Release Notes for Cisco Identity Services Engine, Release 1.1.x
Transcription
Release Notes for Cisco Identity Services Engine, Release 1.1.x
Release Notes for Cisco Identity Services Engine, Release 1.1.x Revised: January 9, 2015, OL-26136-01 These release notes describe the features, limitations and restrictions (caveats), and related information for Cisco Identity Services Engine (Cisco ISE), Release 1.1.1, 1.1.2, 1.1.3, and 1.1.4. These release notes supplement the Cisco ISE documentation that is included with the product hardware and software release. Cisco Identity Services Engine, Release 1.1.4 Cisco ISE, Release 1.1.4 provides support for the Cisco SNS-3400 Series appliance. In addition to the hardware support for installation on the SNS-3400 Series appliance, Cisco ISE 1.1.4 supports all the features in Cisco ISE 1.1.3. You can also install Cisco ISE 1.1.4 on previously supported appliances, such as ISE-3315-K9, ISE-3355-K9, and ISE-3395-K9. Cisco Identity Services Engine, Release 1.1.3 Cisco ISE, Release 1.1.3 features critical bug fixes derived from Cisco ISE, Release 1.0.4, 1.1, 1.1.1, and 1.1.2 while rolling patch fixes for Cisco ISE, Release 1.1.1 and 1.1.2 into 1.1.3. Cisco Identity Services Engine, Release 1.1.2 Cisco ISE, Release 1.1.2 features critical bug fixes derived from Cisco ISE, Release 1.0.4, 1.1, and 1.1.1, while rolling three patch fixes for Cisco ISE, Release 1.1.1 into 1.1.2. Cisco Identity Services Engine, Release 1.1.1 Cisco ISE, Release 1.1.1 features a number of important product function enhancements and new capabilities, as well as critical bug fixes derived from Cisco ISE, Release 1.0.4 and 1.1. Cisco Systems, Inc. www.cisco.com Contents Contents • Introduction, page 3 • Node Types, Personas, Roles, and Services, page 3 • Hardware Requirements, page 5 • FIPS Compliance, page 8 • Installing Cisco ISE Software, page 8 • Upgrading Cisco ISE Software, page 14 • Cisco Secure ACS to Cisco ISE Migration, page 18 • Cisco ISE License Information, page 18 • New Features in Cisco ISE, Release 1.1.4, page 18 • New Features in Cisco ISE, Release 1.1.3, page 18 • New Features in Cisco ISE, Release 1.1.2, page 18 • New Features in Cisco ISE, Release 1.1.1, page 19 • Cisco ISE Install Files, Updates, and Client Resources, page 22 • Support for Windows 8.1 and Mac OS X 10.9, page 25 • Cisco ISE, Release 1.1.4 Patch Updates, page 25 • Cisco ISE, Release 1.1.3 Patch Updates, page 44 • Cisco ISE, Release 1.1.2 Patch Updates, page 64 • Cisco ISE, Release 1.1.1 Patch Updates, page 74 • Cisco ISE Antivirus and Antispyware Support, page 80 • Cisco ISE Release 1.1.x Open Caveats, page 80 • Cisco ISE Release 1.1.x Resolved SPW Caveats, page 122 • Cisco ISE Release 1.1.4 Resolved Caveats, page 123 • Cisco ISE Release 1.1.3 Resolved Caveats, page 126 • Cisco ISE Release 1.1.2 Resolved Caveats, page 130 • Cisco ISE Release 1.1.1 Resolved Caveats, page 132 • Known Issues, page 133 • Documentation Updates, page 136 • Related Documentation, page 139 Release Notes for Cisco Identity Services Engine, Release 1.1.x 2 OL-26136-01 Introduction Introduction The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution. Cisco ISE offers authenticated network access, profiling, posture, guest management, and security group access services along with monitoring, reporting, and troubleshooting capabilities on a single physical or virtual appliance. Cisco ISE ships on a range of physical appliances with different performance characterization and also allows the addition of more appliances to a deployment for performance, scale, and resiliency. Cisco ISE has a highly available and scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. Cisco ISE also allows for configuration and management of distinct Cisco ISE personas and services. This feature gives you the ability to create and apply Cisco ISE services where they are needed in the network, but still operate the Cisco ISE deployment as a complete and coordinated system. Node Types, Personas, Roles, and Services Cisco ISE provides a highly available and scalable architecture that supports both standalone and distributed deployments. In a distributed environment, you configure one primary Administration node and the rest are secondary nodes. The topics in this section provide information about Cisco ISE terminology, supported node types, distributed deployment, and the basic architecture. Cisco ISE Deployment Terminology Table 1 describes some of the common terms used in Cisco ISE deployment scenarios. Table 1 Cisco Cisco ISE Deployment Terminology Term Description Service A service is a specific feature that a persona provides such as network access, profiler, posture, security group access, and monitoring. Node A node is an individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and also as a software that can be run on a VMware server. Each instance (either running on a Cisco ISE appliance or on a VMware server) that runs the Cisco ISE software is called a node. Node type A node can be of two types: ISE node and Inline Posture node. The node type and persona determine the type of functionality provided by that node. Persona The persona or personas of a node determine the services provided by a node. A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, and Monitoring. Role Determines if a node is a standalone, primary, or secondary node. Applies only to Administration and Monitoring nodes. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 3 Node Types, Personas, Roles, and Services Types of Nodes and Personas A Cisco ISE network has only two types of nodes: • Cisco ISE node—An ISE node could assume any of the following three personas: – Administration—Allows you to perform all administrative operations on Cisco ISE. It handles all system-related configuration and configurations related to functionality such as authentication, authorization, auditing, and so on. In a distributed environment, you can have only one or a maximum of two nodes running the Administration persona. The Administration persona can take on any one of the following roles: standalone, primary, or secondary. If the primary Administration node goes down, you have to manually promote the secondary Administration node. There is no automatic failover for the Administration persona. – Policy Service—Provides network access, posture, guest access, and profiling services. This persona evaluates the policies and makes all the decisions. You can have more than one node assuming this persona. Typically, there would be more than one Policy Service persona in a distributed deployment. All Policy Service personas that reside behind a load balancer share a common multicast address and can be grouped together to form a node group. If one of the nodes in a node group fails, the other nodes in that group process the requests of the node that has failed, thereby providing high availability. Note At least one node in your distributed setup should assume the Policy Service persona. – Monitoring—Enables Cisco ISE to function as the log collector and store log messages from all the Administration and Policy Service personas on the ISE nodes in your network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources. A node with this persona aggregates and correlates the data that it collects to provide you with meaningful information in the form of reports. Cisco ISE allows you to have a maximum of two nodes with this persona that can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring personas collect log messages. In case the primary Monitoring persona goes down, the secondary Monitoring persona automatically assumes the role of the primary Monitoring persona. Note • Note At least one node in your distributed setup should assume the Monitoring persona. It is recommended that the Monitoring persona be on a separate, designated node for higher performance in terms of data collection and report launching. Inline Posture node—A gatekeeping node that is positioned behind network access devices such as wireless LAN controllers (WLCs) and virtual private network (VPN) concentrators on the network. Inline Posture enforces access policies after a user has been authenticated and granted access, and handles Change of Authorization (CoA) requests that a WLC or VPN are unable to accommodate. Cisco ISE allows up to 10,000 Inline Posture Nodes in a deployment. You can pair two Inline Posture nodes together for high availability as a failover pair. An Inline Posture node is dedicated solely to that service, and cannot operate concurrently with other ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node cannot assume any persona. Inline Posture nodes are not supported on VMware server systems. Release Notes for Cisco Identity Services Engine, Release 1.1.x 4 OL-26136-01 Hardware Requirements Note Each ISE node in a deployment can assume more than one of the three personas (Administration, Policy Service, or Monitoring) at a time. By contrast, each Inline Posture node operates only in a dedicated gatekeeping role. The following table lists the recommended minimum and maximum number of nodes/personas in a distributed deployment: Table 2 Deployment Nodes/Personas Node / Persona Minimum Number in a Deployment Maximum Number in a Deployment Admin 1 2 (Configured as an HA pair) Monitor 1 2 (Configured as an HA pair) Policy Service 1 Inline Posture 0 • 2 — when all personas (Admin/Monitor/Policy Service) are on same appliance • 5 — when Admin and Monitor personas are on same appliance • 40 — when each persona is on a dedicated appliance 10k for maximum NADs per deployment • One primary Administration node and one secondary Administration node • One primary Monitoring node, with an optional secondary node • One or more Policy Service nodes • One primary Inline Posture node, with an optional secondary node You can change the persona of a node. See the “Setting Up ISE in a Distributed Environment” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x for information on how to configure these personas on Cisco ISE nodes. Hardware Requirements This section describes the following topics: Note • Supported Hardware, page 6 • Supported Virtual Environments, page 8 • Supported Devices, Browsers, and Agents, page 8 • Supported Microsoft Active Directory, page 8 For more details on Cisco ISE hardware platforms and installation, see the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 5 Hardware Requirements Supported Hardware Cisco ISE software is packaged with your appliance or image for installation. After installation, you can configure Cisco ISE as any of the specified component personas (Administration, Policy Service, and Monitoring) or as an Inline Posture node on the platforms that are listed in Table 3. Table 3 Supported Hardware and Personas Hardware Platform Persona Cisco ISE-3315-K9 (small) Any Cisco ISE-3355-K9 (medium) Cisco ISE-3395-K9 (large) Cisco SNS-3415-K9 Cisco SNS-3495-K9 Configuration • 1x Xeon 2.66 GHz quad-core processor • 4 GB RAM • 2 x 250 GB SATA1 HDD2 • 4x 1 GB NIC3 • 1x Nehalem 2.0 GHz quad-core processor • 4 GB RAM • 2 x 300 GB 2.5 in. SATA HDD • RAID4 (disabled) • 4x 1 GB NIC • Redundant AC power • 2x Nehalem 2.0 GHz quad-core processor • 4 GB RAM • 4 x 300 GB 2.5 in. SAS II HDD • RAID 1 • 4x 1 GB NIC • Redundant AC power Any • Cisco UCS C220 M3 Inline Posture is not supported • Single socket Intel E5-2609 2.4Ghz CPU, 4 total cores, 4 total threads • 16-GB RAM • 1 x 600-GB disk • No RAID • 4 GE network interfaces • Cisco UCS C220 M3 • Dual socket Intel E5-2609 2.4Ghz CPU, 8 total cores, 8 total threads • 32-GB RAM • 2 x 600-GB disk • RAID 0+1 • 4 GE network interfaces Any Any Stand-alone Administration, Monitoring, and Policy Service Inline Posture is not supported Release Notes for Cisco Identity Services Engine, Release 1.1.x 6 OL-26136-01 Hardware Requirements Table 3 Supported Hardware and Personas (continued) Hardware Platform Persona Configuration Cisco ISE-VM-K9 (VMware) Stand-alone Administration, Monitoring, and Policy Service (no Inline Posture) • CPU—Intel Dual-Core; 2.13 GHz or faster • Memory—4 GB RAM5 • Hard Disks (minimum allocated memory): – Stand-alone—600 GB – Administration—200 GB – Policy Service and Monitoring—600 GB – Monitoring—500 GB – Policy Service—100 GB Note For an evaluation and demo purposes, the minimum required disk space is 60 GB to support 100 endpoints. Cisco does not recommend allocating any more than 600 GB maximum space for any node. • NIC—1 GB NIC interface required (you can install up to 4 NICs) • Supported VMware versions include: – ESX 4.x – ESXi 4.x – ESXi 5.x 1. SATA = Serial Advanced Technology Attachment 2. HDD = hard disk drive 3. NIC = network interface card 4. RAID = redundant array of independent disks 5. Memory allocation of less than 4GB is not supported for any VMware appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 4GB prior to opening a case with the Cisco Technical Assistance Center. If you are moving from Cisco Secure Access Control System (ACS) or Cisco NAC Appliance to Cisco ISE, the Cisco Secure ACS 1121 and Cisco NAC 3315 appliances support small deployments, Cisco NAC 3355 appliances support medium deployments, and Cisco NAC 3395 appliances support large deployments. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 7 FIPS Compliance Supported Virtual Environments Cisco ISE supports the following virtual environment platforms: • VMware ESX 4.x • VMware ESXi 4.x • VMware ESXi 5.x Supported Devices, Browsers, and Agents Refer to Cisco Identity Services Engine Network Component Compatibility, Release 1.1.x for information on supported devices, browsers, and agents. Supported Microsoft Active Directory Cisco ISE, Release 1.1.0 to 1.1.2 is tested with Microsoft Active Directory servers 2003, 2003 R2, 2008, and 2008 R2 at all functional levels. Cisco ISE, Release 1.1.3 is tested with Microsoft Active Directory server 2012 at all functional levels. Microsoft Active Directory version 2000 or its functional level is not supported by Cisco ISE. FIPS Compliance Product Cisco Identity Services Engine, Release 1.1.x uses embedded FIPS 140-2 validated cryptographic modules Cisco Common Cryptographic Module (Certificate #1643) and Network Security Services (NSS) Cryptographic Module (Certificate #1497) running on a Cisco ADE-OS platform. For details of the FIPS compliance claims, read the compliance letter for Cisco Identity Services Engine (ISE) 1.1 listed under Current Certifications at the following URL: http://wwwin.cisco.com/osp/gov/ggsg_eng/gct/fips.shtml. Installing Cisco ISE Software The following steps summarize how to install new Cisco ISE Release 1.1.x DVD software on supported hardware platforms (see Supported Hardware, page 6 for support details). With Cisco ISE Release 1.1.x, installation occurs in two phases: 1. The software is installed using the following options: • For the Cisco ISE 3300 Series appliance, the software is installed from the DVD. When the installation completes, the DVD is ejected from the appliance. • For the Cisco ISE 3400 Series appliance (SNS 3415 or 3495 Hardware), the software is installed using CIMC or by creating a bootable USB drive to begin the installation process. Release Notes for Cisco Identity Services Engine, Release 1.1.x 8 OL-26136-01 Installing Cisco ISE Software Note 2. For more information on using CIMC, refer to the following section in the ISE 1.1.4 Installation Guide: http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_ins.html#wp11 36661. Also, see Configuring CIMC, page 11. For more information on the USB boot option, see Creating a Bootable USB Drive, page 14. The administrator logs in and performs the initial configuration. You can re-image a Cisco SNS-3400 series appliance over the Cisco Integrated Management Controller Interface (CIMC) or with a USB key installation. You can download the ISE_114_USB_Installation_tools.zip file from the Cisco download page, unzip the file, and follow the instructions in the README.txt that is included with the zip file to create a bootable USB key. The following sections describe how to configure CIMS and the process of creating a bootable USB key: • Configuring CIMC, page 11 • Creating a Bootable USB Drive, page 14 For more information on the Installation of ISE 3400 Series hardware, refer to the following sections in the ISE 1.1.4 Installation Guide: Note • http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_b-hw_ins_3400.html • http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_ins.html#wp1136661 When using virtual machines (VMs), Cisco recommends that the guest VM have the correct time set using an NTP server before installing the .ISO image on the VMs. Step 1 Log into Cisco Download Software at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You might be required to provide your Cisco.com login credentials. Step 2 Navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software. Step 3 Download the appropriate Cisco ISE .ISO image (for example. ise-1.1.1.268.i386.iso) and burn the image as a bootable disk to a DVD-R. Step 4 Insert the bootable device. Step 5 • For the Cisco ISE 3300 Series appliance, insert the DVD into the DVD-R drive of each appliance, and reboot the appliance to initiate the Cisco ISE DVD installation process. • For the Cisco ISE 3400 Series appliance, use the USB boot option to initiate the Cisco ISE installation process. For more information on the USB boot option, see Creating a Bootable USB Drive, page 14. For more information on CIMC, see Configuring CIMC, page 11. (If necessary) Install a valid FlexLM product license file and perform Cisco ISE initial configuration according to the instructions in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x. Before you run the setup program, ensure that you know the configuration parameters listed in Table 4. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 9 Installing Cisco ISE Software Table 4 Identity Services Engine Network Configuration Parameters for Setup Prompt Description Example Hostname Must not exceed 19 characters. Valid characters include upper- and lower-case alphanumeric characters (A-Z, a-z, 0-9) with the requirement that the first character must be an alphabetic character. isenode1 (eth0) Ethernet interface address Must be a valid IPv4 address for the eth0 Ethernet interface. 10.12.13.14 Netmask Must be a valid IPv4 address for the netmask. 255.255.255.0 Default gateway Must be a valid IPv4 address for the default gateway. 10.12.13.1 DNS domain name Cannot be an IP address. Valid characters include ASCII characters, mycompany.com any numbers, hyphen (-), and period (.). Primary name server Must be a valid IPv4 address for the primary Name server. 10.15.20.25 Add/Edit another name server Must be a valid IPv4 address for an additional Name server. (Optional) Allows you to configure multiple Name servers. To do so, enter y to continue. Primary NTP server Must be a valid NTP server in a domain reachable from Cisco ISE.1 clock.nist.gov Add/Edit another NTP server Must be a valid NTP server in a domain reachable from Cisco ISE.1 (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue. System Time Zone Must be a valid time zone. Refer to the Cisco Identity Services Engine PST CLI Reference Guide, Release 1.1.x for a table of time zones that Cisco ISE supports. The default value is UTC.2 Note The table lists the frequently used time zones. You can run the show timezone command from the Cisco ISE CLI for a complete list of supported time zones. Username admin (default) Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default, you must create a new username, which must be from 3 to 8 characters in length, and be composed of valid alphanumeric characters (A-Z, a-z, or 0-9). Password MyIseYP@@ss Identifies the administrative password used for CLI access to the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). Release Notes for Cisco Identity Services Engine, Release 1.1.x 10 OL-26136-01 Installing Cisco ISE Software Table 4 Identity Services Engine Network Configuration Parameters for Setup (continued) Prompt Description Database Administrator Password Identifies the Cisco ISE database system-level password. You must ISE4adbp@ss create this password (there is no default). The password must be a minimum of 11 characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). Note Database User Password Example Once you configure this password, Cisco ISE uses it “internally.” That is, you do not have to enter it when logging into the system at all. Identifies the Cisco ISE database access-level password. You must ISE5udbp@ss create this password (there is no default). The password must be a minimum of 11 characters in length and include at least one lowercase letter (a-z), at least one uppercase letter (A-Z), and at least one number (0-9). Note Once you configure this password, Cisco ISE uses it “internally.” That is, you do not have to enter it when logging into the system at all. 1. Changing the NTP server specification after Cisco ISE installation will likely affect the entire deployment. 2. Changing the time zone specification after Cisco ISE installation will likely affect the entire deployment. Note For additional information on configuring and managing Cisco ISE, use the list of documents in Release-Specific Documents, page 139 to access other documents in the Cisco ISE documentation suite. Configuring CIMC You can perform all operations on the Cisco ISE 3400 series appliances through the CIMC. To do this, you must first configure an IP address and IP gateway to access the CIMC from a web-based browser. Step 1 Plug in the power cord. Step 2 Press the Power button to boot the server. Watch for the prompt to press F8 as shown in TBD. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 11 Installing Cisco ISE Software Step 3 During boot up, press F8 when prompted to open the BIOS CIMC Configuration Utility. The following screen appears. Step 4 Set the NIC mode to your choice for which ports to use to access the CIMC for server management (see Figure 1-3 on page 1-3 for identification of the ports): – Dedicated—The 1-Gb Ethernet management port is used to access the CIMC. You must select NIC redundancy None and select IP settings. – Shared LOM (default)—The two 1-Gb Ethernet ports are used to access the CIMC. This is the factory default setting, along with Active-active NIC redundancy and DHCP enabled. – Cisco Card—The ports on an installed Cisco UCS P81E VIC are used to access the CIMC. You must select a NIC redundancy and IP setting. Release Notes for Cisco Identity Services Engine, Release 1.1.x 12 OL-26136-01 Installing Cisco ISE Software Note Step 5 The Cisco Card NIC mode is currently supported only with a Cisco UCS P81E VIC (N2XX-ACPCI01) that is installed in PCIe slot 1. Refer to the following section in the Cisco UCS C220 Server Installation and Service Guide: Special Considerations for Cisco UCS Virtual Interface Cards. Use this utility to change the NIC redundancy to your preference. This server has three possible NIC redundancy settings: – None—The Ethernet ports operate independently and do not fail over if there is a problem. – Active-standby—If an active Ethernet port fails, traffic fails over to a standby port. – Active-active—All Ethernet ports are utilized simultaneously. Step 6 Choose whether to enable DHCP for dynamic network settings, or to enter static network settings. Note Step 7 Optional: Use this utility to make VLAN settings, and to set a default CIMC user password. Note Step 8 Before you enable DHCP, your DHCP server must be preconfigured with the range of MAC addresses for this server. The MAC address is printed on a label on the rear of the server. This server has a range of six MAC addresses assigned to the CIMC. The MAC address printed on the label is the beginning of the range of six contiguous MAC addresses. Changes to the settings take effect after approximately 45 seconds. Refresh with F5 and wait until the new settings appear before you reboot the server in the next step. Press F10 to save your settings and reboot the server. Note If you chose to enable DHCP, the dynamically assigned IP and MAC addresses are displayed on the console screen during boot up. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 13 Upgrading Cisco ISE Software Creating a Bootable USB Drive The Cisco ISE 1.1.4 ISO image contains an “images” directory that has a Readme file and a script to create a bootable USB to install Cisco ISE 1.1.4. Before You Begin • Ensure that you have read the Readme in the “images” directory • You need the following: – Linux machine with RHEL-5 or above, CentOS 5.x or above. If you are going to use your PC or MAC, ensure that you have installed a Linux VM on it. – An 8-GB USB drive – The iso-to-usb.sh script Step 1 Plug in your USB drive into the USB port. Step 2 Copy the iso-to-usb.sh script and the Cisco ISE 1.1.4 ISO image to a directory on your linux machine. Step 3 Enter the following command: iso-to-usb.sh source_iso usb_device For example, # ./iso-to-usb.sh ise-1.1.4.218.i386.iso /dev/sdb where iso-to-usb.sh is the name of the script, ise-1.1.4.218.i386.iso is the name of the ISO image, and /dev/sdb is your USB device. Step 4 A screen appears prompting you to specify the type of appliance (Cisco SNS 3415 or Cisco SNS 3495) that you want to install. Step 5 Enter a value corresponding to your appliance type to create a bootable USB drive. Step 6 Enter Y to continue. Step 7 A success message appears. Step 8 Unplug your USB drive. Upgrading Cisco ISE Software If you installed Cisco Identity Services Engine Release 1.0 or Cisco Identity Services Engine Maintenance Release 2 (MR2) previously and are planning to upgrade to the latest Cisco ISE release, review the open caveats in this section before following the upgrade instructions in the “Upgrading Cisco ISE” chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x. Note When you upgrade to Cisco ISE, Release 1.1.x, you may be required to open some network ports you may not have been using in previous releases of Cisco ISE. Ensure you consult the table of required ports to open in Cisco ISE in the “Cisco ISE 3300 Series Appliance Ports Reference” appendix of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x. This section covers the following upgrade issues: • Upgrade from Cisco ISE, Release 1.1.3 to release 1.1.4, page 15 • Upgrade from Cisco ISE, Release 1.1.2 to release 1.1.3, page 15 Release Notes for Cisco Identity Services Engine, Release 1.1.x 14 OL-26136-01 Upgrading Cisco ISE Software • Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.3, page 15 • Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.2, page 15 • Upgrade from Cisco ISE, Release 1.1 to release 1.1.1, page 16 • Upgrade from Cisco ISE, Release 1.0.4 to 1.1.1 with Inline Posture, page 16 • Upgrade from Cisco ISE, Release 1.0.3.377, page 17 Upgrade from Cisco ISE, Release 1.1.3 to release 1.1.4 Prerequisite Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization profile. For more details, refer to CSCub17140, page 111. You can upgrade from Cisco ISE, Release 1.1.3 to release 1.1.4 normally, as described in the upgrade instructions in the Cisco Identity Services Engine Upgrade Guide, Release 1.1.x. Upgrade from Cisco ISE, Release 1.1.2 to release 1.1.3 Prerequisite Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization profile. For more details, refer to CSCub17140, page 111. You can upgrade from Cisco ISE, Release 1.1.2 to release 1.1.3 normally, as described in the upgrade instructions in the Cisco Identity Services Engine Upgrade Guide, Release 1.1.x. Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.3 Prerequisite Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization profile. For more details, refer to CSCub17140, page 111. Before you can upgrade to Cisco ISE, Release 1.1.3, you must first be sure you have upgraded your machine to Cisco ISE, Release 1.1.1 with patch 3 applied. For specific instructions on performing the upgrade procedure, see the Cisco Identity Services Engine Upgrade Guide, Release 1.1.x. Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.2 Prerequisite Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization profile. For more details, refer to CSCub17140, page 111. Before you can upgrade to Cisco ISE, Release 1.1.2, you must first be sure you have upgraded your machine to Cisco ISE, Release 1.1.1 with patch 3 applied. For specific instructions on performing the upgrade procedure, see the Cisco Identity Services Engine Upgrade Guide, Release 1.1.x. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 15 Upgrading Cisco ISE Software Upgrade from Cisco ISE, Release 1.1 to release 1.1.1 Prerequisite Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization profile. For more details, refer to CSCub17140, page 111. Before you can upgrade to Cisco ISE, Release 1.1.1 from Release 1.1, you must first be sure you have applied Cisco Identity Services Engine Cumulative Patch 3 to your Release 1.1 machine(s). For information on obtaining Cisco ISE, Release 1.1 patch 3, see the Release Notes for the Cisco Identity Services Engine, Release 1.1. For specific instructions on performing the upgrade procedure, see the Cisco Identity Services Engine Upgrade Guide, Release 1.1.x. Upgrade from Cisco ISE, Release 1.0.4 to 1.1.1 with Inline Posture In Cisco ISE 1.1.1, the Inline Posture node uses certificate based authentication and cannot connect to the Administrative ISE node. Therefore you are required to disconnect the Inline Posture node from the deployment prior to starting the upgrade procedure, then reconfigure the Inline Posture node after the upgrade. To do so, follow the procedure outlined in this section. Warning You must have the proper certificates in place for your Inline Posture deployment to mutually authenticate. Prerequisite Record all the configuration data for your Inline Posture node before you de-register the node. Alternatively, you can save screenshots of each of the Inline Posture tabs (in the Admin user interface) to record the data. Having this data on hand speeds up the process of re-registering the Inline Posture node to complete the following task. To upgrade to Cisco ISE 1.1.1 with Inline Posture, complete the following steps: Step 1 From the Cisco Administration ISE node, de-register the Cisco Inline Posture node. Note You can verify that the Inline Posture node has returned to ISE node status by going to the CLI and entering the following command: show application status ise If you discover that the node has not reverted to an ISE node, then you can enter the following at the command prompt: pep switch outof-pep However, it is recommended that you only do this as a last resort. Step 2 Upgrade the Cisco Administration ISE node to 1.1.1, as described in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x. Step 3 Import CA root certificate, make CSR, create certificates on the Administration ISE node. Note Step 4 Certificates must have extended key usage for both client authentication and server authentication. For an example of this type of extended key usage, see the Microsoft CA Computer template. Perform a fresh installation of ISE 1.1.1 on the ISE node (that was the former Inline Posture node), as described in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x. Release Notes for Cisco Identity Services Engine, Release 1.1.x 16 OL-26136-01 Upgrading Cisco ISE Software Step 5 Import CA root certificate, make CSR, create certificates on the ISE node (that was the former Inline Posture node), now in standalone mode. Note Certificates must have extended key usage; client authentication and server authentication. For example, select the computer template from Microsoft CA. Step 6 Register the newly upgraded ISE Node as an Inline Posture node. Step 7 Reconfigure the Cisco Inline Posture node. Upgrade from Cisco ISE, Release 1.0.3.377 Prerequisite Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization profile. For more details, refer to CSCub17140, page 111. There is a known issue regarding default “admin” administrator user interface access following upgrade from Cisco Identity Services Engine Release version 1.0.3.377. This issue can affect Cisco ISE customers who have not changed their default “admin” account password for administrator user interface login since first installing Cisco Identity Services Engine Release 1.0.3.377. Upon upgrading, administrators can be “locked out” of the Cisco ISE administrator user interface when logging in via the default “admin” account where the password has not yet been updated from the original default value. To avoid this issue, Cisco recommends you do one or more of the following: Note 1. Verify they have changed password per the instructions in the “Managing Identities” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x prior to upgrade. 