarm not getting triggered after authentication failed.
CSCuh41473
Active Directory (AD) group not saved as external admin group if containing a "!"
character.
CSCuh47459
Connection error on Backup and Restore page after successful restore and backup.
CSCuh50486
Identity Services Engine (ISE) validates only if Domain Name Server (DNS) entry
for the host exists, but not for Internet Protocol (IP) address.
CSCuh54734
Acknowledgment of alarms does not work when the instances are over 1000
occurrences.
CSCuh57033
Error message not displayed to mobile users in Central WebAuth (cwa) with invalid
credentials.
CSCuh79430
Machine Access Restriction (MAR) Cache on Access Control Server (ACS) not
corrected when Machine removed from Active Directory (AD).
CSCuh79607
Identity Services Engine (ISE) Active Directory (AD) group matching fails due to
forward slash in AD group name.
CSCuh86591
Identity Services Engine (ISE) Simple Network Management Protocol (SNMP)
profiling failed when connected to 48 ports stacked under 24 ports switch master.
CSCuh87451
Browser redirected to the guest portal when declining acceptable use policy (AUP)
through a Device Registration Web Authentication (DRW).
CSCuh89530
404 Error on MnT GUI and wrong persona in deployment page after customer
database restore.
CSCuh96440
Could not determine prior Cisco Agent Installation on Windows or MAC OS X
machines in pre-posture state.
CSCui01605
Admin cannot duplicate and save policy-set if existing policy set has user defined
simple condition.
CSCui09203
Identity Services Engine (ISE) fails when accounting message with long class
string.
CSCui15711
Internal error encountered while creating guest user with a time profile that was
deleted and recreated with the same name.
CSCui16843
Operational backup or restore failed when primary monitoring node is not reachable
due to power down or inner shut down.
CSCui25164
Identity Services Engine (ISE) sponsors cannot view accounts that it created after
change of group.
CSCui48401
Spaces in email when creating user in sponsor portal caused error in Identity
Services Engine (ISE).
CSCui53920
Identity Services Engine (ISE) 1.2 dashboard metric % posture compliance is
wrongly calculated for posture status other than “Compliant” or “Not Applicable”.
CSCui63474
Dynamic Host Configuration Protocol (DHCP) Switched Port Analyzer (SPAN) not
starting unless Internet Protocol (IP) is assigned to the interface.
CSCui65057
Current iso-to-usb.sh script does not set the proper path for syslinux when used on
CentOS 6.4.
CSCui65835
Devices in the network device list are not visible when customer logs in with Active
Directory (AD) credentials in to Web GUI.
CSCui72087
Default access restrictions not securely enforced on several pages existing within
the Inbox, Alarms, and Schedule pages.
CSCui82602
Guest Cache Issues for Identity Groups.
CSCui82615
Guest account cache issues for time profiles set by the sponsor.
CSCuj19173
MemberOf attribute fails with regular expression if group belong to an
Organizational Unit (OU) in Active Directory (AD).
CSCuj20969
Network Device Session status report fails for a switch with message “SNMP
information is not configured for this device in ISE.”
CSCuj30442
ISE Application Deployment Engine (ADE) does not allow the deletion of certain
files from local repository.
CSCuj30585
ISE Client Provisioning Portal (CPP) allows MAC configuration for WebAgent.
CSCuj42566
ISE guest reporting does not identify the sponsor who effects changes to a guest
account.
CSCuj58037
iPEP ISE 1.2 in routed mode does not use service Internet Protocol (IP) for RADIUS
packets.
CSCuj61976
Admin Graphical User Interface (GUI) fails to display certain GUI pages when
using Firefox 25.
CSCuj63421
Creating ISE shared reports via interactive viewer is broken.
CSCuj64008
Profiler feed service policy for Amazon Kindle Fire tablet to be devised.
CSCuj68540
Monitoring (MnT) schema upgrade script is logging INFO messages as ERROR and
WARNING.
CSCuj71399
Performing backup through the GUI or CLI throws “A backup or restore is already
in progress” error.
CSCuj71819
Accented characters in guest username displayed in HEX format in ISE GUI.
CSCuj76383
Admin user receives two email notifications for password expiry.
CSCuj88351
Loading a corrupted Certificate Authority (CA) certificate on startup causes config
rollback with related problems.
CSCuj99801
External RESTful Services (ERS) error codes are not consistent for the same action
pertaining to different categories.
CSCuj99912
ISE 1.2 External RESTful Services (ERS) filter by name for Security Group Tag
(SGT) category fails.
CSCul00148
Start and end time profiles display according to ISE timezone instead of Guest
timezone.
CSCul00743
The Operation > Authentication page is blank for invalid characters in username.
CSCul00985
Ubuntu laptop users without posture checks are redirected to the Client Provisioning
Portal (CPP) page after Centralized Web Authentication (CWA).
CSCul02830
Active Directory (AD) test connection fails for domain\user-ID.
CSCul05429
Authorization rule does not match CVPN3000/ASA/PIX7x-Tunnel-Group-Name.
CSCul05764
Incorrect references when Certificate Authority (CA) ID Store Name is changed.
CSCul08673
Export of custom report for a date range failed.
CSCul30358
Active Base license count exceeds the allowed license count.
CSCul37463
Scheduled backup does not work on upgrading from previous version to 1.2.
CSCul45573
Network Access Device (NAD) config does not accept % in RADIUS shared
secret/SNMP community string.
CSCul47387
Character limit should be increased for policy rule name.
CSCul53156
Device Registration page is blank when used with AddTrust certificates.
CSCul56940
Endpoint profiling is incorrect when two Cisco or Linksys routers are connected to
a Multi-Domain Authentication (MDA) port.
CSCul65329
ADclient cache is not cleared via the application configure ise command.
CSCul82600
Unable to delete custom attribute even after deleting the linked authentication
policy.
CSCul86934
On executing the reset-config command, ISE Secure Shell (SSH) sessions are
allowed only from allowed Internet Protocol (IP) access subnets.
CSCul88799
Cisco Integrated Management Controller (CIMC) KVM console displays “Out of
Range” against a green background, on entering the “terminal length X” command.
CSCul92356
Devices registered by Guest users fall into the Unknown group.
CSCul94611
ISE Dashboard fails to display live consolidated and correlated statistical data.
CSCul94858
Certificate Revocation List (CRL) retrieval does not use globally configured proxy
server.
CSCul95195
Custom Supplicant Provisioning Wizard (SPW) for Telstra RADIUS proxy with
differentUserName and nonBroadCast options unchecked.
CSCul96935
An hour difference between Graphical User Interface (GUI) and Command Line
Interface (CLI) during daylight savings time.
CSCum05014
ISE does not display endpoint profiling policies in the Graphical User Interface
(GUI)
CSCum41336
ISE reports fail on Network Control System (NCS) platform cross launch.
CSCum41378
Static profile assignments to an endpoint Identity group for some devices are
removed resulting in device reprofiling.
CSCum46269
Active endpoints count on the dashboard does not match the actual active endpoints,
when there is a surge of endpoints.
CSCum48676
ISE 1.2 does not display information in the System Summary Applet on the
dashboard if the Logging Category is set to a severity level other than INFO.
CSCum49249
External RESTful Services (ERS) Application Programming Interface (API) does
not list all endpoints as specified in the Software Development Kit (SDK) guide.
CSCum53319
Diagnostics for failure to download the Certificate Revocation List (CRL) should be
precise.
CSCum58581
MAC OSX 10.9 device is not redirected to the Bring Your Own Device (BYOD)
flow when using the guest device registration page.
CSCum60924
Extensible Authentication Protocol (EAP) chaining mode does not allow more than
one value for the EapAuthentication attribute.
CSCum68149
The Live Authentication Report page does not display the accurate currenttime and
currentdate attributes.
CSCum69229
Create Random Accounts setting using Google Chrome does not display the desired
results.
CSCum70441
Incorrect value is displayed for the GET request sent to find the total internal users
in ISE External RESTful Services (ERS) Application Programming Interface (API).
CSCum72386
Endpoints delete all confirmation messages when “No” button is deactivated.
CSCum73765
Profiling with SNMP v3 Query fails when triggered by SNMP trap/RADIUS
Accounting probe.
CSCum86183
Notifications for license expiry alarm are received from deregistered nodes.
CSCum86331
ISE does not allow comma in Organizational unit name (OU) or Organization name
(O) fields when creating a Certificate Signing Request (CSR).
CSCum95069
Inline Posture Node (IPN) sends only username for authorization when Extensible
Authentication Protocol (EAP) chaining is configured.
CSCun00882
ISE does not create logs of erroneous usernames in the sponsored guest portal.
CSCun21197
In a simple authentication condition, if the operator “Ends with” or “Not ends with”
is used, it is not saved properly.
CSCun23340
Randomly created guest users are not displayed in Firefox.
CSCun23357
Uploaded guest users are not displayed in Firefox.
CSCun25832
Unable to activate expired guest accounts.
CSCun28218
ISE: Java Memory Leak outside of Heap space.
CSCun31175
Registered endpoint report does not include manually added devices.
CSCun33755
Unable to create the required number of Guest accounts from the sponsor portal.
CSCun33774
The status of a new guest user account that is created in the sponsor portal is Active
instead of Awaiting Initial Login.
CSCun42967
ISE 1.2: The SNMP process stops randomly.
CSCun45607
ISE incorrectly authenticates users based on the authorization PAC file.
CSCun46242
Deletion of the Thawte Primary Root CA from ISE results in failure of provisioning
and posture updates.
CSCun48940
ISE Radius authentication over Gig1 stops if Gig0 down.
CSCun53951
ISE presents self-signed certificate instead of CA-signed certificate.
CSCun57304
The KRON command is not working for backup logs.
CSCun59740
ISE 1.2: Only 5000 entries are displayed when viewing Guest Live reports.
CSCun81620
Editing a guest condition in PAN applies the same changes to the previous
condition.
CSCun89615
ISE duplicate attributes cause failure to locate network devices.
CSCun89771
Running ISE reports for 30 days generates only up to 100 pages.
CSCun92193
In Certificate Authentication Profile (CAP), ISE selects incorrect information from
the SAN field for multiple entries.
CSCun94882
ISE 1.2: Change of Network Device Group name does not reflect in CSV export.
CSCun95554
The monitoring node stops logging for email notification configured on ISE.
CSCun96746
ISE self registering guest users do not inherit specified time profile.
CSCun97251
ISE 1.1.4: Cannot find machine with DNS suffix which does not exist on the
Domain Controller Group List.
CSCun98217
Cross-Domain referer leakage in Admin portal.
CSCuo00404
ISE 1.2: ACL syntax checker is incorrect.
CSCuo05180
Cannot authorize external certificate authenticated users by using the device's
identity group as an “other condition”.
CSCuo05345
Cannot match an Authorization policy rule configured with an “other condition” of
IdentityGroup:Name.
CSCuo14398
ISE 1.2: ISE disregards the current password policy when editing an internal user.
CSCuo14953
ISE: MobileIron MDM test connection passes but Save fails.
CSCuo16506
Internal users cannot change their password in the guest portal.
CSCuo19521
Repository in the WebGUI with special characters fails.
CSCuo24274
SNMP should run in all interfaces not only in Gig0.
CSCuo24384
ISE: Guest:Mobile Portal in Custom portals does not follow browser local language.
CSCuo39832
ISE takes IP address from same subnet and has incorrect ARP entries.
CSCuo41482
GUI admin Active Directory (AD) login fails with HTTP error 500.
CSCuo41713
Identity Services Engine (ISE) 1.2: Installation of patch 5 in distributed deployment
caused first time login users to go active.
CSCuo54987
Identity Services Engine (ISE) does not drop Radius packet if value is too large for
database.
CSCuo58786
Authentication, authorization, and accounting (AAA) services not available during
purging of guest users.
CSCuo60767
Identity Services Engine (ISE) UTF-8 character encoding displayed garbage
characters on screen for profiler attribute.
CSCuo62245
Failed to purge data from the operations database.
CSCuo63358
Incorrect success message being displayed, when provisioning Apple iOS Device
through supplicant portal in Bring Your Own Device (BYOD) SSID.
CSCuo64251
Unable to manage ISE AD user device as it does not show up in “My Devices”
portal.
CSCuo66847
When a user edits a saved scheduled report, it ceases to exist.
CSCuo67423
Reconfiguring the IP address of an iPEP node with the service IP that was
previously used results in missing tabs in high availability configuration.
CSCuo68012
ISE services fail to start when time zone is set to Asia/Riyadh89.
CSCuo78051
A custom portal setting is saved but the configured setting fails to reflect in the GUI.
CSCuo78457
An SNMP probe that is configured to match a profile using the “CONTAINS”
operator fails.
CSCuo78949
Changing the password policy in the GUI of Primary PAP server does not change
the password policy in the iPEP server.
CSCuo79012
Unable to support SNMP triggered queries with NAD using iOS version with
deprecated STACK-MIB.
CSCuo80929
A “value too large” error message is displayed for guest usernames with special
characters.
CSCuo93398
Unable to integrate the Active Directory (AD) with ISE using the admin GUI.
CSCuo94313
Unable to pull Lightweight Directory Access Protocol (LDAP) groups for
admin/service accounts containing the “+” sign in the password.
CSCuo95635
Change of Endpoint Device Group name appears correctly in the Identity Group
Assignment option but fails in the Identity Group.
CSCuo95660
Endpoints exported to comma-separated values (CSV) file displays an incorrect
endpoint device group name.
CSCuo97007
Failed to start database during initial setup for Identity Services Engine (ISE).
CSCuo99160
Identity Services Engine (ISE) 1.2: Failed registration and GUI error thrown when
Policy Service Node (PSN) failed to ping Primary Administration Node (PAN)
during registration.
CSCup03116
Identity Services Engine (ISE) 1.2: Editing NDG does not update AuthC/AuthZ
conditions.
CSCup05013
Identity Services Engine (ISE) 1.2: p8 IOS-XE switch profiled as unknown
endpoint.
CSCup08017
Accidental Ctrl + C should not break Restore/Upgrade during important operations.
CSCup15453
Identity Services Engine (ISE) Guest Sponsor Mapping Report causes CPU on
primary MnT node to increase dramatically.
CSCup16700
Reset password does not check for valid user before asking for new password.
CSCup17245
“Value out of range” error displayed when editing a guest account.
CSCup20844
Identity Services Engine (ISE) NAC agent does not popup if machine and user
authentication is connected to switch sw: 15.2(1)E.
CSCup22534
Multiple vulnerabilities in OpenSSL/CiscoSSL released during June 2014.
CSCup27305
Identity Services Engine (ISE) 1.2: DACL Validator does not enforce source must
be “any”.
CSCup32455
Identity Services Engine (ISE) 1.2: Password for admin user detected in clear text
in the file support\dbexport\ise-dbimport.sh.
CSCup38457
Importing guest account using comma-separated value (CSV) failed through
sponsor portal.
CSCup42129
Swiss/posture INFO logs filling ise-psc.log and not moving to DEBUG level.
CSCup45530
Identity Services Engine (ISE) External RESTful Services (ERS): Cannot modify
staticProfileAssignment field without specifying the endpoint's current profileId.
CSCup45594
Identity Services Engine (ISE): External RADIUS server is not persistent after
failover.
CSCup47501
Identity Services Engine (ISE) 1.2.1: Inline Posture Enforcement (iPEP) node
interface driver booting out of order with no response when cable remains plugged
into interface Gig Etho.
CSCup47873
Identity Services Engine (ISE) upgrade failed due to LOB corruption. (Please check
on this LOB term)
CSCup55211
Identity Services Engine (ISE) 1.2: Mobile Device Management (MDM) input
Validation with % in password cannot login.
CSCup57288
Bring Your Own Device (BYOD) DUAL SSID with native supplicant provisioning
results in a second entry in the live authentication log.
CSCup57871
ERS cannot filter by username, if it is a number.
CSCup60155
Guest users are deleted when upgrading or restoring a backup from ISE 1.1.x to ISE
1.2.1.
CSCup64698
On IPN ISE 1.2, latency is caused by HDPARM process for every 10 minutes.
CSCup67195
While upgrading from ISE 1.2 to ISE 1.2.1, upgrade failure occurs in Step 3 due to
invalid certificate.
CSCup69753
After deleting a profile in Simple Certificate Enrollment Protocol (SCEP), an error
message is displayed when the associated Registration Authority (RA) certificate is
removed.
CSCup69985
ISE VM on which DB is restored is not accessible via SSH and GUI. Only ping and
console are available.
CSCup72664
In ISE 1.2, the guest account time profile is reset to one day.
CSCup80194
ISE deletes VLAN to SGT mappings while deploying IP-to-SGT mapping.
CSCup88564
Use a different name for a newly created time profile.
When the old time profile is deleted, you cannot reuse the same time profile name
for a newly created time profile.
CSCup89812
Upgrade from ISE 1.1.2 to ISE 1.2 fails because of posture rules.
CSCuq11966
Multi-nested custom profiles cannot be created.
CSCuq14441
Replication fails on deployment when custom portal is deleted.
CSCuq17787
ISE crashes when the value of Type Field Length is set to 2.
CSCuq22514
In ISE 1.2, when the authorization and authentication policies are set to Monitor
Only mode, the details of the policy names are not displayed.
CSCuq22636
ISE does not ask for LLDP attributes for triggered RADIUS or SNMP traps.
CSCuq24719
When upgrading to ISE 1.2 Patch 9, account start time is not updated in Sponsor
portal.
CSCuq32696
ISE Policy Service Node (PSN) removes proxy-state attributes from Inline Posture
Node (IPN/IPEP).
CSCuq35206
In ISE 1.2, the shutdown command is present in the running configuration of the
interface while the interface is operational.
CSCuq35663
Attribute retrieval for a user fails when AD sends back photo thumbnail.
CSCuq39743
Import guest users on ISE using sponsor bypass mandatory fields.
CSCuq40153
Quick filter option does not work when it is used to search endpoint profiles using
a MAC address.
CSCuq43889
IP address learned from SNMP query should trigger DNS probe.
CSCuq45219
Renewing Ticket Granting Ticket (TGT) fails if there are Read Only (RO) domain
controllers.
CSCuq48588
Replace cross-signed thawte Primary Root CA with its normal version.
CSCuq52277
Error occurs when there are too many node entries in Subject Alternative Name
(SAN) field in CA certificate.
CSCuq53846
A user logging in with an expired guest account is redirected to the default Cisco
branded portal without displaying an error message.
CSCuq64817
DB import fails in ISE 1.2.
CSCuq83249
After upgrade from ISE 1.2 Patch 8 to ISE 1.2.1 Patch 1, guest user authentication
fails if they login after the time profile validity time.
CSCuq85679
Change of Authorization (CoA) is not sent from ISE to Wireless LAN Controller
(WLC) for guest users.
CSCuq85955
For an LWA deployment, ISE sends CoA disconnect with empty session ID.
CSCuq86420
Triggered SNMP Query via Radius traps not working.
CSCuq90710
Posture policies are not listed after creation.
CSCuq92558
PSNs move to Replication Stopped state when the application server does not start
normally.
CSCuq92574
In ISE 1.2.1, Bring Your Own Device (BYOD) profile installation fails.
CSCuq93969
Authorization profile using CWA returns to default when static host is used.
CSCuq95245
ISE 1.2, CoA fails when guest credentials are suspended in the Sponsor portal.
CSCuq96971
In ISE 1.2.1, Framed-Pool attribute is not available in the authorization profile.
CSCuq97996
MyDevices portal does not display MAC addresses added by the AD user.
CSCur00110
Sponsor login fails when child user group is added as a guest in the sponsor group.
CSCur03113
Local Web Authentication (LWA) language template is corrupted after upgrading to
ISE 1.2.1.
CSCur07303
ISE GUI 1.x (except ISE 1.3) does not allow to import more than 100 custom
portals.
CSCur09231
In ISE 1.2.1, if a sponsor account is configured to use Account Start Date, the
sponsor creates an account even after that date.
CSCur09439
SCEP EAP-TLS flow on OS X 10.9.5 fails to install the profile or provision
certificate.
CSCur11055
When running ISE 1.2.1, MNT Livelog does not display logs.
CSCur11083
MNT Livelog displays incorrect user details.
CSCur12480
In ISE 1.2.1 guest flow, redirection to the guest portal via PlayStation 3 browser
fails.
CSCur19320
Sponsor users who are not granted privileges are able to view and edit guest
accounts using the search criteria.
Open Agent Caveats
Table 25
Cisco ISE, Release 1.2, Open Agent Caveats
Caveat
Description
CSCti60114
The Mac OS X Agent 4.9.0.x install is allowing downgrade
The Mac OS X Agent is allowing downgrades without warnings.
Note Mac OS X Agent builds differ in minor version updates only. For example,
4.9.0.638 and 4.9.0.637.
CSCti71658
The Mac OS X Agent shows user as “logged-in” during remediation
The menu item icon for Mac OS X Agent might appear logged-in before getting full
network accesses
The client endpoints are connecting to an ISE 1.0 network or NAC using
device-filter/check with Mac OS X Agent 4.9.0.x.
Workaround Please ignore the icon changes after detecting the server and before
remediation is done.
CSCtj22050
Certificate dialog seen multiple times when certificate is not valid
When the certificate used by the agent to communicate with the server is not trusted,
the error message can be seen multiple times.
Workaround Make sure you have a valid certificate installed on the server and that it
has also been accepted and installed on the client.
Note The additional certificate error message is primarily informational in nature
and can be closed without affecting designed behavior.
CSCtj31552
Pop-up Login windows option not used with 4.9 Agent and Cisco ISE
When right clicking on the Windows taskbar tray icon, the Login option is still
present, but is not used for Cisco ISE. The login option should be removed or greyed
out.
Workaround There is no known workaround for this issue.
CSCtk34851
XML parameters passed down from server are not using the mode capability
The Cisco ISE Agent Profile editor can set parameter modes to merge or overwrite.
Mac OS X agent is not processing the mode correctly. Instead, the complete file is
overwritten each time.
Workaround To use a unique entry, the administrator must set up a different user
group for test purposes, or set the file to read only on the client machine and
manually make the necessary changes to the local file.
CSCtl53966
Agent icon stuck on Windows taskbar
The taskbar icon should appear when the user is already logged in.
Workaround Right-click on the icon in the taskbar tray and choose Properties or
About. After you close the resulting Cisco NAC Agent dialog, the taskbar icon goes
away.
CSCto33933
Login Success display does not disappear when user clicks OK
This can occur if the network has not yet settled following a network change.
Workaround Wait a few seconds for the display to close.
CSCto45199
“Failed to obtain a valid network IP” message does not go away after the user clicks
OK
This issue has been observed in a wired NAC network with IP address change that
is taking longer than normal. (So far, this issue has only been seen on Windows
XP machines.)
Workaround None. The user needs to wait for the IP address refresh process to
complete and for the network to stabilize in the background.
CSCto48555
Mac OS X agent does not rediscover the network after switch from one SSID to
another in the same subnet
Agent does not rediscover until the temporary role (remediation timer) expires.
Workaround The user needs to click Complete or Cancel in the agent login dialog
to get the agent to appear again on the new network.
CSCto63069
The nacagentui.exe application memory usage doubles when using “ad-aware”
This issue has been observed where the nacagentui.exe memory usage changes from
54 to 101MB and stays there.
Workaround Disable the Ad-Watch Live Real-time Protection function.
CSCto84932
The Cisco NAC Agent takes too long to complete IP refresh following VLAN
change
The Cisco NAC agent is taking longer than normal to refresh IP address due to
double IP refresh by supplicant and NAC agent.
Workaround Disable the Cisco NAC Agent IP address change function if there is a
supplicant present capable of doing the same task.
CSCto97486
The Mac OS X VLAN detect function runs between discovery, causing a delay
VLAN detect should refresh the client IP address after a VLAN detect interval (5)
X retry detect (3) which is ~ 30 sec, however it is taking an additional 30 sec.
This issue has been observed in both a wired and wireless deployment where the
Cisco NAC agent changes the client IP address in compliant or non-compliant state
since Mac OS X supplicant cannot.
An example scenario involves the user getting a “non-compliant” posture state
where the Cisco ISE authorization profile is set to Radius Reauthentication (default)
and session timer of 10 min (600 sec). After 10 min the session terminates and a new
session is created in the pre-posture VLAN. The result is that the client machine still
has post-posture VLAN IP assignment and requires VLAN detect to move user back
to the pre-posture IP address.
Workaround Disconnect and then reconnect the client machine to the network.
CSCtq02332
Windows agent does not display IP refresh during non-compliant posture status
The IP refresh is happening on the client machine as designed, but the Agent
interface does not display the change appropriately (for example, following a move
from preposture (non-compliant) to postposture (compliant) status).
Workaround There is no known workaround for this issue.
CSCtq02533
The Cisco NAC Agent takes too long to complete IP refresh following VLAN
change
The Cisco NAC agent is taking longer than normal to refresh IP address due to
double IP refresh by supplicant and Cisco NAC agent.
Workaround Disable the Cisco NAC Agent IP address change function if there is a
supplicant present capable of doing the same task.
CSCts80116
OPSWAT SDK 3.4.27.1 causes memory leak on some PCs
Client machines that have version 8.2.0 of Avira AntiVir Premium or Personal may
experience excessive memory usage.
Note This has only been observed with version 8.2.0 of Avira AntiVir Premium
or Personal. Later versions of the application do not have this issue.
Workaround Install a later version of Avira AntiVir Premium or Personal.
CSCty02167
IP refresh fails intermittently for Mac OS 10.7 guest users
This problem stems from the way Mac OS 10.7 handles certificates. Marking the
certificate as “trusted” in the CWA flow is not good enough to download the java
applet required to perform the DHCP refresh function.
Workaround The Cisco ISE certificate must be marked as “Always Trust” in the
Mac OS 10.7 Keychain.
CSCub62836
In Live Authentication page, certain UTF-8 characters do not display correctly
This only happens for a very limited set of characters.
Workaround Use RADIUS Authentications report instead, to view the same
information correctly.
CSCul10891
Upgrade from earlier version of NAC Agent to version 4.9.0.1013 fails to launch
Agent popup
After upgrading to NAC Agent version 4.9.0.1013 on Windows 8 or Windows 8.1
64-bit clients, the upgraded Agent might not launch automatically.
Workaround If the Agent does not launch automatically, then manually double-click
the NAC Agent UI shortcut on the desktop to launch the Agent.
CSCum88173
Minimum compliance module version required for configuring SEP 12.1.x
definition check on Mac OS is 3.6.8616.2 and not 3.6.8501.2.
The minimum Compliance Module version required for configuring AV check in
NAC support charts for Symantec Endpoint Protection (SEP) 12.1 for Mac OS is
displayed as 3.5.8501.2. However, the version 3.5.8501.2 has issues in detecting the
definition date/version for SEP 12.1.x on Mac OS. As this issue is addressed in
Compliance Module 3.6.8616.2, administrators need to use 3.6.8616.2 as the
minimum Compliance Module needed for detecting SEP 12.1 definitions on Mac
OS.
CSCun60071
UI not visible for application launched by NAC agent during remediation
When Cisco ISE is configured to launch an application as a remediation, the
application gets launched and is available in the task manager, but the UI is not
visible to the user, irrespective of whether the user is logged in as admin or not.
Since Launch program remediation feature is modified from user privilege to system
privilege, NAC Agent allows UAC Elevation for all Launch program remediation
actions.
For more details, refer to CSCun60071.
CSCtw50782
Agent hangs awaiting posture report response from server
The issue occurs with Mac OS X 10.7.2 clients.
Workaround Kill the CCAAgent Process and then start CCAAgent.app.
Perform the following:
1. Go to Keychain Access.
2. Inspect the login Keychain for corrupted certificates, like certificates with the name “Unknown” or without any data
3. Delete any corrupted Certificates
4. From the pull-down menu, select Preferences and click the Certificates tab
5. Set OCSP and CRL to off.
CSCty51216
Upgrading Mac OS X Agent version 4.9.0.638 to later versions fails.
Workaround
1. Remove the “CCAAgent” folder from temporary directory
2. Reboot the client
3. Connect to Web login page and install the Agent from there
Cisco ISE, Release 1.2.1, Resolved Caveats
The following table lists the resolved caveats in Cisco ISE, Release 1.2.1.
Table 26
Cisco ISE, Release 1.2.1, Resolved Caveats
Caveat
Description
CSCtx94533
The Endpoint DeviceRegistrationStatus Attribute Always Shows “Pending”
CSCty01787
Error in Generating XML Output for EndPointIPAddress API
CSCty87291
Admin Web Portal Requests ID certification When It’s Password authentication-only
CSCua69331
IE 8 + ChromeFrame BHO - CWA authorization profiles not displaying correctly.
CSCub18575
Problem with sponsor accounts starting with a "0"
CSCud38634
Guest sponsor details shows wrong sponsor name.
CSCud70219
Log.xml files are not cleaned out regularly.
CSCud70397
Need support SCSI controller (VMware Paravirtual) for VMware install.
CSCud89273
Passed Numbers Not Appearing on Authentications Dashlet
CSCue14864
Endpoint statically assigned to ID group may appear in different group
CSCue98728
No indication of character limit for 'Configure Email Notification' box
CSCuf24898
ISE repository max password length 16 characters.
CSCuf47491
Timestamp of core files not preserved in support bundle.
CSCuf76821
.trc and .trm files are not cleaned out regularly.
CSCug20065
Unable to enforce RBAC as desired to a custom administrator.
CSCug59579
Windows 8 not included in Client Provisioning
CSCug90502
ISE Blind SQL Injection Vulnerability.
CSCug96069
Replication status update fails for all nodes if the network is restored on PAP.
CSCuh01760
Misconfigured NAS criteria needs to be changed
CSCuh14228
Internal administrator summary report export not working
CSCuh15572
Invalid license file, possibly license file has expired or is corrupt.
CSCuh20322
Need ISE application server restart reason and timestamp
CSCuh23536
RADIUS drop should have last event timestamp
CSCuh25506
Cisco ISE CSRF Vulnerability
CSCuh25868
Authorization: re-editable text/string condition limited to 16 characters
CSCuh30587
Backup fails due to ISE restart
CSCuh36333
Successful DACL download authentication is counted under authentication dashlet
CSCuh38253
IP columns sorts on char instead on num on.
CSCuh41450
IP Columns Sort on Char on Network Devices Page
CSCuh44972
DenyUsers oracle statement removed during upgrade.
CSCuh45239
Node Status Patch page does not refresh automatically
CSCuh56170
MCPSS Mnt DB Sanity Check failed during upgrade from 1.1.2.145 to 1.2.
CSCuh56278
Local Web Authentication (LWA) Guest access by iOS 6 devices on ISE 1.2 fails
CSCuh65084
Scroll issue for small screens on Live Log page
CSCuh79596
Freshly Installed Standalone ISE Server Not Logging MDM Events
CSCuh81511
ISE remote command execution
CSCuh84099
ISE should verify non-printable characters in x.509 certs
CSCuh88637
Method “getAlarmsOccuredAfter” throws exception
CSCuh95845
After internal password change policies using NA conditions match default Policy.
CSCui02984
Sponsor authentication failed for Active Directory user with
Sponsor_Portal_Sequence.
CSCui14093
Oracle Critical Patch Update
CSCui15038
ISE HTTP control interface for NAC Web Agent XSS Vulnerability
CSCui15042
BYOD Stress causes MNT to stop reporting current Authentication Sessions
CSCui15064
Certain ISE Reports Vulnerable to XSS Injection
CSCui15354
ISE should remove ENDSW operators
CSCui15633
Sponsor portal login fails for some users
CSCui16528
Wrong service selection for NDAC Policy
CSCui21439
Message code texts are blank or incorrect
CSCui22884
ISE presents wrong HTTPS certificate
CSCui23231
Certain custom ISE reports cannot be exported
CSCui26708
ISE node to node HTTP Basic Authentication username and password logged
CSCui30266
ISE MDM Portal Cross-Site Scripting Vulnerability
CSCui30275
Component of the administration page of the Cisco Identity Services Engine (ISE)
was vulnerable to a cross-site scripting (XSS) attack
CSCui34389
RADIUS accounting drop is not suppressed, flooding live log.
CSCui36160
Whitelist and expiration notification.
CSCui36643
ISE Editing schedule report complains of existing report name in use.
CSCui38818
ISE 1.2 NFS repository configuration has extra colon after upgrade
CSCui40950
Guest login takes long time and times out.
CSCui42788
Exporting of imported profile policy results a garbled description.
CSCui44324
Backup task can't be configured in ISE 1.2 UI.
CSCui45891
Upgrade logs are missing in ADE.log after upgrade failed
CSCui46739
Guest applet fails after update to Java 7 update 25.
CSCui48779
Clicking ‘Undo Latest’ on Feed Service page does not clean up rules in some
conditions.
CSCui48781
NSF Rule with complex condition - names are not unique per service
CSCui56071
ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates
CSCui57100
EAP-TLS auth fails with two sets of CRLs because CRL signature decrypt failed
CSCui57152
Endpoint Policy not updated for endpoints added using ERS API
CSCui57374
ISE iPEP Invalid RADIUS Authenticator error during high load
CSCui57882
Some expired guest accounts cannot be deleted from PDP
CSCui57933
Purge expired guest accounts does not work
CSCui57961
When editing an expired guest account that cannot be deleted, logs out.
CSCui58123
Upgrading to 1.2 with "Select Condition" in Posture Requirements
CSCui58390
Multiple names in SAN Field and ISE choose value randomly.
CSCui59370
Upgrade fails on Guest update sponsor user: email is null
CSCui62290
Develop REST APIs for ISE MnT alarms
CSCui65530
Upgrade failed with DuplicateEntityException for TimeProfile
CSCui67495
Uploaded Filenames/Content Not Properly Sanitized
CSCui67511
Certain File Types are not Filtered and are Executable
CSCui71484
ISE SEC PAP has write access via ERS API
CSCui72269
ISE unable to understand SNMP attribute coming from Switch.
CSCui72330
HTML comments disclose potentially sensitive information
CSCui72658
Guest Portal cookies not set as Secure or HTTP Only.
CSCui74478
Self Service Flow checking for email address
CSCui74496
Domain Names should be validated before saving the Portal settings
CSCui74678
Getting Account Expiration Notification too early for the Guest accounts
CSCui75335
ISE 1.2 NAC agent fails posture due to ‘NAC Server not available.’
CSCui75669
Endpoint update calls from guest-portal causing replication issues
CSCui76932
Unable to Save Notification details while creation of Time Profile
CSCui77336
Customized URL ISE self registration not working.
CSCui78135
On Alpha Alarms Still Show Up When We Select All and Acknowledge
CSCui78802
Usability issues while validating security defect
CSCui78849
Warning message should be more meaningful while creating Time Profile
CSCui80340
Partner MDM performance improvements
CSCui81442
Domain Validation should be Case Insensitive
CSCui81825
Unable to Save Notification details while editing Sponsor Lang template.
CSCui82674
Unable to save and modified edited endpoint with Base license ONLY
CSCui82998
Custom Guest Portal Loops after AUP Due to Loss of Session ID
CSCui83009
Unable to push compliance module to NAC agent on Macs.
CSCui89741
ISE ERS API creates endpoint with invalid format MAC address.
CSCui90286
Able to create TimeProfile even though Notification time > duration
CSCui94488
MyDevice Portal allows endpoints with static endpoint ID group other than
RegisteredDevices.
CSCui96322
Default Guest Portal Email Address Limited to 24 Characters
CSCui96960
MNT Livelog/Dashboard performance.
CSCuj01781
ISE uses SAN of user certificate for machine lookup in Active Directory
CSCuj03071
EndPoint update not being saved to PAP due to high latency
CSCuj03131
Lower "Request Rejection Interval" minimum to 5 minutes
CSCuj03697
Allow Tunnel attributes in policies
CSCuj03811
No suppression for misconfigured NAS when errors are alternating
CSCuj04748
Original URL preservation for BYOD provisioning and Guest flows
CSCuj05295
ISE App server crashed and stuck in initialized state with "null" in collection filter
CSCuj07535
IP Address Change is Not Recorded in Endpoint Profile on ISE 1.2
CSCuj09430
Guest account is not working according to its Time Zone
CSCuj11040
ISE Should Not Degrade a Profile Based on Problematic User-Agent
CSCum97337
CSCuj11855
ISE gives little debugs when SCEP fails for Windows-related reasons
CSCuj13804
IE8 gives error on ISE1.2 when accessing the provisioning portal
CSCuj14382
Cannot statically assign IP address as FramedAddress
CSCuj15372
Authentications fail with MDM authentication rules enabled
CSCuj16049
HA Licensing
CSCuj17272
Upgrade from 1.1.3 to 1.2 breaks identity source sequence instances
CSCuj19602
Sponsor portal banners do not work on upgraded ISE
CSCuj19882
Unable to edit the existing Guest accounts after restoring old backup
CSCuj23727
Change in iOS 7 user-agent string for an iPod Touch breaks its BYOD flow
CSCuj25038
ERS Service Disabled After Reboot
CSCuj26086
ISE Client Provisioning - NSP does not launch on Safari 7 (Mac OS X 10.9)
CSCuj80131
CSCuj26495
Restricted Characters in Policy Names carried forward after upgrade.
CSCuj28447
Endpoint statically assigned to ID group may appear in different group
CSCuj28968
Guest Activity Report is not working
CSCuj34004
User name change detected for the session removes all session attributes
CSCuj36104
ISE does not allow CRL when the name is the same on two Certificate Authorities
CSCuj36310
“@” Character Not Accepted in Wireless SSIDs Fields
CSCuj38204
ISE does not allow access for guest with no webagent if posture is configured
CSCuj39926
Kaspersky remediation does not appear anymore in the AV remediation
CSCuj45431
ISE Support for Mac OS X 10.9 NAC Agent
CSCuj45766
Add/Remove MDM server never got replicated to PSNs in distributed deployment
CSCuj47806
ISE redirects to default guest pages when it’s configured to redirect to custom pages
CSCuj48111
Hyphen and minus sign can't be entered as first or last name
CSCuj49903
Downloading / viewing large logfiles from PDP causes out of memory error
CSCuj51094
Captured TCPDump file is not working
CSCuj52520
Unable to login to CLI after ISE upgrade
CSCuj54630
ISE 1.2 patch 2 is rejecting https cookies from the Mobile Iron Server
CSCuj57335
Egress Matrix: require default SGACL that includes log option
CSCuj60796
ISE Support for IE 11
CSCuj61976
Admin UI fails to display certain UI pages when using Firefox 25
CSCuj62239
Rollback in case of upgrade failure is not cleaning temp tables, indexes
CSCuj63046
Text fields impose 24 character limit during guest self-registration
CSCuj63053
Cfg.xml,CM download doesn't happen if CP rule is Win8.1 Specific
CSCuj63516
Denial of Service Vulnerability exists in OpenSSH version
CSCuj65306
Cisco ISE 1.2 upgrade fails due to shared memory allocation failure
CSCuj65586
Need to optimize the way records are displayed in RADIUS Drop counters
CSCuj66093
86017 Error page sessionExpired.jsp images links are invalid
CSCuj70022
EAP-FAST authenticated provisioning with Android doesn't work
CSCuj71439
Cisco ISE REST API - changing username returns password error
CSCuj72022
Cannot use "Ends With" operator in a Posture condition on ISE
CSCuj82378
Downloaded captured TCP dump file for remote node is not of proper size
CSCuj82836
Manual CoA - Re-authorization is not working
CSCuj84194
Cisco ISE sometimes does not send DACL in authorization profile
CSCuj84427
Cisco ISE 1.2 Admin password alerts not functioning properly
CSCuj86717
Dot1x endpoint fails authentication with Reject Requests After Detection
CSCuj88222
Upgrade should check for CA certificates corruption
CSCuj88888
ISE 1.1.4 patches fail machine authentications in disjointed ActiveDirectory
namespaces
CSCuj90823
Guest Portal: IP Refresh Failing in IE 11
CSCuj91050
Creating Guest users shows incorrect timezone 'GMT+2 ECT'
CSCuj91461
ISE 1.2 backup on host A, restore on same version on host B breaks database listener
CSCuj91764
Pre-upgrade checks
CSCuj95588
Reach context limit when multiple conversations use Tunnel attributes
CSCuj95908
Cisco ISE does not do domain stripping for Active Directory external store
CSCuj97669
DNS Resolution Failed for CNAME: "hostname" from the ISE node "hostname"
CSCuj97832
Cisco ISE hard disk filling up
CSCuj98726
iOS devices bypass account suspension/lock by starting new EAP session
CSCuj99951
Avaya Phones profiled as unknown
CSCul02821
MDM attributes doesn't update to Endpoint objective
CSCul02860
Struts Action Mapper Vulnerability
CSCul03127
Struts 2 Dynamic Method Invocation Vulnerability
CSCul03597
LDAP User Authorization Doesn't Work with EAP-FAST Chaining
CSCul03621
Endpoint Profiling Information is not being replicated correctly
CSCul06431
Active Directory attribute value in ATZ profile is not sent
CSCul06937
Do Sync check before upgrade of secondary PAP
CSCul09815
Upgrade should not proceed if node role type cannot be detected
CSCul10677
ISE 1.2 CWA Failure Reason 86017
CSCul13757
Audit records MUST log to External Syslog Servers: CLI log level
CSCul13805
Audit records MUST log to External Syslog Servers: HTTPS idle timeout
CSCul13812
Audit records MUST log to External Syslog servers: SSH publickey
CSCul13883
Audit records MUST log to External Syslog servers: SSH KEX Group14
CSCul13905
Audit records MUST log to External Syslog Servers: CLI clock set
CSCul13946
Audit records MUST log to External Syslog servers: Purge M&T Data
CSCul15967
ISE 1.2 Patch 3 Windows 8.1 CPP OS Detection Failure in Distributed Setup
CSCul16300
Audit records MUST log to External Syslog servers: CLI idle timeout
CSCul18169
Blocking ISE admin UI access for Chrome browser
CSCul18521
Audit records MUST log to External Syslog servers: VGA CLI AUTHC
CSCul18555
Audit records MUST log to External Syslog servers: SSH conn fail
CSCul20850
Port Patch 5 Guest changes to Patch 4
CSCul21337
The Posture Troubleshooting tool was vulnerable to blind SQL injection.
CSCul23070
Audit records MUST log to External Syslog Servers: SSH exit forceout
CSCul23252
CSCul25066
ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service
CSCul25956
Upgrade from 1.2 to 1.2.1 timeout and fail when previous upgrade fails
CSCul29344
ISE 1.2 HTML Custom Pages for Different Portals Not Working
CSCul29647
Cisco ISE 1.2 upgrade disables Cisco Root certs if they were installed before Cisco
ISE 1.2
CSCul35820
ISE Guest Registration Breaks with Apple IOS7 User Name as Email Address
CSCul39011
The Mobile Device Management (MDM) client failed to reject queries when MDM
server was not responding.
CSCul42307
Upgrade fails when local disk fills up due to core dumps
CSCul42646
Failed to create Posture Condition with "NOT ENDS WITH" Operator
CSCul46893
URL preservation not working with self service guest user in MAB flow
CSCul48352
Right-Click - Copy to MAC and Username in Live Log
CSCul50495
Device Registration failed with Cisco Catalyst 3850 Switch
CSCul50720
Samsung Galaxy S4 cannot be on-boarded in dual SSID flow
CSCul55934
Cisco ISE 1.2 Cannot Delete Guest Users Created Using Unavailable Timezone
Setting
CSCul57506
Restore process breaks Report functionality and UI Purge
CSCul58758
Redirected to null page in the browser after Local Web Authentication (LWA) flow
with WLC-5500 series.
CSCul58895
Cisco ISE 1.2 Patch 3 StartEnd time profiles do not work for guest import
CSCul62175
ISE BYOD enhancement troubleshooting for SCEP
CSCul62723
Mobile Guest Portal: Success page redirects to http://10.86.149.92
CSCul65045
Cannot create/edit network device if advanced license expired
CSCul66218
Posture delays due to HTTP thread exhaustion
CSCul66272
Terminate Change of Authorization during Posture for Unknown User-agent
DynGate
CSCul69350
Cisco ISE 1.2.0 CFG database restore in Cisco ISE 1.2.1 fails
CSCul71176
Endpoints manually assigned to identity groups might change groups randomly
CSCul71245
ISE Authorization with certificate serial number broken in 1.2 patch 2
CSCul71532
XML external entity injection found under ERS
CSCul77732
Warning message while creating Guest user with hyphen in Self Registration
CSCul77793
Scheduled Reports Not Exported When Using Illegal Character as a Report Name
CSCul80050
Upgrade failed from Cisco ISE 1.1.3 to Cisco ISE 1.2.1
CSCul82658
“Strip prefixes listed below” for Active Directory in GUI is a typo
CSCul84544
Retrieval of Active Directory Groups or Attributes from GUI is Failing
CSCul86970
GUI does not display the Allow only listed IP addresses option to connect.
CSCul87279
ISE 1.2 Patch 5 through GUI not pushed to secondary nodes in the deployment
CSCul87300
Special Character in LDAP password is not read correctly by ISE
CSCul96698
Observed NullPExc intermittently while accessing create Guest Rest API
CSCul96763
Guest users are getting created with special characters through Rest API
CSCul97050
Issue with input validation for language Notification tag - Guest REST API
CSCum01290
MDM Integration Not Working With ISE 1.2 Patch 3 and Patch 4
CSCum10047
Invalid Account Date When Changing Account Duration
CSCum13453
ISE SYSLOG Parsing Failure when Forwarding to Third-Party SYSLOG
CSCum26362
Authentications Details are Missing All the Required Data
CSCum29186
With Account Creation Time Zone Change Not Reflecting New Updated Allowed
Time
CSCum37237
Insufficient permission error with bulk import of guest account.
CSCum37742
Randomly generated guest users allowed to log in after getting expired
CSCum40721
Optional Data Field Not Matching in Authorization Rules
CSCum54099
ISE Does Not Send Sponsor-related syslog Message to External syslog Server
CSCum57372
NAS identifier does not appear the authentication details in the web UI.
CSCum60054
Unable to download catalina.out logs from GUI
CSCum60501
Undefined is displaying in GUI instead of Log file name
CSCum60627
Client EAP Sessions Never Get Cleared
CSCum69410
ISE 1.2 CWA with DRW Included Doesn't Register Endpoint
CSCum77223
Increase Maximum Login Failures for Guest
CSCum79002
Upgrade Validation check to PKIX path building failed
CSCum82400
ISE 1.2 Posture upgrade failure
CSCum82815
Acceptable Use Policy Page Shouldn't Be Presented if ISE Knows Session is Expired
on Login
CSCum82829
Cisco-branded Expiration Page Presented on Custom Portal
CSCum85487
Data Purging audit report is not exporting
CSCum85930
ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect
CSCum86347
ISE Guest Start and Expiration Dates Don't Reflect Sponsor Portal Time Zone
CSCum88817
ISE 1.2 Logs Filled with Unnecessary License Validity Info
CSCum92155
ISE REST API (ERS) - PUT Update Request Removes identityGroups Value
CSCum96035
Guest custom portal password change does not have error handling
CSCun00215
ISE RSA Agent Exhausted Under Heavy Load
CSCun00427
ISE 1.2 match operator return true when LHS is NULL and RHS is constant
CSCun02007
iPEP exhibits slow data transfer rate and packet loss with traffic bursts when using
iPEP routed mode.
CSCun08410
Guest Account’s Start and End Time Validated Against System Time Zone
CSCun11240
Guest Sponsor Mapping Report Incorrectly Changes Sponsor
CSCun15601
Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail
CSCun25178
Fetching Group Information Takes a Long Time Because of SIDHistory
CSCun25815
ISE 1.2 marks DCs as 'Dead' while doing a 'CAPILdapFetch'
CSCun28502
Sponsor, My Devices, and Guest portals does not have a defined character limit.
CSCun36350
Patch info is shown after Cisco ISE Patch 7 CLI Rollback in standalone and
deployment
CSCun36594
ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV
CSCun38402
Exception in CLI after enabling ERS
CSCun41732
Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate
is Present
CSCun46032
Renew expired certificate
CSCun51094
Bulk Import of Guests by Sponsor Falls in Wrong Guest Role
CSCun60443
No Dashboard or Live Logs for Long Time After Primary MnT Failure
CSCun61928
Not All Authorization Profiles are Recognized by Runtime
CSCun67719
Guest Portal: Error Message When Password Expired Confusing
CSCun68637
SNMP Query Fails to Complete during NMAP-triggered Probe
CSCun70626
Locking issue after reset session database
CSCun74285
ISE safe mode did not bypass admin portal certificate authentication.
CSCun74460
Incorrect Daylight Saving Time (DST) time zone offset in ISE affects remote syslog
targets.
CSCun84251
Error after application ise reset-config on 1.2.0.899 Patch 6.
CSCun93673
ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter
CSCun94304
ISE RSA server configuration may fail to replicate to PSNs.
CSCun94693
ISE upgrade to 1.2 fails with boot loader error
CSCun97606
ISE Roaming Authentication Failing
CSCuo02708
ERS Port Should Not Request Client Certificate
CSCuo04860
Raise Alarms for EAP Session and Context Limits
CSCuo13099
ISE Sponsor, email ID used as username with space in it, throws an error.
CSCuo16503
ISE 1.2 Patch 7 AD Sponsor Created Guest Users Cannot Log In
CSCuo31160
Support Plus licenses in ISE 1.2.x
CSCuo32987
Endpoint Register Broken
CSCuo34449
ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent
CSCuo38618
ISE 1.2 cannot join the unit to Distributed Deployment
CSCuo39442
ISE 1.2 does not validate remote log target names.
CSCuo56780
ISE RADIUS Service Denial of Service Vulnerability
CSCuo58919
Endpoint static group assignment toggles between true or false option every 55
seconds.
CSCuo63448
Modifying the ISE parent profile disables child profile.
CSCuo63892
CIAM: ISE-commons-fileupload-1-0
This fix addresses third-party software vulnerabilities.
CSCuo73070
ISE 1.2 GUI Elements Missing Due to No Advanced License
CSCuo76078
CSCuo75506
ISE authorization profile with Central WebAuth (CWA) and custom guest portal
does not redirect to default settings.
CSCuo88571
The IP release renew operation was not performed on Mac OSX devices.
CSCup33018
Apple iOS 8 beta fails Native Supplicant Provisioning flow.
CSCup50216
ISE 1.2+ API update was overwritten by the profiler.
CSCup51902
Exporting active endpoints does not work from the admin node.
CSCup63424
Downloading software to effect release or renew of guest virtual LAN (VLAN) was
not accomplished.
CSCup99806
Custom data access permissions were not working as expected.
Cisco ISE, Release 1.2.0, Resolved Caveats
This section lists the caveats that have been resolved in this release.
• Resolved Caveats
• Resolved Agent Caveats
• Resolved SPW Caveats
Resolved Caveats
Table 27
Cisco ISE, Release 1.2, Resolved Caveats
Caveat
Description
CSCtj81255
Two MAC addresses detected on neighboring switch of ACS 1121 Appliance.
CSCtn76441
Custom conditions are not updated under Rules in profiling policies.
CSCtn92594
Quickpicker filters are not working correctly during Client Provisioning policy
configuration.
CSCto32002
The Cisco ISE MAC address authentication summary report displays IP addresses
instead of MAC addresses.
CSCto87799
Guest authentication fails.
CSCtq06832
Time and Date conditions need to be updated correctly when changing time zones.
CSCtq09004
Windows 7 guest access not successful from IE8 and Chrome 10.
CSCtq53690
Scheduled Monitoring and Troubleshooting incremental backup switches off
following failed backup attempt.
CSCtr58811
Need to log out and log back in to get Advanced License functionality.
CSCtr66929
Selected month and year while configuring file “Date” condition.
CSCtr88091
You may experience slow response times for some user interface elements when
using Internet Explorer 8.
CSCts45441
Weird behavior with creating guest account using start-end time profile.
CSCtt17378
Failed to send notification from UTF-8 Email address.
CSCtu05540
Monitoring and Troubleshooting node does not show Active Directory External
Groups following authentication failure.
CSCtv17606
Monitoring and Troubleshooting requires an appropriate error message if
backup/restore process fails.
CSCtw79431
Exiting the Cisco Mac Agent while in “pending” state displays the wrong user
message.
CSCtw98454
Guest accounting report filter not working.
CSCtx01136
Cisco NAC Agent is not performing posture assessment.
CSCtx03427
Create Alarm Schedule returning XSS error messages.
CSCtx07670
Profiler conditions that are edited wind up corrupting Profiler policies.
CSCtx25213
IP table entry needs cleanup after deregistering a secondary node.
CSCtx31601
Cannot add Network Access user, but able to import users.
CSCtx33747
RBAC admin cannot access deployment page and perform deployment-related
functions.
CSCtx51454
Unable to retrieve administrator users list.
CSCtx59957
A warning/pop-up appears while creating a Guest Time profile.
CSCtx74574
Device Configure Deployment option selected after upgrade from software Release
1.0 to Release 1.1.
CSCtx77149
Disk space issue.
CSCtx81905
Cisco ISE returns an error message while registering one node to another.
CSCtx90696
Cisco ISE does not work after updating the IP address.
CSCtx94533
The Endpoint DeviceRegistrationStatus Attribute Always Shows “Pending”
CSCtx94839
Clicking on logout link on the AUP page of Device Registration Webauth flow
appears to do nothing.
CSCtx95251
Deployment page load exceeds six minutes when two or more nodes are
unreachable.
CSCtx97190
Cisco 3750 switch is profiled as “Generic Cisco Router”.
CSCty00899
LiveLog Reports cannot be opened.
CSCty01787
Error in Generating XML Output for EndPointIPAddress API.
CSCty02379
Cisco ISE runs out of space due to a backlog of pending messages in the replication
queue.
CSCty05157
The Cisco ISE dashboard is not working for administrator user names with more
than 15 non-English characters contained in the username.
CSCty10461
Cannot register a Cisco ISE node with UTF-8 characters in administrator name.
CSCty10692
Requirement is used by Policy-Need tooltip on OS.
CSCty15646
Monitoring and Troubleshooting debug log alert settings get reset to WARN.
CSCty16603
Administrator ISE node promotion fails, resulting in disabled replication status.
CSCty19010
Editing Cisco ISE failure reason information returns error message.
CSCty23790
Internet Explorer 8 is unable to import endpoints from LDAP.
CSCty40077
Shared Secret Key for Inline Posture node Network Access Device is not created or
updated.
CSCty51260
Active Directory "dn" attribute does not work for authorization policies.
CSCty59165
SNMPQuery Probe events queue runs out of memory.
CSCty80451
Failed to authenticate external admin (AD user) when configured user to change
password at the next log in.
CSCty87291
Admin Web Portal Requests ID certification When It’s Password authentication-only
CSCty98551
Race condition between CoA event and persistence event during initial endpoint
login.
CSCtz13306
Monitoring and Troubleshooting collector cannot collect posture audit logs to
generate report.
CSCtz28057
After upgrade to Release 1.1, Cisco ISE is still in “initializing” state.
CSCtz41262
Authorization policy does not match when the MAC address uses the colon delimiter
(00:00:00:00:00:00).
CSCtz41452
Evaluation license counter incrementing when wireless license installed.
CSCtz49846
Cisco ISE does not contain the ASA attribute 146 Tunnel Group Name that is sent
on the Access Request.
CSCtz55815
Default Gateway is not changed if the new value is a part of old value.
CSCtz56691
Research In Motion (Blackberry) devices no longer work after upgrade to Cisco ISE,
Release 1.1.1.
CSCtz67814
Replication disabled for secondary node.
CSCua00821
Error messages appear when you configure Active Directory via the CLI.
CSCua03889
Guest users are asked to accept the Acceptable Use Policy twice when first logging
into Cisco ISE with password change.
CSCua05003
Service status is not correct if the ARP port number changes.
CSCua05433
The endpoint identity import function does not maintain correct identity group
membership.
CSCua25187
Employees whose user names are 41 digits long will not see their devices.
CSCub18575
Problem with sponsor accounts starting with a "0"
CSCuc49317
When you have more than 60 authorization policy rules, creating a new rule takes
about 4 minutes.
CSCuc61075
With the RADIUS probe disabled, if you indicate a device as lost or reinstate in the
My Devices portal, CoA fails.
CSCuc63052
Policy Service node fails to load client certificate for secure syslog configuration.
CSCuc71592
In policy sets, authorization simple condition cannot be used in authorization policy
rules.
CSCuc82453
Monitoring data exported in a .csv file from the primary Administration node is
empty.
CSCuc87242
If you disable a sponsor user who has logged in to the sponsor portal, the sponsor
user’s account is not disabled until the end of the session.
CSCuc92010
Sponsor users who create guest user accounts cannot delete those accounts from the
Sponsor Portal.
CSCuc96884
Profiler Feed Service edit and save operations do not work in Internet Explorer 8.
CSCuc97133
Profiler log throws exceptions when you enable FIPS mode on the primary
Administration node and FIPS mode is not enabled on the secondary nodes until they
are restarted.
CSCud19143
Endpoint filtering does not work for the BYOD Registration and Device Registration
Status fields.
CSCud22608
The minimum length of admin and user passwords in the password policy by default
becomes four characters, instead of six.
CSCud31778
Policy set page takes a long time to load and save.
CSCud32310
Current Active Sessions report displays an error when the Monitor persona runs on
remote node.
CSCud32485
Cannot log in to the sponsor portal after reinstating guest users and accepted the
Acceptable Use Policy (AUP).
CSCud38499
Replication of authorization policy fails in a distributed deployment setup if the
policy set name includes an underscore (_) character.
CSCud38623
MDM server’s Active status does not reflect the connectivity status.
CSCud38634
Guest sponsor details shows wrong sponsor name.
CSCud39871
Cannot save profiler configuration for a secondary node.
CSCud42216
Authentication request from Apple MAC systems that use the EAP-FAST protocol
with inner method GTC or TLS fails.
CSCud43467
Posture reassessment check functionality is not working when you enable posture
reassessment for a group of users. If a user moves to the compliant state, the user
gains access to the network, but posture reassessment does not happen, and the user’s
session gets terminated after a time interval.
CSCud70219
Log.xml files are not cleaned out regularly.
CSCud89273
Passed Numbers Not Appearing on Authentications Dashlet
CSCue14864
Endpoint statically assigned to ID group may appear in different group
CSCuf03318
The Network Setup Assistant fails when the user tries to “Cancel” the Configure
Profile Tool.
CSCuf24898
ISE repository max password length 16 characters.
CSCuf47491
Timestamp of core files not preserved in support bundle.
CSCuf76821
.trc and .trm files are not cleaned out regularly.
CSCug20065
Unable to enforce RBAC as desired to a custom administrator.
CSCug59579
Windows 8 not included in Client Provisioning
CSCug59644
Trying dot1X authentication in an Activated Guest with “First Login” time profile
fails.
CSCug69311
Not able to connect to SFTP, which is required for secure backups.
CSCug82539
While moving the policies from one profiled node to another, the profiler does not
contain the policies in the policy cache.
CSCug90502
ISE Blind SQL Injection Vulnerability.
CSCug91963
Java process crashes when configuring host alias.
CSCug96069
Replication status update fails for all nodes if the network is restored on PAP.
CSCuh02759
While creating a support bundle, an error message appears as “node not reachable”.
CSCuh05950
Certificate missed and node disconnected after PAP promotion failed.
CSCuh07534
While downloading the debug logs from Administration node, an error appears as
“Node is not reachable. Please check the node's status”.
CSCuh13582
ISE applies wrong Authorization rule/ profile
CSCuh14228
Internal administrator summary report export not working
CSCuh20322
Need ISE application server restart reason and timestamp
CSCuh23536
RADIUS drop should have last event timestamp
CSCuh25506
Cisco ISE CSRF Vulnerability
CSCuh30587
Backup fails due to ISE restart
CSCuh36333
Successful DACL download authentication is counted under authentication dashlet
CSCuh41450
IP Columns Sort on Char on Network Devices Page
CSCuh45239
Node Status Patch page does not refresh automatically
CSCuh56278
Local Web Authentication (LWA) Guest access by iOS 6 devices on ISE 1.2 fails
CSCuh65084
Scroll issue for small screens on Live Log page
CSCuh79596
Freshly Installed Standalone ISE Server Not Logging MDM Events
CSCuh84099
ISE should verify non-printable characters in x.509 certs
CSCuh95845
After internal password change policies using NA conditions match default Policy.
CSCui02984
Sponsor authentication failed for Active Directory user with
Sponsor_Portal_Sequence.
CSCui08084
Guest user is not terminated on the switch when suspended via Edit Account.
CSCui15038
ISE HTTP control interface for NAC Web Agent XSS Vulnerability
CSCui15064
Certain ISE Reports Vulnerable to XSS Injection
CSCui16528
Wrong service selection for NDAC Policy
CSCui21439
Message code texts are blank or incorrect
CSCui21839
“Export Endpoints” Creates Empty File When Quick Filter is On
CSCui22884
ISE presents wrong HTTPS certificate
CSCui26708
ISE node to node HTTP Basic Authentication username and password logged
CSCui30266
ISE MDM Portal Cross-Site Scripting Vulnerability
CSCui30275
Component of the administration page of the Cisco Identity Services Engine (ISE)
was vulnerable to a cross-site scripting (XSS) attack
CSCui34389
RADIUS accounting drop is not suppressed, flooding live log.
CSCui35514
'show tech' script in support bundle needs fixing
CSCui36160
Whitelist and expiration notification.
CSCui36643
ISE Editing schedule report complains of existing report name in use.
CSCui40950
Guest login takes long time and times out.
CSCui42788
Exporting of imported profile policy results in a garbled description.
CSCui44324
Backup task can't be configured in ISE 1.2 UI.
CSCui46739
Guest applet fails after update to Java 7 update 25.
CSCui48779
Clicking ‘Undo Latest’ on Feed Service page does not clean up rules in some
conditions.
CSCui56071
ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates
CSCui57100
EAP-TLS auth fails with two sets of CRLs because CRL signature decrypt failed
CSCui57152
Endpoint Policy not updated for endpoints added using ERS API
CSCui57882
Some expired guest accounts cannot be deleted from PDP
CSCui57933
Purge expired guest accounts does not work
CSCui57961
When editing an expired guest account that cannot be deleted, logs out.
CSCui58390
Multiple names in SAN Field and ISE chooses value randomly.
CSCui67495
Uploaded Filenames/Content Not Properly Sanitized
CSCui67511
Certain File Types are not Filtered and are Executable
CSCui71484
ISE SEC PAP has write access via ERS API
CSCui72269
ISE unable to understand SNMP attribute coming from Switch.
CSCui72658
Guest Portal cookies not set as Secure or HTTP Only.
CSCui75335
ISE 1.2 NAC agent fails posture due to 'NAC Server not available.'
CSCui77336
Customized URL ISE self registration not working.
CSCui78135
On Alpha Alarms Still Show Up When We Select All and Acknowledge
CSCui82998
Custom Guest Portal Loops after AUP Due to Loss of Session ID
CSCui83009
Unable to push compliance module to NAC agent on Macs.
CSCui89741
ISE ERS API creates endpoint with invalid format MAC address.
CSCui94488
MyDevice Portal allows endpoints with static endpoint ID group other than
RegisteredDevices.
CSCui96322
Default Guest Portal Email Address Limited to 24 Characters
CSCui96960
MNT Livelog/Dashboard performance.
CSCuj01781
ISE uses SAN of user certificate for machine lookup in Active Directory
CSCuj03071
EndPoint update not being saved to PAP due to high latency
CSCuj03131
Lower "Request Rejection Interval" minimum to 5 minutes
CSCuj03697
Allow Tunnel* attributes in policies
CSCuj05295
ISE App server crashed and stuck in initialized state with "null" in collection filter
CSCuj07535
IP Address Change is Not Recorded in Endpoint Profile on ISE 1.2
CSCuj09430
Guest account is not working according to its Time Zone
CSCuj11040
ISE Should Not Degrade a Profile Based on Problematic User-Agent
CSCum97337
CSCuj13804
IE8 gives error on ISE1.2 when accessing the provisioning portal
CSCuj14382
Cannot statically assign IP address as FramedAddress
CSCuj15372
Authentications fail with MDM authentication rules enabled
CSCuj16049
HA Licensing
CSCuj19882
Unable to edit the existing Guest accounts after restoring old backup
CSCuj25038
ERS Service Disabled After Reboot
CSCuj26086
ISE Client Provisioning - NSP does not launch on Safari 7 (Mac OS X 10.9)
CSCuj80131
CSCuj28447
Endpoint statically assigned to ID group may appear in different group
CSCuj28968
Guest Activity Report is not working
CSCuj34004
User name change detected for the session removes all session attributes
CSCuj36104
ISE does not allow CRL when the name is the same on two Certificate Authorities
CSCuj36310
“@” Character Not Accepted in Wireless SSIDs Fields
CSCuj38204
ISE does not allow access for guest with no webagent if posture is configured
CSCuj39926
Kaspersky remediation does not appear anymore in the AV remediation
CSCuj45431
ISE Support for Mac OS X 10.9 NAC Agent
CSCuj45766
Add/Remove MDM server never got replicated to PSNs in distributed deployment
CSCuj47806
ISE redirects to default guest pages when it’s configured to redirect to custom pages
CSCuj48111
Hyphen and minus sign can't be entered as first or last name
CSCuj49903
Downloading / viewing large logfiles from PDP causes out of memory error
CSCuj51094
Captured TCPDump file is not working
CSCuj54630
ISE 1.2 patch 2 is rejecting https cookies from the Mobile Iron Server
CSCuj57335
Egress Matrix: require default SGACL that includes log option
CSCuj60796
ISE Support for IE 11
CSCuj61976
Admin UI fails to display certain UI pages when using Firefox 25
CSCuj62435
ISE 1.2 TrendMicro not listed for AV Remediation
CSCuj63046
Text fields impose 24 character limit during guest self-registration
CSCuj66093
86017 Error page sessionExpired.jsp images links are invalid
CSCuj70022
EAP-FAST authenticated provisioning with Android doesn't work
CSCuj72022
Cannot use "Ends With" operator in a Posture condition on ISE
CSCuj82836
Manual CoA - Re-authorization is not working
CSCuj84194
ISE sometimes does not send DACL in authorization profile
CSCuj84427
ISE 1.2 Admin password alerts not functioning properly
CSCuj90823
Guest Portal: IP Refresh Failing in IE 11
CSCuj91050
Creating Guest users shows incorrect timezone 'GMT+2 ECT'
CSCuj95908
ISE does not do domain stripping for Active Directory external store
CSCuj97669
DNS Resolution Failed for CNAME:"hostname" from the ISE node "hostname"
CSCuj98726
iOS devices bypass account suspension/lock by starting new EAP session
CSCul02821
MDM attributes doesn't update to Endpoint objective
CSCul02860
Struts Action Mapper Vulnerability
CSCul03127
Struts 2 Dynamic Method Invocation Vulnerability
CSCul03597
LDAP User Authorization Doesn't Work with EAP-FAST Chaining
CSCul03621
Endpoint Profiling Information is not being replicated correctly
CSCul06431
Active Directory attribute value in ATZ profile is not sent
CSCul10677
ISE 1.2 CWA Failure Reason 86017
CSCul13757
Audit records MUST log to External Syslog Servers: CLI log level
CSCul13805
Audit records MUST log to External Syslog Servers: HTTPS idle timeout
CSCul13812
Audit records MUST log to External Syslog servers: SSH publickey
CSCul13883
Audit records MUST log to External Syslog servers: SSH KEX Group14
CSCul13905
Audit records MUST log to External Syslog Servers: CLI clock set
CSCul13946
Audit records MUST log to External Syslog servers: Purge M&T Data
CSCul15967
ISE 1.2 Patch 3 Windows 8.1 CPP OS Detection Failure in Distributed Setup
CSCul16300
Audit records MUST log to External Syslog servers: CLI idle timeout
CSCul18169
Blocking ISE admin UI access for Chrome browser
CSCul18521
Audit records MUST log to External Syslog servers: VGA CLI AUTHC
CSCul18555
Audit records MUST log to External Syslog servers: SSH conn fail
CSCul21337
The Posture Troubleshooting tool was vulnerable to blind SQL injection.
CSCul23070
Audit records MUST log to External Syslog Servers: SSH exit forceout
CSCul23252
CSCul25066
ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service
CSCul28451
RADIUS Accounting Report “Account Session Time” blank.
CSCul29344
ISE 1.2 HTML Custom Pages for Different Portals Not Working.
CSCul35820
ISE Guest Registration Breaks with Apple IOS7 User Name as Email Address
CSCul39011
The Mobile Device Management (MDM) client failed to reject queries when MDM
server was not responding.
CSCul42646
Failed to create Posture Condition with "NOT ENDS WITH" Operator
CSCul46893
URL preservation not working with self service guest user in MAB flow
CSCul48352
Right-Click - Copy to MAC and Username in Live Log
CSCul50495
Device Registration failed with Cisco Catalyst 3850 Switch
CSCul50720
Samsung Galaxy S4 cannot be on-boarded in dual SSID flow
CSCul55934
ISE 1.2 Cannot Delete Guest Users Created Using Unavailable Timezone Setting
CSCul58758
Redirecting to 'null' page in the browser after LWA flow with WLC-5500
CSCul58758
Redirected to null page in the browser after Local Web Authentication (LWA) flow
with WLC-5500 series.
CSCul58895
ISE 1.2 Patch 3 StartEnd time profiles do not work for guest import
CSCul62175
ISE BYOD enhancement troubleshooting for SCEP
CSCul65045
Cannot create/edit network device if advanced license expired
CSCul66218
Posture delays due to HTTP thread exhaustion
CSCul66272
Terminate Change of Authorization during Posture for Unknown User-agent
DynGate
CSCul71176
Endpoints manually assigned to identity groups might change groups randomly
CSCul71532
XML external entity injection found under ERS
CSCul77732
Warning message while creating Guest user with hyphen in Self Registration
CSCul77793
Scheduled Reports Not Exported When Using Illegal Character as a Report Name
CSCul82658
“Strip prefixes listed below” for Active Directory in GUI is a typo
CSCul84544
Retrieval of Active Directory Groups or Attributes from GUI is Failing
CSCul86970
GUI does not display the Allow only listed IP addresses option to connect.
CSCul87300
Special Character in LDAP password is not read correctly by ISE
CSCum01290
MDM Integration Not Working With ISE 1.2 Patch 3 and Patch 4
CSCum10047
Invalid Account Date When Changing Account Duration
CSCum13453
ISE SYSLOG Parsing Failure when Forwarding to Third-Party SYSLOG
CSCum26362
Authentications Details are Missing All the Required Data
CSCum29186
With Account Creation Time Zone Change Not Reflecting New Updated Allowed
Time
CSCum37237
ISE No Sufficient Permission Error with Bulk Import of Guest Account
CSCum37237
Insufficient permission error with bulk import of guest account.
CSCum40721
Optional Data Field Not Matching in Authorization Rules
CSCum41138
NAS IP Address showing MnT address in ISE live logs after CoA REST API.
CSCum54099
ISE Does Not Send Sponsor-related syslog Message to External syslog Server
CSCum57372
NAS identifier does not appear in the authentication details in the web UI.
CSCum60627
Client EAP Sessions Never Get Cleared
CSCum69410
ISE 1.2 CWA with DRW Included Doesn't Register Endpoint
CSCum77223
Increase Maximum Login Failures for Guest
CSCum82815
Acceptable Use Policy Page Shouldn't Be Presented if ISE Knows Session is Expired
on Login
CSCum82829
Cisco-branded Expiration Page Presented on Custom Portal
CSCum85930
ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect
CSCum86347
ISE Guest Start and Expiration Dates Don't Reflect Sponsor Portal Time Zone
CSCum88817
ISE 1.2 Logs Filled with Unnecessary License Validity Info
CSCum92155
ISE REST API (ERS) - PUT Update Request Removes identityGroups Value
CSCum96035
Guest Custom Portal Password Change Does Not Have Error Handling
CSCun00215
ISE RSA Agent Exhausted Under Heavy Load
CSCun00427
ISE 1.2 match operator returns true when LHS is NULL and RHS is constant.
CSCun08410
Guest Account’s Start and End Time Validated Against System Time Zone
CSCun11240
Guest Sponsor Mapping Report Incorrectly Changes Sponsor
CSCun15601
Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail
CSCun25178
Fetching Group Information Takes a Long Time Because of SIDHistory
CSCun28502
Sponsor, My Devices, and Guest portals do not have a defined character limit.
CSCun36594
ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV
CSCun41732
Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate
is Present
CSCun51094
Bulk Import of Guests by Sponsor Falls in Wrong Guest Role
CSCun60443
No Dashboard or Live Logs for Long Time After Primary MnT Failure
CSCun61928
Not All Authorization Profiles are Recognized by Runtime
CSCun67719
Guest Portal: Error Message When Password Expired Confusing
CSCun68637
SNMP Query Fails to Complete during NMAP-triggered Probe
CSCun74285
ISE safe mode did not bypass admin portal certificate authentication.
CSCun74460
Incorrect Daylight Saving Time (DST) time zone offset in ISE affects remote syslog
targets.
CSCun74636
OSX Mavericks is profiled as Apple device based on incorrect User-Agent.
CSCun84251
Error after application ise reset-config on 1.2.0.899 Patch 6.
CSCun93673
ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter
CSCun94304
ISE RSA server configuration may fail to replicate to PSNs.
CSCun97606
ISE Roaming Authentication Failing
CSCuo02708
ERS Port Should Not Request Client Certificate
CSCuo04860
Raise Alarms for EAP Session and Context Limits
CSCuo13099
ISE Sponsor, email ID used as username with space in it, throws an error.
CSCuo16503
ISE 1.2 Patch 7 AD Sponsor Created Guest Users Cannot Log In
CSCuo32987
Endpoint Register Broken
CSCuo34449
ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent
CSCuo39442
ISE 1.2 does not validate remote log target names.
CSCuo56780
ISE RADIUS Service Denial of Service Vulnerability
CSCuo58919
Endpoint static group assignment toggles between true or false option every 55
seconds.
CSCuo63448
Modifying the ISE parent profile disables child profile.
CSCuo63892
CIAM: ISE-commons-fileupload-1-0
CSCuo73070
ISE 1.2 GUI Elements Missing Due to No Advanced License
CSCuo76078
CSCuo75506
ISE authorization profile with Central WebAuth (CWA) and custom guest portal
does not redirect to default settings.
CSCuo88571
The IP release renew operation was not performed on Mac OSX devices.
CSCup33018
Apple iOS 8 beta fails Native Supplicant Provisioning flow.
CSCup50216
ISE 1.2+ API update was overwritten by the profiler.
CSCup51902
Exporting active endpoints does not work from the admin node.
CSCup63424
Downloading software to effect release or renew of guest virtual LAN (VLAN) was
not accomplished.
CSCup79399
Cisco ISE-related reports return blank page while launching from PI.
CSCup88315
Apple iOS 8 beta failing External Web Authentication (WebAuth) with ISE.
CSCup99806
Custom data access permissions were not working as expected.
CSCuq01548
ISE posture dropped during Change of Authorization (CoA) due to invalid HTTP
User-Agent [Trident 7.0].
CSCuq02222
The Simple Network Management Protocol (SNMP) Query probe failed to discover
endpoints using periodic polling.
CSCuq26320
EAP-FAST authenticated provisioning with Android doesn't work
CSCuq26320
EAP-FAST authenticated provisioning with Android does not work.
Resolved Agent Caveats
Table 28
Cisco ISE, Release 1.2, Resolved Agent Caveats
Caveat
Description
CSCto03644
Tray icon flickers click focus if user changes applications from login successfully.
CSCto19507
Mac OS X agent does not prompt for upgrade when coming out of sleep mode.
CSCto97422
Auto Popup does not happen after clicking Cancel during remediation failure.
CSCug26558
Live Authentications: Posture links redirect to wrong MAC address and empty report
CSCue98661
Cisco ISE NAC Agent on Windows 8 checks for AV that is not selected
CSCue41912
Posture: Cisco NAC Agent not triggering on Windows 8
Resolved SPW Caveats
Table 29
Cisco ISE, Release 1.2, Resolved SPW Caveats for Windows
Caveat
Description
SPW Version
CSCug95980
Cisco ISE NSP does not support SDIO based wireless adapters.
1.0.0.31
CSCug66885
Windows SPW-Trusted Root CA not set in network profile.
1.0.0.30
CSCud65260
DualSSID_Win7_PEAP_AutoLogin NSP not connecting to Closed
SSID.
1.0.0.29
CSCud01247
BYOD: Messages are not localized.
1.0.0.28
CSCud56448
PEAP Supplicant Provisioning does not set Validate Server
Certificate.
1.0.0.28
CSCue38943
BYOD: Characters corrupted. A vertical line appears at the end of
the Applying Configuration screen.
1.0.0.28
CSCue43405
Windows 8- Dual SSID is broken (MAB + PEAP), if wrong
networking password is entered in SPW.
1.0.0.28
CSCue43413
Login failure message displayed in dual SSID (MAB + PEAP).
1.0.0.28
CSCue47503
Win SPW v1.0.0.27 fails with Wired dual SSID (MAB > PEAP).
1.0.0.28
CSCud05296
NSP installation on Windows 8 failed.
1.0.0.26
Table 30
Cisco ISE, Release 1.2, Resolved SPW Caveats for Mac OS X
Caveat
Description
SPW Version
CSCuf61159
Wired MAC10.8.3-Fails to auto re-connect to network using new
profile.
1.0.0.21
CSCug16632
BYOD CR: SPW configures the profile and succeeds even when
PDP is down.
1.0.0.20
CSCug18081
NSP page does not show status of Mac SPW consistently.
1.0.0.20
CSCuf03318
Network Setup Assistant fails, if user clicks ‘Cancel’ in the Config
profile Tool.
1.0.0.19
CSCue53450
Cisco Network Setup Assistant copy right year should be changed.
1.0.0.19
CSCue62005
Macintosh SPW 1.0.0.17 is not able to configure wired adapters.
1.0.0.18
CSCud00349
Translation property file has new line character in the JA translation
property file.
1.0.0.17
CSCud64592
MAC OS X 10.6.8: Fails to connect to Closed SSID using the TSL
Profile.
1.0.0.16
CSCub29212
In MAC OS X 10.8, modify system network configuration needs
confirmation from system administrator.
1.0.0.15
CSCuc42511
Localization for NSP wizards - support for additional languages.
1.0.0.14
CSCub27769
Cisco ISE does not block both wired and wireless interface MAC
addresses for lost devices.
1.0.0.13
CSCub65963
Certificate Enrollment is vulnerable to session Hija.
1.0.0.12
CSCub29185
MAC 10.8: Agent and SPW fails to install, when “MAC App Store
and identified developers” is selected in the Security & Privacy
Preference Pane.
1.0.0.11
Documentation Updates
Table 31
Date
10/24/2014
Updates to Release Notes for Cisco Identity Services Engine, Release 1.2.x
Description
•
Added Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12,
page 39
•
Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12,
page 48
9/17/2014
Added Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 2,
page 32
9/15/2014
Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 11,
page 53
8/7/2014
Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10,
page 55.
7/18/2014
Added Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 1,
page 35
7/3/2014
Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 9,
page 58
6/20/2014
6/2/2014
5/30/2014
3/26/2014
•
Updated Upgrading Cisco ISE Software, page 9
•
Added Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 8
Updated Support for Microsoft Active Directory, page 7
•
Cisco Identity Services Engine, Release 1.2.1
•
Added New Features in Cisco ISE, Release 1.2.1, page 12
•
Added Cisco ISE, Release 1.2.1, Resolved Caveats, page 117
•
Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 7,
page 65
•
Updated Open Caveats, page 91
2/21/2014
Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 6,
page 69
1/22/2014
Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 5,
page 72
12/20/2013
12/5/2013
11/27/2013
•
Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 5,
page 72
•
Updated Open Caveats, page 91
Added No iPEP Support in Cisco ISE 1.2.x Patches, page 10
•
Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 4,
page 79
•
Updated Open Caveats, page 91
•
Updated Open Agent Caveats, page 114
10/29/2013
10/28/2013
9/19/2013
•
Added Support for Windows 8.1 and Mac OS X 10.9 in Cisco ISE Version
1.2.0.899—Cumulative Patch 3, page 81
•
Updated Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 3,
page 81
Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 3,
page 81
•
Added New Features in Cisco ISE Version 1.2.0.899—Cumulative Patch 2,
page 86
•
Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 2,
page 89
8/1/2013
Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 1,
page 91
7/25/2013
Cisco Identity Services Engine, Release 1.2
Related Documentation
Release-Specific Documents
General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user
documentation is available on Cisco.com at
http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.
Table 32
Product Documentation for Cisco Identity Services Engine
Document Title
Location
Release Notes for the Cisco Identity Services Engine, Release 1.2
http://www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html
Cisco Identity Services Engine Network Component Compatibility, Release 1.2
http://www.cisco.com/en/US/products/ps11640/products_device_support_tables_list.html
Cisco Identity Services Engine User Guide, Release 1.2
http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html
Cisco Identity Services Engine Hardware Installation Guide, Release 1.2
http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html
Cisco Identity Services Engine Upgrade Guide, Release 1.2
http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html
Cisco Identity Services Engine, Release 1.2 Migration Tool Guide
http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html
Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.2
http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html
Cisco Identity Services Engine CLI Reference Guide, Release 1.2
http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html
Cisco Identity Services Engine API Reference Guide, Release 1.2
http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html
Cisco Identity Services Engine Troubleshooting Guide, Release 1.2
http://www.cisco.com/en/US/products/ps11640/prod_troubleshooting_guides_list.html
Regulatory Compliance and Safety Information for Cisco Identity Services Engine 3300 Series Appliance, Cisco Secure Access Control System 1121 Appliance, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler
http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html
Cisco ISE In-Box Documentation and China RoHS Pointer Card
http://www.cisco.com/en/US/products/ps11640/products_documentation_roadmaps_list.html
Platform-Specific Documents
Links to other platform-specific documentation are available at the following locations:
•
Cisco ISE
http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html
•
Cisco UCS C-Series Servers
http://www.cisco.com/en/US/docs/unified_computing/ucs/overview/guide/UCS_rack_roadmap.html
•
Cisco Secure ACS
http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html
•
Cisco NAC Appliance
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
•
Cisco NAC Profiler
http://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html
•
Cisco NAC Guest Server
http://www.cisco.com/en/US/products/ps10160/tsd_products_support_series_home.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the “Related Documentation” section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of
Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The
use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any
examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only.
Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2014 Cisco Systems, Inc. All rights reserved.