2. Disable or modify the password lifetime setting in the Administration > System > Admin Access > Password Policy page of the administrator user interface prior to upgrade to ensure the upgraded policy behavior does not impact the default “admin” account. 3. Enable password lifetime setting reminders in the Administration > System > Admin Access > Password Policy page to alert admin users of imminent expiry. Administrators should change the password when notified. Although the above conditions apply to all administrator accounts, the change in behavior from Cisco ISE version 1.0.3.377 only impacts the default “admin” account. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 17 Cisco Secure ACS to Cisco ISE Migration Cisco Secure ACS to Cisco ISE Migration Complete instructions for moving your Cisco Secure ACS 5.1 or 5.2 database to Cisco ISE, Release 1.1.x are covered in the Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.1.x. Note You must upgrade your Cisco Secure ACS deployment to Release 5.1 or 5.2 before you attempt to perform the migration process to Cisco Identity Services Engine. After you have moved your Cisco Secure ACS 5.1 or 5.2 database over, you will notice some differences in existing data types and elements as they appear in the new Cisco ISE environment. Microsoft Windows Internet Explorer (IE8 and IE7) browsers are not currently supported in this release. Cisco ISE License Information For detailed information on license types and obtaining licenses for Cisco ISE, see “Performing Post-Installation Tasks” chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x. New Features in Cisco ISE, Release 1.1.4 Cisco ISE, Release 1.1.4 provides support for the Cisco SNS 3400 Series appliance. For details on the installing and configuring the Cisco SNS 3400 Series appliance, refer to the ISE 1.1.4 Installation Guide at the following location: • http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_install_guide.html New Features in Cisco ISE, Release 1.1.3 Cisco ISE, Release 1.1.3 features critical bug fixes derived from Cisco ISE, Release 1.0.4, 1.1, 1.1.1, and 1.1.2 while rolling patch fixes for Cisco ISE, Release 1.1.1 and 1.1.2 into 1.1.3. New Features in Cisco ISE, Release 1.1.2 Cisco ISE, Release 1.1.2 offers the following features and services: • Global Setting for Endpoint Attribute Filter, page 18 Global Setting for Endpoint Attribute Filter In Cisco ISE, Release 1.1.2, you can globally configure endpoint attribute filtering to help Cisco ISE reduce the amount of profiling traffic replicated in the local database. This enhancement introduces a new function called a “whitelist,” which drops any attributes that are not present in the whitelist to ensure Cisco ISE database replication takes place as efficiently as possible. The whitelist is a dynamic list of attributes based on the attribute(s) you use in your profiling policies. When profiling is enabled, the Release Notes for Cisco Identity Services Engine, Release 1.1.x 18 OL-26136-01 New Features in Cisco ISE, Release 1.1.1 Policy Service nodes in your deployment collect information from various probes and send it to the Administration ISE node. The Administration ISE node then stores and replicates this information. Earlier releases of Cisco ISE do not feature any control over which attributes can be saved, and as a result, would collect a significant amount of unnecessary information. New Features in Cisco ISE, Release 1.1.1 Cisco ISE, Release 1.1.1 offers the following features and services: • New Default Authorization Profile (“Blacklist”), page 19 • Dictionary Attribute-to-Attribute Authorization Policy Configuration, page 19 • New Device Registration Task Navigator, page 20 • Native Supplicant Provisioning Profile Configuration Page, page 20 • Enhanced Client Provisioning Policy Configuration, page 20 • SCEP Authority Profile Configuration Page, page 20 • RADIUS Proxy Attribute, page 20 • EAP Chaining, page 21 • EAP-TLS as an Inner Method for EAP-FAST, page 21 • Device Registration Portal, page 21 • New Reports in Cisco ISE, Release 1.1.1, page 21 • Change of Authorization, page 21 • Creating Activated Guests, page 22 For more information on key features of Cisco ISE, see the “Overview of Cisco ISE” chapter in the Cisco Identity Services Engine User Guide, Release 1.1.x. New Default Authorization Profile (“Blacklist”) The Cisco ISE administrator can now “blacklist” wireless user devices that get “lost,” or otherwise become unusable or are taken out of circulation, until the device is reinstated or is completely removed from the network. Cisco ISE removes “blacklisted” devices from the network, and they are not allowed on the network again until the device is reinstated. In order to set up the authorization policy in Cisco ISE, you also must ensure you add a compatible dynamic ACL on any associated network access devices in your deployment to manage these wireless users. This new default authorization profile is available in the Policy > Authorization Policy page of the Cisco ISE administrator user interface. Dictionary Attribute-to-Attribute Authorization Policy Configuration In Cisco ISE, Release 1.1.1, you now have the option, when constructing policy conditions in an authorization policy, to specify another dictionary attribute to which you can associate the source attribute during policy configuration. Traditionally, you could only specify a text entry following the requisite operators when setting conditions in authorization policies. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 19 New Features in Cisco ISE, Release 1.1.1 This enhancement affects the Policy > Authorization Policy page of the Cisco ISE administrator user interface. New Device Registration Task Navigator The Device Registration Task Navigator in Cisco ISE, Release 1.1.1 provides a visual path through the various Cisco ISE administration and configuration processes that are necessary to enable administrators to set up Cisco ISE to provide multiple, configurable device support for end users. (As with previous Task Navigator implementation, the linear presentation of the Task Navigator outlines the order in which the tasks should be completed, while also providing direct links to the pages that are needed to perform the tasks.) Native Supplicant Provisioning Profile Configuration Page In Cisco ISE, Release 1.1.1, you can now configure native supplicant profiles for client provisioning, in addition to the existing “ISE Posture Agent Profiles” that are currently available in Cisco ISE, Releases 1.0.4 and 1.1. This profile type allows you to specify settings for user registration via personal devices like iPhones, iPads, and Android devices. Enhanced Client Provisioning Policy Configuration In Cisco ISE, Release 1.1.1, you can now create or edit client provisioning policies to allow for expanded personal device support, including iPhones, iPads, and Android devices. For specific personal device support, you can configure the policy to upload the appropriate configuration wizard that is necessary to enable the personal device to negotiate and register with Cisco ISE. SCEP Authority Profile Configuration Page To support enhanced personal device registration functions, Cisco ISE Release 1.1.1 enables you to configure one or more Simple Certificate Enrollment Protocol (SCEP) authority profiles. Cisco ISE verifies and maintains connectivity with the SCEP authority servers that you specify, and it even performs load balancing among multiple servers to ensure optimal connectivity for users when they access the network using their personal devices. RADIUS Proxy Attribute The RADIUS proxy attribute in Cisco ISE, Release 1.1.1 is used to enhance the RADIUS sequence flows and processing. When the “Access-Accept” packet is received from an external RADIUS server, Cisco ISE continues to the configured authorization policy for further decision-making that is based on additional attributes and groups that are queried from Active Directory and LDAP. Release Notes for Cisco Identity Services Engine, Release 1.1.x 20 OL-26136-01 New Features in Cisco ISE, Release 1.1.1 EAP Chaining In Cisco ISE, Release 1.1.1, Extensible Authentication Protocol (EAP) chaining solution allows you to authenticate both the machine and user in the same EAP-FAST authentication in a configurable order. When an EAP-FAST authentication result is determined, Cisco ISE allows you to apply an authorization policy, depending on the result of both authentications. When EAP chaining is turned off, Cisco ISE performs the usual EAP-FAST authentication. EAP-TLS as an Inner Method for EAP-FAST This feature in Cisco ISE, Release 1.1.1 allows you to use the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) protocol as an inner method for the EAP-FAST protocol. The implementation is the same as using EAP-TLS as the inner method for Protected Extensible Authentication Protocol (PEAP). Device Registration Portal The device registration portal is a standalone portal that can be completely customized to suit your organization. A network access user who is configured as an employee in an organization can access the portal which allows the user to bring personal devices into an enterprise network. This is done through an employee authentication and device registration process. Employees can manage their devices to add, edit, reinstate, and delete their devices through this portal. Cisco ISE adds these devices to the endpoints database and profiles them like any other endpoint. Cisco ISE administrators can manage the registered endpoints from the administrator user interface, by using the identities list and reports. A default authorization policy exists in Cisco ISE that does not allow devices to access an enterprise network when they are marked “lost” in the device registration portal, and identified as blacklisted in an endpoint identity group. An employee can also reinstate a blacklisted device in the device registration portal, and register again to access the network. New Reports in Cisco ISE, Release 1.1.1 Cisco ISE, Release 1.1.1 offers the following new reports: • Supplicant Provisioning Report—This report provides information about a list of endpoints that are registered through the Asset Registration Portal (ARP) for a specific period of time. • Registered Endpoint Report—This report provides information about a list of endpoints that are registered through the Asset Registration Portal (ARP) by a specific user for a selected period of time. Change of Authorization Cisco ISE triggers a CoA when an endpoint is added or removed from an endpoint identity group that is used by an authorization policy. A CoA is also triggered when an endpoint identity group assignment changes due to either dynamic profiling or a static assignment. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 21 Cisco ISE Install Files, Updates, and Client Resources Creating Activated Guests Sponsor user can create activated guests by assigning them to the ActivatedGuest identity group. This is a default identity group in Cisco ISE 1.1.1. Sponsor user should belong to a sponsor group that allows for assigning of guests to ActivatedGuest identity group. Cisco ISE Install Files, Updates, and Client Resources There are three resources you can use to download installation packages, update packages, and other client resources necessary to provision and provide policy service in Cisco ISE: • Cisco ISE Downloads from the Cisco Download Software Center, page 22 • Cisco ISE Live Updates, page 23 • Cisco ISE Offline Updates, page 23 Cisco ISE Downloads from the Cisco Download Software Center In addition to the .ISO installation package required to perform a fresh installation of Cisco ISE as described in Installing Cisco ISE Software, page 8, you can use the same software download location to retrieve other vital Cisco ISE software elements, like Windows and Mac OS X agent installers and AV/AS compliance modules. Use this portal to get your first software packages prior to configuring your Cisco ISE deployment. Downloaded agent files may be used for manual installation on a supported endpoint or used with third-party software distribution packages for mass deployment. To access the Cisco Download Software Center and download the necessary software from Cisco: Step 1 Log into Cisco Download Software at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You might be required to provide your Cisco.com login credentials. Step 2 Navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software. Choose from the following Cisco ISE installers and software packages available for download: Step 3 • Cisco ISE installer .ISO image • Windows client machine agent installation files (including MST and MSI versions for manual provisioning) • Mac OS X client machine agent installation files • AV/AS compliance modules Click Download Now or Add to Cart for any of the software items you require to set up your Cisco ISE deployment. Release Notes for Cisco Identity Services Engine, Release 1.1.x 22 OL-26136-01 Cisco ISE Install Files, Updates, and Client Resources Cisco ISE Live Updates Cisco ISE Live Update locations allow you to automatically download agent, AV/AS support, and agent installer helper packages that support the client provisioning and posture policy services. These live update portals should be configured in ISE upon initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the ISE appliance. Prerequisite If the default Update Feed URL is not reachable and your network requires a proxy server, you may need to configure the proxy settings in the Administration > System > Settings > Proxy before you are able to access the Live Update locations. For more information on proxy settings, see the “Specifying Proxy Settings in Cisco ISE” section in the “Configuring Client Provisioning Policies” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. Client Provisioning and Posture Live Update portals: • Client Provisioning—https://www.cisco.com/web/secure/pmbu/provisioning-update.xml The following software elements are available at this URL: – Windows and Mac OS X versions of the latest Cisco ISE persistent and temporal agents – ActiveX and Java Applet installer helpers – AV/AS compliance module files For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Downloading Client Provisioning Resources Automatically” section of the “Configuring Client Provisioning Policies” chapter in the Cisco Identity Services Engine User Guide, Release 1.1.x. • Posture—https://www.cisco.com/web/secure/pmbu/posture-update.xml The following software elements are available at this URL: – Cisco predefined checks and rules – Windows and Mac OS X AV/AS support charts – Cisco ISE operating system support For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Dynamic Posture Updates” section of the “Configuring Client Posture Policies” chapter in the Cisco Identity Services Engine User Guide, Release 1.1.x. If you do not enable the automatic download capabilities described above in Cisco ISE, you can choose offline updates. See Cisco ISE Offline Updates, page 23. Cisco ISE Offline Updates Cisco ISE offline updates allow you to manually download agent, AV/AS support, and agent installer helper packages that support the client provisioning and posture policy services. This option allows you to upload client provisioning and posture updates in environments where direct Internet access to Cisco.com from the ISE appliance is not available or not permitted by security policy. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 23 Cisco ISE Install Files, Updates, and Client Resources To upload offline client provisioning resources, complete the following steps: Step 1 Log into Cisco Download Software at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You might be required to provide your Cisco.com login credentials. Step 2 Navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software. Choose from the following Off-Line Installation Packages available for download: Step 3 • compliancemodule-<version>-isebundle.zip — Off-Line Compliance Module Installation Package • macagent-<version>-isebundle.zip — Off-Line Mac Agent Installation Package • nacagent-<version>-isebundle.zip — Off-Line NAC Agent Installation Package • webagent-<version>-isebundle.zip — Off-Line Web Agent Installation Package Click Download Now or Add to Cart for any of the software items you require to set up your Cisco ISE deployment. For more information on adding the downloaded Installation Packages to Cisco ISE, refer to “Adding Client Provisioning Resources from a Local Machine” section of the “Configuring Client Posture Policies” chapter in the Cisco Identity Services Engine User Guide, Release 1.1.x. You can update the checks, rules, antivirus and antispyware support charts for both the Windows and Macintosh operating systems, and operating systems information offline from an archive on your local system using the posture updates. For offline updates, you need to ensure that the versions of the archive files match the version in the configuration file. Use this portal once you have configured Cisco ISE and want to enable dynamic updates for the posture policy service. To upload offline posture updates, complete the following steps: Step 1 Go to https://www.cisco.com/web/secure/pmbu/posture-offline.html. The File Download window appears. From the File Download window, you can choose to save the posture-offline.zip file to your local system. This file is used to update the checks, rules, antivirus and antispyware support charts for both the Windows and Macintosh operating systems, and operating systems information. Step 2 Access the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture. Step 3 Click the arrow to view the settings for posture. Step 4 Choose Updates. The Posture Updates page appears. Step 5 From the Posture Updates page, choose the Offline option. Step 6 From the File to update field, click Browse to locate the single archive file (posture-offline.zip) from the local folder on your system. Note The File to update field is a required (mandatory) field and it cannot be left empty. You can only select a single archive file (.zip) that contains the appropriate files. Archive files other than .zip (like .tar, and .gz) are not allowed. Release Notes for Cisco Identity Services Engine, Release 1.1.x 24 OL-26136-01 Support for Windows 8.1 and Mac OS X 10.9 Step 7 Click the Update Now button. Once updated, the Posture Updates page displays the current Cisco updates version information as a verification of an update under Update Information. Support for Windows 8.1 and Mac OS X 10.9 Cisco ISE 1.1.4 Patch 8 and 1.1.3 Patch 8 supports clients using the Windows 8.1 and Mac OS X 10.9 operating systems. See Cisco ISE Release 1.1.x Open Caveats, page 80 for workarounds for issues with Safari 7 and Internet Explorer 11. Cisco ISE, Release 1.1.4 Patch Updates The following patch releases apply to Cisco ISE release 1.1.4: • Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 12, page 25 • Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 11, page 26 • Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 10, page 27 • Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 9, page 27 • Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 8, page 30 • Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 7, page 31 • Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 6, page 33 • Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 5, page 33 • Resolved issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 4, page 34 • Resolved issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 3, page 34 • Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 2, page 38 • Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 1, page 42 Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 12 Table 5 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 12. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 25 Cisco ISE, Release 1.1.4 Patch Updates If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 5 Cisco ISE Patch Version 1.1.4.218—Patch 12 Resolved Caveats Caveat Description CSCur29078 ISE evaluation of SSLv3 POODLE vulnerability. This fix addresses an issue where SSLV POODLE vulnerability impact on third-party software was tested. CSCur00532 ISE evaluation for CVE-2014-6271 and CVE-2014-7169 (AKA ShellShock). This fix addresses an issue in ISE nodes that are SSH enabled. If SSH is enabled, a remote user with ISE CLI credentials will be able to exploit the vulnerability and run generic Linux commands. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:U/RC:C The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html Workaround Disable SSH and reload ISE node as follows: ise1/admin# configure terminal ise1/admin(config)# no service sshd enable ise1/admin(config)# end ise1/admin# reload Save the current ADE-OS running configuration? (yes/no) [yes]? yes Continue with reboot? [y/n] y Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 11 Table 6 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 11. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Release Notes for Cisco Identity Services Engine, Release 1.1.x 26 OL-26136-01 Cisco ISE, Release 1.1.4 Patch Updates Table 6 Cisco ISE Patch Version 1.1.4.218—Patch 11 Resolved Caveats Caveat Description CSCuo40875 Cisco ISE 1.1.x Not Able to Handle New User Agent Format This fix addresses an issue where Cisco ISE 1.1.x considered the user agent string sent by a 4.9.4.3 agent machine as user agent from a non-agent machine and redirected to client provisioning page Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 10 Table 7 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 10. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 7 Cisco ISE Patch Version 1.1.4.218—Patch 10 Resolved Caveats Caveat Description CSCui57374 ISE IPEP Invalid RADIUS Authenticator error during high load This fix addresses an issue where the NAC agent stopped popping up for the clients when there was a high load on the IPEP. Invalid RADIUS Authenticator errors were recorded in the logs. CSCun25178 Fetching Group Information Takes a Long Time Because of SIDHistory This fix addresses an issue where Cisco ISE failed to resolve SIDHistory to group names if the SIDHistory belonged to a trusted domain/forest. The large number of SIDHistory values in the user's token used to cause long delay (2-5 minutes) during user authentication. CSCun77904 iPEP interfaces Issues After Upgrading to 1.1.4 Patch 9 This fix addresses an “interface flapping” issue with the eth0 and eth1 interfaces on 3315 and 3355 appliances that resulted from upgrading to Cisco ISE 1.1.4 patch 9. Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 9 Table 8 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 9. Note Cisco Recommends upgrading to Cisco ISE 1.1.4 patch 10 instead of patch 9 due to caveat CSCui57374. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 27 Cisco ISE, Release 1.1.4 Patch Updates To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. Table 8 Cisco ISE Patch Version 1.1.4.218—Patch 9 Resolved Caveats Caveat Description CSCub35046 ISE custom guest portal results page includes unused fields CSCub62481 This fix addresses an issue where unused, optional fields were displayed on the guest self registration results page when using a custom self registration page and specifying 'Unused' for the Optional Data fields in the Guest Details Policy. CSCug90502 ISE Blind SQL Injection Vulnerability This fix addresses an issue where the Cisco Identity Services Engine (ISE) was vulnerable to blind SQL injection. This could allow a remote, authenticated user to modify information in the database. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6/5.4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:U/RC:C CVE ID CVE-2013-5525 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-552 5 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html Release Notes for Cisco Identity Services Engine, Release 1.1.x 28 OL-26136-01 Cisco ISE, Release 1.1.4 Patch Updates Table 8 Cisco ISE Patch Version 1.1.4.218—Patch 9 Resolved Caveats Caveat Description CSCui67495 Uploaded Filenames/Content Not Properly Sanitized This fix addresses an issue where filenames and content uploaded to Cisco Identity Services Engine (ISE) was not filtered/sanitized effectively. This could have resulted in a file of incorrect type being uploaded to ISE or the filename leading to a potential cross-site scripting (XSS) issue. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:L/Au:S/C:N/I:P/A:N/E:H/RL:U/RC:C CVE ID CVE-2013-5541 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-554 1 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCui67511 Certain File Types are not Filtered and are Executable This fix addresses an issue where, due to insufficient filtering and access control, potentially malicious file types could have been uploaded to, and executed within, the Cisco Identity Services Engine (ISE) web interface. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:U/RC:C CVE ID CVE-2013-5539 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-553 9 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 29 Cisco ISE, Release 1.1.4 Patch Updates Table 8 Cisco ISE Patch Version 1.1.4.218—Patch 9 Resolved Caveats Caveat Description CSCul02860 Struts Action Mapper Vulnerability Previous versions of ISE Cisco ISE included a version of Apache Struts that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2013-4310 Cisco has analyzed these vulnerabilities and concluded that the product is not impacted, however the affected component has been updated as harden measure. PSIRT Evaluation The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact [email protected] for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCul03127 Struts 2 Dynamic Method Invocation Vulnerability Previous versions of Cisco ISE included a version of Apache Struts2 that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2013-4316 PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C CVE ID CVE-2013-4316 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 8 Table 9 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 8. ISE 1.1.4 patch 8 also includes support for Windows 8.1 and Mac OS X 10.9. See Support for Windows 8.1 and Mac OS X 10.9, page 25 for more information. Release Notes for Cisco Identity Services Engine, Release 1.1.x 30 OL-26136-01 Cisco ISE, Release 1.1.4 Patch Updates To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 9 Cisco ISE Patch Version 1.1.4.218—Patch 8 Resolved Caveats Caveat Description CSCuj45431 ISE Support for Mac OS X 10.9 NAC Agent ISE 1.1.3 patch 8 supports a NAC Agent for Mac OS X 10.9. CSCuj60796 ISE Support for IE 11 ISE 1.1.3 patch 8 supports Internet Explorer 11. Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 7 Table 10 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 7. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 10 Cisco ISE Patch Version 1.1.4.218—Patch 7 Resolved Caveats Caveat Description CSCud83514 ISE session database growing too large, causing homepage blank To resolve this issue, run the application configure ise command using the Reset M&T Session Database option. When the Monitoring and Session Database becomes corrupted, Cisco ISE may be variably slow, unusable, have a full disk, become unable to perform replication, or register/join a distributed deployment. You may observe alert(s) from the ISE appliance with the title “Session directory write failed.” where the body of the alert email states that the disk is full. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 31 Cisco ISE, Release 1.1.4 Patch Updates Table 10 Cisco ISE Patch Version 1.1.4.218—Patch 7 Resolved Caveats Caveat Description CSCue28066 IP address field is missing during editing/duplicating NADs This fix addresses the issue where you cannot edit or duplicate NADs in the Network Devices List page when the IP address field is not displayed in the Cisco ISE user interface. CSCue62940 Incremental Backup without Full Backup gets stuck in running state This fix addresses the issue where an incremental backup fails in the absence of a full backup file in the repository. CSCug20065 Unable to enforce RBAC as desired to a custom admin This fix addresses the issue where an admin user (custom created) cannot add endpoints to an endpoint identity group (custom created) even after assigning the correct role-based access control policy. CSCug68792 Incomplete Backup Process Status in UI This fix addresses the issue where the status of backup is still shown as running in the user interface even though the process is interrupted in the middle of a backup. CSCug77406 Increase retention of ASA VPN sessions to 120 hours (5 days) This fix retains RADIUS active sessions up to 120 hours. CSCug99304 ISE replication gets disabled due to expired certificates even though they are valid This fix addresses the issue where you cannot perform manual synchronization to secondary nodes, if the certificate has expired in any one of the secondary nodes in a deployment. CSCuh12487 Null value associated with SNMP GET after call from NMAP fails This fix addresses the issue with MIB when mapping an endpoint profiling policy with the device MAC address after an NMAP scan. CSCuh43440 ISE needs to improve logging mechanism to keep track of backup failures This fix addresses the issue where you can track information on previous backup exceptions, which can be queried using "IncrBackupUtil" or "incrbackup" as a key for incremental backup related errors in the ise-psc.log because the IncrBackupRestoreException.log is overwritten every time an exception occurs during backup. CSCui75669 Endpoint update calls from guest-portal causing replication issues This fix addresses the issue where the Guest portal generates endpoint update calls on every redirect to the Guest portal login page for the same user-agent. CSCuj35109 LWA is broken in iOS 7 devices with ISE 1.1.3 patch 6 This fix addresses the issue where LWA fails for Apple (iOS7) devices in the Cisco ISE 1.1.3 patch 6. CSCuj51094 Captured TCPDump file is not working. This fix addresses the issue where you are unable to open the captured TCPDump.pcap file in Wireshark. Release Notes for Cisco Identity Services Engine, Release 1.1.x 32 OL-26136-01 Cisco ISE, Release 1.1.4 Patch Updates Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 6 Table 11 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 6. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 11 Cisco ISE Patch Version 1.1.4.218—Patch 6 Resolved Caveats Caveat Description CSCuf20919 Guests can view accounts from each other through self-service Guest users can view other accounts that are created using the Self Service feature in a custom guest portal or through the default portal. CSCuh67300 ISE redirects to default guest pages when configured for custom pages When using Google Chrome, guest users are redirected to the default guest portal though Cisco ISE is configured to redirect users to the custom guest portal. Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 5 Table 12 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 5. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 12 Cisco ISE Patch Version 1.1.4.218—Patch 5 Resolved Caveats Caveat Description CSCtx35984 Profiler unable to save into DB - SSL Handshake exception error This fix addresses SSL Handshake related issues when a secondary PAN is registered in a deployment. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 33 Cisco ISE, Release 1.1.4 Patch Updates Table 12 Cisco ISE Patch Version 1.1.4.218—Patch 5 Resolved Caveats Caveat Description CSCui41569 BYOD Supplicant Provisioning Status query should be optimized This fix improves the response time for querying the monitoring database if the device has been successfully provisioned or pending provisioning and to check the status of device registration. CSCui56071 ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates This fix filters incoming Framed-IP-Address that contains zero IP address (0.0.0.0) to reduce replication. Resolved issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 4 Table 13 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 4. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 13 Cisco ISE Patch Version 1.1.4.218—Patch 4 Resolved Caveats Caveat Description CSCuh70984 Database purging alarms on Cisco ISE due to open cursors exceeded This fix addresses the database purging alarm issue where an hourly database purge fails due to the maximum number of open cursors exceeding the threshold of 1500 per user session in the Monitoring node. CSCui22841 Apache Struts2 command execution vulnerability Cisco ISE includes a version of Apache Struts that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2013-2251. This fix addresses the potential impact on this product. Resolved issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 3 Table 14 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 3. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Release Notes for Cisco Identity Services Engine, Release 1.1.x 34 OL-26136-01 Cisco ISE, Release 1.1.4 Patch Updates Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 14 Cisco ISE Patch Version 1.1.4.218—Patch 3 Resolved Caveats Caveat Description CSCth95432 All OUIs in IEEE need to be resolved to names by profiler This fix addresses that all OUIs are resolved to organization names by the Cisco ISE profiler. CSCuc29014 Profiling conditions edit throws null error with NullPointerException This fix addresses the null error issue that occurs when editing a profiler condition. This issue occurred when the policy rule existed in the profiler cache even after the endpoint profiling policy that contained the rule was deleted. CSCuc74270 Authorization policy match fails following Active Directory password change This issue has been observed where users authenticate against Active Directory and are prompted to change to a new password. The password change is successful in Active Directory, but Cisco ISE fails to match with the appropriate authorization policy based on session attributes. This is most likely due to attributes used in authentication not being available for authorization policy evaluation following a change in the Active Directory password. CSCue41912 NAC agent is not triggered on Windows 8 client Ensure that you install the new NAC agent 4.9.0.52 on Windows 8 clients along with the Cisco ISE 1.1.3 patch 3. This fix addresses that you must install the Cisco ISE certificate on the Windows 8 client that allows the NAC agent to pop-up. Unlike Windows 7 and XP clients, Windows 8 does not display the trust certificate dialog box to allow the NAC agent to pop-up, if Cisco ISE is using the self-signed certificate, and if the Cisco ISE certificate is not previously installed on the Windows 8 client. CSCue59806 'NAC Server not available' error is thrown - EAP failure error (No response) This fix addresses EAP timeout issue when it occurred on the session, but the session is already accepted and the protocol runtime (prrt) will not remove any session attribute. If you see an EAP timeout from the client, the protocol runtime (prrt) cleans posture session attributes. The posture runtime service, which looks for session attributes will fail to fetch the session information. CSCue60442 Authorization policies disappear after modifying the name of the parent endpoint identity group in Cisco ISE This fix addresses the issue where you can modify the name of the user-defined endpoint identity groups and this does not impact the Authorization Policy page. If you modify the name of the parent endpoint identity group (user-defined) when you have referenced the child endpoint identity groups in the authorization policies, the Authorization Policy page is empty and the configured authorization policies are not displayed. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 35 Cisco ISE, Release 1.1.4 Patch Updates Table 14 Cisco ISE Patch Version 1.1.4.218—Patch 3 Resolved Caveats Caveat Description CSCue67900 Termination-Action returns RADIUS-Request The fix addresses the issue where Termination-Action=Radius-Request in Access-Accept is set only for the Inline Posture node. Cisco ISE sends Termination-Action=Radius-Request in Access-Accept, which indicates that re-authentication should occur on expiration of the Session-Time or the session was terminated. CSCue73865 Cisco ISE is unable to authenticate users against Active Directory with SmbServerNameHardeningLevel=1 This fix addresses the issue that occurred when authenticating users against Active Directory with SmbServerNameHardeningLevel=1. Authentications failed against Active Directory with SmbServerNameHardeningLevel set to 1 with an error "24444 Active Directory operation has failed because of an unspecified error." CSCuf56635 HP Jetdirect Printer is incorrectly profiled as HP-Device using DHCP probe This fix addresses incorrect profiling of an HP Jetdirect Printer using DHCP probe. If you change the parent policy of an existing profiling policy, and then add or delete one or more profiling conditions in the profiling policy, endpoints are not profiled as expected and you might encounter cache-related exceptions. Workaround Use static endpoint profiling for HP printers when you have issues with dynamic profiling using DHCP probe CSCug06716 Cisco ISE Centrify AD domain whitelisting breaks machine authentication Centrify version is upgraded to 4.6.0.114. This fix addresses the issue where machine authentication fails against Active Directory whitelisted domains, if Cisco ISE is configured with AD domains whitelist. Run the application configure ise command to configure the AD whitelist domains. ise/admin# application configure ise Selection ISE configuration option [1]Reset Active Directory settings to defaults [2]Display Active Directory settings [3]Configure Active Directory settings [4]Restart/Apply Active Directory settings [5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings [6]Exit Use the option 3 to configure the AD domains whitelist. You are about to configure Active Directory settings. Are you sure you want to proceed? y/n [n]: y Parameter Name: adclient.included.domains Parameter Value: abc.com Active Directory internal setting modification should only be performed if approved by ISE support. Please confirm this change has been approved y/n [n]: y Active Directory settings were modified. Settings will take effect after choosing apply option from menu. Use the option 5 to clear the Centrify cache and restart for the new configuration options to take effect. Release Notes for Cisco Identity Services Engine, Release 1.1.x 36 OL-26136-01 Cisco ISE, Release 1.1.4 Patch Updates Table 14 Cisco ISE Patch Version 1.1.4.218—Patch 3 Resolved Caveats Caveat Description CSCug69605 BYOD: Fingerprint exception on Cisco ISE when CA certificate is retrieved via SCEP This fix addresses the issue where BYOD certificate-provisioning fails for all clients with an error when CA certificate is retrieved via the SCEP server. CSCug72958 Profiling functionality is broken while editing policies This fix addresses incorrect profiling of endpoints when you change the parent policy of an existing profiling policy, and then add or delete one or more profiling conditions in the profiling policy. CSCug74166 Identity groups are corrupted after changing the parent identity group name This issue occurs only when editing the parent identity group name with the same name of the child identity group. Workaround We recommend that you create parent and child identity groups with different names. CSCug76995 Unable to add user after changing the parent user identity group name This fix addresses the issue where you cannot add users to the user identity group even after changing the parent user identity group name. CSCug79181 Secure SSID is visible with a PEAP profile, but not with an EAP-TLS profile, when the secure SSID was not broadcasted This error occurs when a device connects to an open network using IOS, gets redirected to CWS, and provides credentials, the device is registered, and the profile is installed successfully. The user is then be prompted with a message to connect to “XXXX SSID and try the original url.” If the profile was modified with PEAP, once the boarding process is completed, the secure SSID is then visible, and you can connect to the secure SSID. Workaround There is no known workaround for this issue. CSCug95429 Profiler: IP attribute unnecessarily being updated This fix addresses the issue where the endpoint IP address was updated for the following conditions: CSCug98513 • If Framed-IP-Address attribute contains the limited connectivity IP (169.254.0.0/16) address, it is ignored by the RADIUS probe. • If endpoint IP address is assigned to 0.0.0.0 by the DHCP probe, it is ignored. Integrate components to support AD 2012 or mixed mode (2008) Centrify version is upgraded to support Active Directory 2012 and mixed 2008/2012 environments. CSCuh17560 Suppress Accounting update packets in Cisco ISE 1.1.x This fix controls the recording of accounting updates from the network access devices (NADs) that causes the MnT database to grow larger, if NADs are configured to send periodic accounting updates. By default, no RADIUS accounting updates are recorded in the accounting report. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 37 Cisco ISE, Release 1.1.4 Patch Updates Table 14 Cisco ISE Patch Version 1.1.4.218—Patch 3 Resolved Caveats Caveat Description CSCuh23189 ISE: Using Internal Identity User can gain access to Admin Dashboard This fix addresses the issue where internal users gain access to the Cisco ISE Admin portal Home page when they are not mapped to any Cisco ISE administrator group. CSCuh29915 ID group add button window shrinks This fix addresses the issue where you cannot add endpoints to the endpoint identity group from the Endpoints object selector. CSCuh36595 Custom Guest Self Registration Result should not write to file system This fix addresses the issue where the client browsers display the same credentials for all guest users instead of displaying credentials for respective guest users after self-registration. CSCuh43470 Cisco ISE Authentication failures alarm threshold definition This fix addresses the issue where the Cisco ISE alarms were displayed along with the criteria mapped to the alarm. CSCuh43528 Cisco ISE Alarm Authentication failures count incorrectly shows "%" in details This fix addresses the issue where the Cisco ISE alarms were displayed along with the criteria mapped to the alarm. CSCuh54747 Search is not working in object selector if we change the views The fix addresses the issue where you cannot search endpoints or users in the object selector when you switch back to the list-view from the tree-view. CSCuh56861 Cisco ISE Active Endpoints count on dashboard home page does not decrease The fix addresses the issue where the active endpoint count is not decreasing on the Cisco ISE dashboard if the session purge is not running properly. Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 2 Table 15 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 2. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. While upgrading from Cisco ISE Release 1.1.4 patch 1 to patch 2, the log targets configured for ‘Authentication Flow Diagnostics’ might get removed. You need to manually reconfigure the log targets. See Also CSCuh81724, page 94. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Release Notes for Cisco Identity Services Engine, Release 1.1.x 38 OL-26136-01 Cisco ISE, Release 1.1.4 Patch Updates Table 15 Cisco ISE Patch Version 1.1.4.218—Patch 2 Resolved Caveats Caveat Description CSCud65479 Device registration Change of Authorization loop with posturing enabled This fix addresses the device registration flow issue where the Cisco ISE Admin node issues a second CoA after the endpoint becomes compliant and is authorized. When a client connects to the SSID, authenticates, and is redirected to device registration portal, the user agrees to the Acceptable Use Policy and is mapped to the predetermined endpoint group and the client status changes to compliant. After a few seconds, however, the client undergoes another Change of Authorization. CSCue25407 Wrong Authentication Policy match: Cisco ISE initiates MAB instead of 802.1x Before this fix, when 802.1x authentication happened for the employee user after device registration over MAB in a wired device on-boarding case, authentication policy matched for the user automatically resumed using MAB when it should have started 802.1x. As a result, the end user received a “Windows Cannot connect to the network” message. The workaround was that once the device is not able to connect via 802.1x and the user receives an error message, the user could try disconnecting the wire and connecting again. CSCue49305 Device registration is disabled if JavaScript is disabled for Safari or Chrome browsers on iOS and Android platforms. This fix allows the JavaScript to be disabled without disabling the device registration. CSCue49317 SCEP enrolment failure if the user name is prefixed with AD domain name Before this fix, the device on-boarding process would return an error after registering as part of certificate enrollment. This would occur during personal device registration, when a username must be entered in the format <domain>\<username>. This issue has only been observed when using the <domain>\<username> format to connect via 802.1x. The workaround was to connect using just the username without the domain name. CSCue50838 An arrayOutOfBoundException occurs during Certificate provisioning. This exception no longer occurs. CSCue71407 Guest and Sponsor language templates disappear from database. Before this fix, all configured field values in the language templates for both the Sponsor and Guest portals would disappear. The portals would display the correct themes and images, but not text. The names of the language templates would also not appear in the "SEC_RES_MASTER" table. CSCue83454 In CWA, ISE is not able to learn guest user IP address In CWA, the NAD has no knowledge of the guest username, so RADIUS accounting cannot do the username-IP mapping. However, ISE can fetch the client IP address and show it in the Live Authentications or in the Guest reports. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 39 Cisco ISE, Release 1.1.4 Patch Updates Table 15 Cisco ISE Patch Version 1.1.4.218—Patch 2 Resolved Caveats (continued) Caveat Description CSCue90444 When an active IPEP node fails, the VPN traffic drops. This fix ensures that VPN traffic is not dropped. The error occurred because when the standby IPEP device becoming active as a result of a failure of an active IPEP node, the VPN session information was not being updated. The workaround was to disconnect and then reconnect the VPN session. CSCuf05267 BYOD usability - Provide API to poll BYOD status. An API has been provided to poll the BYOD Status, which can be used by the Guest Service. CSCuf08298 Collect only the attributes that are used in profiling policies This is an enhancement to CSCua89503, which was resolved in 1.1.2. It enhances the ability to globally configure endpoint attribute filtering to help Cisco ISE reduce the amount of profiling traffic replicated in the local database. Now any attributes that are not present in the whitelist are dropped when attribute filtering is enabled. CSCuf47857 BYOD enhancements This fix provides BYOD usability enhancements for guest CR CSCuf66747 Guest user notification substitution uses system timezone instead of user timezone Guest user notifications use system timezone for account-start-time and account-end-time when the %starttime% and %endtime% variables are used in guest user notification within the Sponsor portal language templates. This substitution uses start-time and end-time adjusted to the Cisco ISE system timezone instead of guest user timezone. CSCuf71124 PAP admin login failed for consecutive purge operations This issue was intermittent. Before this fix, when there were successful data purges of the Management node, attempts to log into the PAP admin UI would fail with the following error message: “Authentication failed due to zero RBAC Group.” CSCuf90492 ISE cannot process large SGT matrices or send radius messages larger than 4k ISE now supports large SGT matrices. It no longer displays the following error message in the AAA diagnostics: “Invalid attributes in outgoing radius packet possibly some attributes exceeded their size limit.” CSCuf90513 Multiple Policy Service node’s attempt to write the same profile data to the database that causes high CPU usage. When multiple Policy Service nodes receive the same profiling data from an endpoint, each Policy Service node attempts to write to the Cisco ISE database. However, only one Policy service node can write data to the database, and therefore CPU utilization will be high in other Policy Service nodes when they are not able to write data to the database during reprofiling endpoints. This might result in disabling the data replication from the Administration ISE node. Release Notes for Cisco Identity Services Engine, Release 1.1.x 40 OL-26136-01 Cisco ISE, Release 1.1.4 Patch Updates Table 15 Cisco ISE Patch Version 1.1.4.218—Patch 2 Resolved Caveats (continued) Caveat Description CSCug04743 The order of policies change on Authentication, Posture and CP Policy pages when using Google Chrome Before this fix, when a policy was inserted or duplicated on either the Posture Policy page, CP Policy page, or Authentication Policy. After the policy was saved, and you returned to the Policy page, the policies would be listed in a different order. This issue occurred only when there are more than 10 policies. CSCug15615 BYOD CR: Error message needs to be modified for a disabled NSP policy (NSPMsg.FAIL_NSP_DISABLE) The following error message has been enhanced to indicate that the error occurs when the NSP policy is configured but disabled: “System administrator has not configured a policy for your device. Contact your system administrator.” The new error message is: “System administrator has not configured a policy or has to enable a policy for your device. Contact your system administrator.” CSCug34981 Incorrect authorization policy match for Self Service Guests when the profiler CoA is set to ReAuth The authorization policy match for Self Service Guests is now correct. CSCug35133 The attribute Service-Type is changing often with the radius probe and causing high CPU usage This is not a key attribute and it has been removed from the static list. It is no longer triggering frequent profiling updates on EndPoints. CSCug37245 SCEP enrolment fails when using certificates from different CAs SCEP enrolment can now use certificates from different CAs. CSCug44228 BYOD success message is shown before CoA and can cause a loop and a network connection error message on the browser Before this fix, a BYOD success message would be received too early, and sometimes when an attempt was made to browse the Internet, an error message was shown stating that the client cannot connect to network. This issue would occur when a BYOD device would connect to an Open SSID with PEAP initially and browse the Internet. This would cause the device to be redirected to the device registration page and would be asked to download a profile. Once the device was registered and the profile was downloaded, a success message was shown. However, this occurred before CoA had happen. CSCug78350 To install the NAC Agent on IE 10, you must enable compatible mode This fix ensures that you no longer have to enable compatibility mode to install the NAC Agent. This issue would occur after authenticating to ISE, opening IE 10 as an administrator, redirecting to the CP page, and clicking Install. Only Active-x would be installed and no error messages were displayed on the server. The workaround was to enable Compatibility Mode on IE. CSCug78636 Disable Diagnostics Issue Before this fix, it was recommended that diagnostics be disabled to improve the response time of the UI. You can now leave the diagnostics at the default setting of logging only warning or error level messages. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 41 Cisco ISE, Release 1.1.4 Patch Updates Table 15 Cisco ISE Patch Version 1.1.4.218—Patch 2 Resolved Caveats (continued) Caveat Description CSCug79123 Messages are displaying in vertical format in IE The following BYOD flow message is no longer displaying in vertical format on the device registration page when the CP policy was disabled: “The system administrator has not configured a policy or has to enable a policy for your device.” The message now displays correctly in the horizontal format. The message always displayed correctly for Chrome and Firefox. CSCug80970 Wrong button is displayed when the session is lost during NSPWizard installation process Before this fix, the Run Network Setup Assistant button was displayed when the session was staled in a dual SSID scenario. This fix now allows only the Try Again button to be displayed, as expected because the session does not exist in server, and stops the Run Network Setup Assistant button from being displayed. This occurs when a dual SSID flow is Configured, a Windows device is redirected to the guest portal, the Register button is clicked to start the NSP Wizard installation, and the session is staled during NSP Wizard installation. Then when you exit the NSP profile window and go back to browser, the correct message is displayed. Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 1 Table 16 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.4.218 cumulative patch 1. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.4, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 16 Cisco ISE Patch Version 1.1.4.218—Patch 1 Resolved Caveats Caveat Description CSCuc07816 Must be able to purge MnT data from CLI This fix allows Cisco ISE administrators to purge monitoring and troubleshooting operational data on demand using the application configure ise command. CSCuc48613 Google Chrome can cause reordering of Authorization Policy rules This fix addresses the issue where after upgrade to Cisco ISE 1.1.1, if you use the Google Chrome browser to edit the authorization policy rules, you find the rules reordered and some of the rules appear grayed out. Release Notes for Cisco Identity Services Engine, Release 1.1.x 42 OL-26136-01 Cisco ISE, Release 1.1.4 Patch Updates Table 16 Cisco ISE Patch Version 1.1.4.218—Patch 1 Resolved Caveats (continued) Caveat Description CSCuc58992 IP address of the endpoints is not getting updated correctly Cisco ISE Release 1.1.x uses the following authoritative attributes to create IP address-to-MAC address mapping: • DHCP-REQUESTED-ADDRESS • FRAMED-IP-ADDRESS • CDPCACHEADDRESS In the case of DHCP span, if Cisco ISE gets an actual assignment from the DHCP server, then DHCP can be authoritative. Unfortunately, in the case of IP Helper, only the requested address is visible, and in some cases, the server responds with a different address than the requested one. To address some of the inaccuracies with the IP-MAC mapping, Cisco has moved the Framed-IP-Address so that it has a better preference than the dhcp-request-address. CSCue14864 Endpoint statically assigned to ID group may appear in different group This fix addresses an issue where endpoints that are statically assigned to an Endpoint ID group unexpectedly appear in another group. The potential issue is that, where authorization profiles are based on ID group, these endpoints may wind up getting assigned the wrong authorization result. This issue has been observed where the administrator creates endpoint identity groups and manually add endpoints to the Cisco ISE database, making them static. CSCue16774 Profiler purge process is not running, EndPoint Cache grows past memory limits This fix addresses the Cisco ISE application restart issue that occurs if purge process in profiler has stopped and EndPoint Cache size increases beyond the memory limit. CSCue31190 Sponsor users editing guest accounts may cause internal server errors This fix addresses the issue where an "internal server error" message would appear in the Cisco ISE Administrator User Interface when attempting to edit a guest user via the Cisco ISE Sponsor portal. CSCue53508 Limit SNMP Query based of RADIUS Acct Start Event Once it receives a RADIUS accounting message, Cisco ISE schedules an SNMP query on that port. If too many messages come in, the server can get overwhelmed. Cisco has added a time-out parameter to control how often Cisco ISE performs SNMP queries for particular endpoints. (At most one query per day per endpoint.) CSCue58842 Valid email refused in Cisco ISE Guest Portal This fix validates the email address entered in the Cisco ISE Guest portal. If you enter a valid email address such as [email protected] and there is only one character after the period in the username, Cisco ISE refuses it as an invalid email address for a sponsored guest email ID. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 43 Cisco ISE, Release 1.1.3 Patch Updates Table 16 Cisco ISE Patch Version 1.1.4.218—Patch 1 Resolved Caveats (continued) Caveat Description CSCue71478 Remove ACS-Session-ID from attribute suppression white-list The ACS-Session-ID attribute is used in Profiler to detect which Policy Service node issues a Change of Authorization. This attribute changes frequently in case of failed authorization events because new sessions are created. This means that even with attribute suppression enabled, because this attribute is essential, Cisco ISE generates a database replication event for it. The fix is to drop the attribute and instead extract the AAA server attribute, which corresponds to the node that evaluates the request. For example: AAA-Server1-admin Previously, Cisco ISE would use the ACS-Session-ID which would have been: AcsSessionID positron-mehdi/151281952/12 In the context of very high Accounting or Authorization failures, this should reduce the number of database events. CSCue71874 Re-profiling process check continuously running Due to the 60 second buffering in persistence to allow for replication events reduction, Cisco ISE delays re-profiling if any profiler policy is changed. This delay is now disabled for the Primary node where re-profiling occurs. CSCue86661 Cisco ISE does not match a compound condition with multiple conditions in a policy rule This fix addresses the issue where Cisco ISE evaluates only the last compound condition in a policy rule with multiple conditions. Earlier, the workaround was to remove the compound condition from the policy rule and add it again. CSCue96626 Address purging issues Purge failure and the resulting impact on Monitoring operations are addressed in this fix. Cisco ISE, Release 1.1.3 Patch Updates The following patch releases apply to Cisco ISE release 1.1.3: • Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 12, page 45 • Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 11, page 46 • Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 10, page 47 • Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 9, page 47 • Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 8, page 50 • Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 7, page 51 • Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 6, page 53 • Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 5, page 53 Release Notes for Cisco Identity Services Engine, Release 1.1.x 44 OL-26136-01 Cisco ISE, Release 1.1.3 Patch Updates • Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 4, page 54 • Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 3, page 54 • Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 2, page 58 • Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 1, page 62 The following patch releases apply to Cisco ISE release 1.1.2 and have been rolled into release 1.1.3: • Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 6, page 67 • Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 5, page 68 • Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 4, page 70 Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 12 Table 17 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 12. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 17 Cisco ISE Patch Version 1.1.3.124—Patch 12 Resolved Caveats Caveat Description CSCur29078 ISE evaluation of SSLv3 POODLE vulnerability. This fix addresses an issue where SSLV POODLE vulnerability impact on third-party software was tested. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 45 Cisco ISE, Release 1.1.3 Patch Updates Table 17 Cisco ISE Patch Version 1.1.3.124—Patch 12 Resolved Caveats Caveat Description CSCur00532 ISE evaluation for CVE-2014-6271 and CVE-2014-7169 (AKA ShellShock). This fix addresses an issue in ISE nodes that are SSH enabled. If SSH is enabled, a remote user with ISE CLI credentials will be able to exploit the vulnerability and run generic Linux commands. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:U/RC:C The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html Workaround Disable SSH and reload ISE node as follows: ise1/admin# configure terminal ise1/admin(config)# no service sshd enable ise1/admin(config)# end ise1/admin# reload Save the current ADE-OS running configuration? (yes/no) [yes]? yes Continue with reboot? [y/n] y Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 11 Table 18 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 11. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Release Notes for Cisco Identity Services Engine, Release 1.1.x 46 OL-26136-01 Cisco ISE, Release 1.1.3 Patch Updates Table 18 Cisco ISE Patch Version 1.1.3.124—Patch 11 Resolved Caveats Caveat Description CSCuo40875 Cisco ISE 1.1.x Not Able to Handle New User Agent Format This fix addresses an issue where Cisco ISE 1.1.x considered the user agent string sent by a 4.9.4.3 agent machine as user agent from a non-agent machine and redirected to client provisioning page Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 10 Table 19 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 10. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 19 Cisco ISE Patch Version 1.1.3.124—Patch 10 Resolved Caveats Caveat Description CSCun25178 Fetching Group Information Takes a Long Time Because of SIDHistory This fix addresses an issue where Cisco ISE failed to resolve SIDHistory to group names if the SIDHistory belonged to a trusted domain/forest. The large number of SIDHistory values in the user's token used to cause long delay (2-5 minutes) during user authentication. Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 9 Table 20 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 9. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 47 Cisco ISE, Release 1.1.3 Patch Updates Table 20 Cisco ISE Patch Version 1.1.3.124—Patch 9 Resolved Caveats Caveat Description CSCub35046 ISE Custom Guest Portal Results Page Includes Unused Fields CSCub62481 This fix addresses an issue where unused, optional fields were displayed on the guest self registration results page when using a custom self registration page and specifying 'Unused' for the Optional Data fields in the Guest Details Policy. CSCug90502 ISE Blind SQL Injection Vulnerability This fix addresses an issue where the Cisco Identity Services Engine (ISE) was vulnerable to blind SQL injection. This could allow a remote, authenticated user to modify information in the database. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6/5.4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:U/RC:C CVE ID CVE-2013-5525 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-552 5 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCui57374 ISE IPEP Invalid RADIUS Authenticator error during high load This fix addresses an issue where the NAC agent stopped popping up for the clients when there was a high load on the IPEP. Invalid RADIUS Authenticator errors were recorded in the logs. Release Notes for Cisco Identity Services Engine, Release 1.1.x 48 OL-26136-01 Cisco ISE, Release 1.1.3 Patch Updates Table 20 Cisco ISE Patch Version 1.1.3.124—Patch 9 Resolved Caveats Caveat Description CSCui67495 Uploaded Filenames/Content Not Properly Sanitized This fix addresses an issue where filenames and content uploaded to Cisco Identity Services Engine (ISE) was not filtered/sanitized effectively. This could have resulted in a file of incorrect type being uploaded to ISE or the filename leading to a potential cross-site scripting (XSS) issue. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:L/Au:S/C:N/I:P/A:N/E:H/RL:U/RC:C CVE ID CVE-2013-5541 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-554 1 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCui67511 Certain File Types are not Filtered and are Executable This fix addresses an issue where, due to insufficient filtering and access control, potentially malicious file types could have been uploaded to, and executed within, the Cisco Identity Services Engine (ISE) web interface. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:U/RC:C CVE ID CVE-2013-5539 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-553 9 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 49 Cisco ISE, Release 1.1.3 Patch Updates Table 20 Cisco ISE Patch Version 1.1.3.124—Patch 9 Resolved Caveats Caveat Description CSCul02860 Struts Action Mapper Vulnerability Previous versions of ISE Cisco ISE included a version of Apache Struts that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2013-4310 Cisco has analyzed these vulnerabilities and concluded that the product is not impacted, however the affected component has been updated as harden measure. PSIRT Evaluation The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact [email protected] for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCul03127 Struts 2 Dynamic Method Invocation Vulnerability Previous versions of Cisco ISE included a version of Apache Struts2 that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2013-4316 PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C CVE ID CVE-2013-4316 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 8 Table 21 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 8. ISE 1.1.3 patch 8 also includes support for Windows 8.1 and Mac OS X 10.9. See Support for Windows 8.1 and Mac OS X 10.9, page 25 for more information. Release Notes for Cisco Identity Services Engine, Release 1.1.x 50 OL-26136-01 Cisco ISE, Release 1.1.3 Patch Updates To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 21 Cisco ISE Patch Version 1.1.3.124—Patch 8 Resolved Caveats Caveat Description CSCuj45431 ISE Support for Mac OS X 10.9 NAC Agent ISE 1.1.3 patch 8 supports a NAC Agent for Mac OS X 10.9. CSCuj60796 ISE Support for IE 11 ISE 1.1.3 patch 8 supports Internet Explorer 11. Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 7 Table 22 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 7. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 22 Cisco ISE Patch Version 1.1.3.124—Patch 7 Resolved Caveats Caveat Description CSCud83514 ISE session database growing too large, causing homepage blank To resolve this issue, run the application configure ise command using the Reset M&T Session Database option. When the Monitoring and Session Database becomes corrupted, Cisco ISE may be variably slow, unusable, have a full disk, become unable to perform replication, or register/join a distributed deployment. You may observe alert(s) from the ISE appliance with the title “Session directory write failed.” where the body of the alert email states that the disk is full. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 51 Cisco ISE, Release 1.1.3 Patch Updates Table 22 Cisco ISE Patch Version 1.1.3.124—Patch 7 Resolved Caveats Caveat Description CSCue28066 IP address field is missing during editing/duplicating NADs This fix addresses the issue where you cannot edit or duplicate NADs in the Network Devices List page when the IP address field is not displayed in the Cisco ISE user interface. CSCue62940 Incremental Backup without Full Backup gets stuck in running state This fix addresses the issue where an incremental backup fails in the absence of a full backup file in the repository. CSCug20065 Unable to enforce RBAC as desired to a custom admin This fix addresses the issue where an admin user (custom created) cannot add endpoints to an endpoint identity group (custom created) even after assigning the correct role-based access control policy. CSCug68792 Incomplete Backup Process Status in UI This fix addresses the issue where the status of backup is still shown as running in the user interface even though the process is interrupted in the middle of a backup. CSCug77406 Increase retention of ASA VPN sessions to 120 hours (5 days) This fix retains RADIUS active sessions up to 120 hours. CSCug99304 ISE replication gets disabled due to expired certificates even though they are valid This fix addresses the issue where you cannot perform manual synchronization to secondary nodes, if the certificate has expired in any one of the secondary nodes in a deployment. CSCuh12487 Null value associated with SNMP GET after call from NMAP fails This fix addresses the issue with MIB when mapping an endpoint profiling policy with the device MAC address after an NMAP scan. CSCuh43440 ISE needs to improve logging mechanism to keep track of backup failures This fix addresses the issue where you can track information on previous backup exceptions, which can be queried using "IncrBackupUtil" or "incrbackup" as a key for incremental backup related errors in the ise-psc.log because the IncrBackupRestoreException.log is overwritten every time an exception occurs during backup. CSCui75669 Endpoint update calls from guest-portal causing replication issues This fix addresses the issue where the Guest portal generates endpoint update calls on every redirect to the Guest portal login page for the same user-agent. CSCuj35109 LWA is broken in iOS 7 devices with ISE 1.1.3 patch 6 This fix addresses the issue where LWA fails for Apple (iOS7) devices in the Cisco ISE 1.1.3 patch 6. CSCuj51094 Captured TCPDump file is not working. This fix addresses the issue where you are unable to open the captured TCPDump.pcap file in Wireshark. Release Notes for Cisco Identity Services Engine, Release 1.1.x 52 OL-26136-01 Cisco ISE, Release 1.1.3 Patch Updates Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 6 Table 23 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 6. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 23 Cisco ISE Patch Version 1.1.3.124—Patch 6 Resolved Caveats Caveat Description CSCuf20919 Guests can view accounts from each other through self-service Guest users can view other accounts that are created using the Self Service feature in a custom guest portal or through the default portal. CSCuh67300 ISE redirects to default guest pages when configured for custom pages When using Google Chrome, guest users are redirected to the default guest portal though Cisco ISE is configured to redirect users to the custom guest portal. Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 5 Table 24 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 5. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 24 Cisco ISE Patch Version 1.1.3.124—Patch 5 Resolved Caveats Caveat Description CSCtx35984 Profiler unable to save into DB - SSL Handshake exception error This fix addresses SSL Handshake related issues when a secondary PAN is registered in a deployment. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 53 Cisco ISE, Release 1.1.3 Patch Updates Table 24 Cisco ISE Patch Version 1.1.3.124—Patch 5 Resolved Caveats Caveat Description CSCui41569 BYOD Supplicant Provisioning Status query should be optimized This fix improves the response time for querying the monitoring database if the device has been successfully provisioned or pending provisioning and to check the status of device registration. CSCui56071 ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates This fix filters incoming Framed-IP-Address that contains zero IP address (0.0.0.0) to reduce replication. Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 4 Table 25 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 4. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 25 Cisco ISE Patch Version 1.1.3.124—Patch 4 Resolved Caveats Caveat Description CSCuh70984 Database purging alarms on Cisco ISE due to open cursors exceeded This fix addresses the database purging alarms issue where an hourly database purging fails due to the maximum number of open cursors exceeds the threshold of 1500 per user session in the Monitoring ISE node. CSCui22841 Apache Struts2 command execution vulnerability Cisco ISE includes a version of Apache Struts that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2013-2251. This fix addresses the potential impact on this product. Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 3 Table 26 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 3. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Release Notes for Cisco Identity Services Engine, Release 1.1.x 54 OL-26136-01 Cisco ISE, Release 1.1.3 Patch Updates Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 26 Cisco ISE Patch Version 1.1.3.124—Patch 3 Resolved Caveats Caveat Description CSCth95432 All OUIs in IEEE need to be resolved to names by profiler This fix addresses that all OUIs are resolved to organization names by the Cisco ISE profiler. CSCuc29014 Profiling conditions edit throws null error with NullPointerException This fix addresses the null error issue that occurs when editing a profiler condition. This issue occurred when the policy rule existed in the profiler cache even after the endpoint profiling policy that contained the rule was deleted. CSCuc74270 Authorization policy match fails following Active Directory password change This issue has been observed where users authenticate against Active Directory and are prompted to change to a new password. The password change is successful in Active Directory, but Cisco ISE fails to match with the appropriate authorization policy based on session attributes. This is most likely due to attributes used in authentication not being available for authorization policy evaluation following a change in the Active Directory password. CSCue41912 NAC agent is not triggered on Windows 8 client Ensure that you install the new NAC agent 4.9.0.52 on Windows 8 clients along with the Cisco ISE 1.1.3 patch 3. This fix addresses that you must install the Cisco ISE certificate on the Windows 8 client that allows the NAC agent to pop-up. Unlike Windows 7 and XP clients, Windows 8 does not display the trust certificate dialog box to allow the NAC agent to pop-up, if Cisco ISE is using the self-signed certificate, and if the Cisco ISE certificate is not previously installed on the Windows 8 client. CSCue59806 'NAC Server not available' error is thrown - EAP failure error (No response) This fix addresses EAP timeout issue when it occurred on the session, but the session is already accepted and the protocol runtime (prrt) will not remove any session attribute. If you see an EAP timeout from the client, the protocol runtime (prrt) cleans posture session attributes. The posture runtime service, which looks for session attributes will fail to fetch the session information. CSCue60442 Authorization policies disappear after modifying the name of the parent endpoint identity group in Cisco ISE This fix addresses the issue where you can modify the name of the user-defined endpoint identity groups and this does not impact the Authorization Policy page. If you modify the name of the parent endpoint identity group (user-defined) when you have referenced the child endpoint identity groups in the authorization policies, the Authorization Policy page is empty and the configured authorization policies are not displayed. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 55 Cisco ISE, Release 1.1.3 Patch Updates Table 26 Cisco ISE Patch Version 1.1.3.124—Patch 3 Resolved Caveats Caveat Description CSCue67900 Termination-Action returns RADIUS-Request The fix addresses the issue where Termination-Action=Radius-Request in Access-Accept is set only for the Inline Posture node. Cisco ISE sends Termination-Action=Radius-Request in Access-Accept, which indicates that re-authentication should occur on expiration of the Session-Time or the session was terminated. CSCue73865 Cisco ISE is unable to authenticate users against Active Directory with SmbServerNameHardeningLevel=1 This fix addresses the issue that occurred when authenticating users against Active Directory with SmbServerNameHardeningLevel=1. Authentications failed against Active Directory with SmbServerNameHardeningLevel set to 1 with an error "24444 Active Directory operation has failed because of an unspecified error." CSCuf56635 HP Jetdirect Printer is incorrectly profiled as HP-Device using DHCP probe This fix addresses incorrect profiling of an HP Jetdirect Printer using DHCP probe. If you change the parent policy of an existing profiling policy, and then add or delete one or more profiling conditions in the profiling policy, endpoints are not profiled as expected and you might encounter cache-related exceptions. Workaround Use static endpoint profiling for HP printers when you have issues with dynamic profiling using DHCP probe CSCug06716 Cisco ISE Centrify AD domain whitelisting breaks machine authentication Centrify version is upgraded to 4.6.0.114. This fix addresses the issue where machine authentication fails against Active Directory whitelisted domains, if Cisco ISE is configured with AD domains whitelist. Run the application configure ise command to configure the AD whitelist domains. ise/admin# application configure ise Selection ISE configuration option [1]Reset Active Directory settings to defaults [2]Display Active Directory settings [3]Configure Active Directory settings [4]Restart/Apply Active Directory settings [5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings [6]Exit Use the option 3 to configure the AD domains whitelist. You are about to configure Active Directory settings. Are you sure you want to proceed? y/n [n]: y Parameter Name: adclient.included.domains Parameter Value: abc.com Active Directory internal setting modification should only be performed if approved by ISE support. Please confirm this change has been approved y/n [n]: y Active Directory settings were modified. Settings will take effect after choosing apply option from menu. Use the option 5 to clear the Centrify cache and restart for the new configuration options to take effect. Release Notes for Cisco Identity Services Engine, Release 1.1.x 56 OL-26136-01 Cisco ISE, Release 1.1.3 Patch Updates Table 26 Cisco ISE Patch Version 1.1.3.124—Patch 3 Resolved Caveats Caveat Description CSCug69605 BYOD: Fingerprint exception on Cisco ISE when CA certificate is retrieved via SCEP This fix addresses the issue where BYOD certificate-provisioning fails for all clients with an error when CA certificate is retrieved via the SCEP server. CSCug72958 Profiling functionality is broken while editing policies This fix addresses incorrect profiling of endpoints when you change the parent policy of an existing profiling policy, and then add or delete one or more profiling conditions in the profiling policy. CSCug74166 Identity groups are corrupted after changing the parent identity group name This issue occurs only when editing the parent identity group name with the same name of the child identity group. Workaround We recommend that you create parent and child identity groups with different names. CSCug76995 Unable to add user after changing the parent user identity group name This fix addresses the issue where you cannot add users to the user identity group even after changing the parent user identity group name. CSCug79181 Secure SSID is visible with a PEAP profile, but not with an EAP-TLS profile, when the secure SSID was not broadcasted This error occurs when a device connects to an open network using IOS, gets redirected to CWS, and provides credentials, the device is registered, and the profile is installed successfully. The user is then be prompted with a message to connect to “XXXX SSID and try the original url.” If the profile was modified with PEAP, once the boarding process is completed, the secure SSID is then visible, and you can connect to the secure SSID. Workaround There is no known workaround for this issue. CSCug95429 Profiler: IP attribute unnecessarily being updated This fix addresses the issue where the endpoint IP address was updated for the following conditions: CSCug98513 • If Framed-IP-Address attribute contains the limited connectivity IP (169.254.0.0/16) address, it is ignored by the RADIUS probe. • If endpoint IP address is assigned to 0.0.0.0 by the DHCP probe, it is ignored. Integrate components to support AD 2012 or mixed mode (2008) Centrify version is upgraded to support Active Directory 2012 and mixed 2008/2012 environments. CSCuh17560 Suppress Accounting update packets in Cisco ISE 1.1.x This fix controls the recording of accounting updates from the network access devices (NADs) that causes the MnT database to grow larger, if NADs are configured to send periodic accounting updates. By default, no RADIUS accounting updates are recorded in the accounting report. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 57 Cisco ISE, Release 1.1.3 Patch Updates Table 26 Cisco ISE Patch Version 1.1.3.124—Patch 3 Resolved Caveats Caveat Description CSCuh23189 ISE: Using Internal Identity User can gain access to Admin Dashboard This fix addresses the issue where internal users gain access to the Cisco ISE Admin portal Home page when they are not mapped to any Cisco ISE administrator group. CSCuh29915 ID group add button window shrinks This fix addresses the issue where you cannot add endpoints to the endpoint identity group from the Endpoints object selector. CSCuh36595 Custom Guest Self Registration Result should not write to file system This fix addresses the issue where the client browsers display the same credentials for all guest users instead of displaying credentials for respective guest users after self-registration. CSCuh43470 Cisco ISE Authentication failures alarm threshold definition This fix addresses the issue where the Cisco ISE alarms were displayed along with the criteria mapped to the alarm. CSCuh43528 Cisco ISE Alarm Authentication failures count incorrectly shows "%" in details This fix addresses the issue where the Cisco ISE alarms were displayed along with the criteria mapped to the alarm. CSCuh54747 Search is not working in object selector if we change the views The fix addresses the issue where you cannot search endpoints or users in the object selector when you switch back to the list-view from the tree-view. CSCuh56861 Cisco ISE Active Endpoints count on dashboard home page does not decrease The fix addresses the issue where the active endpoint count is not decreasing on the Cisco ISE dashboard if the session purge is not running properly. Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 2 Table 27 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 2. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Release Notes for Cisco Identity Services Engine, Release 1.1.x 58 OL-26136-01 Cisco ISE, Release 1.1.3 Patch Updates Table 27 Cisco ISE Patch Version 1.1.3.124—Patch 2 Resolved Caveats Caveat Description CSCud65479 Device registration Change of Authorization loop with posturing enabled This fix addresses the device registration flow issue where the Cisco ISE Admin node issues a second CoA after the endpoint becomes compliant and is authorized. When a client connects to the SSID, authenticates, and is redirected to device registration portal, the user agrees to the Acceptable Use Policy and is mapped to the predetermined endpoint group and the client status changes to compliant. After a few seconds, however, the client undergoes another Change of Authorization. CSCue25407 Wrong Authentication Policy match: Cisco ISE initiates MAB instead of 802.1x Before this fix, when 802.1x authentication happened for the employee user after device registration over MAB in a wired device on-boarding case, authentication policy matched for the user automatically resumed using MAB when it should have started 802.1x. As a result, the end user received a “Windows Cannot connect to the network” message. The workaround was that once the device is not able to connect via 802.1x and the user receives an error message, the user could try disconnecting the wire and connecting again. CSCue49305 Device registration is disabled if JavaScript is disabled for Safari or Chrome browsers on iOS and Android platforms. This fix allows the JavaScript to be disabled without disabling the device registration. CSCue49317 SCEP enrolment failure if the user name is prefixed with AD domain name Before this fix, the device on-boarding process would return an error after registering as part of certificate enrollment. This would occur during personal device registration, when a username must be entered in the format <domain>\<username>. This issue has only been observed when using the <domain>\<username> format to connect via 802.1x. The workaround was to connect using just the username without the domain name. CSCue50838 An arrayOutOfBoundException occurs during Certificate provisioning. This exception no longer occurs. CSCue71407 Guest and Sponsor language templates disappear from database. Before this fix, all configured field values in the language templates for both the Sponsor and Guest portals would disappear. The portals would display the correct themes and images, but not text. The names of the language templates would also not appear in the "SEC_RES_MASTER" table. CSCue83454 In CWA, ISE is not able to learn guest user IP address In CWA, the NAD has no knowledge of the guest username, so RADIUS accounting cannot do the username-IP mapping. However, ISE can fetch the client IP address and show it in the Live Authentications or in the Guest reports. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 59 Cisco ISE, Release 1.1.3 Patch Updates Table 27 Cisco ISE Patch Version 1.1.3.124—Patch 2 Resolved Caveats (continued) Caveat Description CSCue90444 When an active IPEP node fails, the VPN traffic drops. This fix ensures that VPN traffic is not dropped. The error occurred because when the standby IPEP device becoming active as a result of a failure of an active IPEP node, the VPN session information was not being updated. The workaround was to disconnect and then reconnect the VPN session. CSCuf05267 BYOD usability - Provide API to poll BYOD status. An API has been provided to poll the BYOD Status, which can be used by the Guest Service. CSCuf08298 Collect only the attributes that are used in profiling policies This is an enhancement to CSCua89503, which was resolved in 1.1.2. It enhances the ability to globally configure endpoint attribute filtering to help Cisco ISE reduce the amount of profiling traffic replicated in the local database. Now any attributes that are not present in the whitelist are dropped when attribute filtering is enabled. CSCuf47857 BYOD enhancements This fix provides BYOD usability enhancements for guest CR CSCuf66747 Guest user notification substitution uses system timezone instead of user timezone Guest user notifications use system timezone for account-start-time and account-end-time when the %starttime% and %endtime% variables are used in guest user notification within the Sponsor portal language templates. This substitution uses start-time and end-time adjusted to the Cisco ISE system timezone instead of guest user timezone. CSCuf71124 PAP admin login failed for consecutive purge operations This issue was intermittent. Before this fix, when there were successful data purges of the Management node, attempts to log into the PAP admin UI would fail with the following error message: “Authentication failed due to zero RBAC Group.” CSCuf90492 ISE cannot process large SGT matrices or send radius messages larger than 4k ISE now supports large SGT matrices. It no longer displays the following error message in the AAA diagnostics: “Invalid attributes in outgoing radius packet possibly some attributes exceeded their size limit.” CSCuf90513 Multiple Policy Service node’s attempt to write the same profile data to the database that causes high CPU usage. When multiple Policy Service nodes receive the same profiling data from an endpoint, each Policy Service node attempts to write to the Cisco ISE database. However, only one Policy service node can write data to the database, and therefore CPU utilization will be high in other Policy Service nodes when they are not able to write data to the database during reprofiling endpoints. This might result in disabling the data replication from the Administration ISE node. Release Notes for Cisco Identity Services Engine, Release 1.1.x 60 OL-26136-01 Cisco ISE, Release 1.1.3 Patch Updates Table 27 Cisco ISE Patch Version 1.1.3.124—Patch 2 Resolved Caveats (continued) Caveat Description CSCug04743 The order of policies change on Authentication, Posture and CP Policy pages when using Google Chrome Before this fix, when a policy was inserted or duplicated on either the Posture Policy page, CP Policy page, or Authentication Policy. After the policy was saved, and you returned to the Policy page, the policies would be listed in a different order. This issue occurred only when there are more than 10 policies. CSCug15615 BYOD CR: Error message needs to be modified for a disabled NSP policy (NSPMsg.FAIL_NSP_DISABLE) The following error message has been enhanced to indicate that the error occurs when the NSP policy is configured but disabled: “System administrator has not configured a policy for your device. Contact your system administrator.” The new error message is: “System administrator has not configured a policy or has to enable a policy for your device. Contact your system administrator.” CSCug34981 Incorrect authorization policy match for Self Service Guests when the profiler CoA is set to ReAuth The authorization policy match for Self Service Guests is now correct. CSCug35133 The attribute Service-Type is changing often with the radius probe and causing high CPU usage This is not a key attribute and it has been removed from the static list. It is no longer triggering frequent profiling updates on EndPoints. CSCug37245 SCEP enrolment fails when using certificates from different CAs SCEP enrolment can now use certificates from different CAs. CSCug44228 BYOD success message is shown before CoA and can cause a loop and a network connection error message on the browser Before this fix, a BYOD success message would be received too early, and sometimes when an attempt was made to browse the Internet, an error message was shown stating that the client cannot connect to network. This issue would occur when a BYOD device would connect to an Open SSID with PEAP initially and browse the Internet. This would cause the device to be redirected to the device registration page and would be asked to download a profile. Once the device was registered and the profile was downloaded, a success message was shown. However, this occurred before CoA had happen. CSCug78350 To install the NAC Agent on IE 10, you must enable compatible mode This fix ensures that you no longer have to enable compatibility mode to install the NAC Agent. This issue would occur after authenticating to ISE, opening IE 10 as an administrator, redirecting to the CP page, and clicking Install. Only Active-x would be installed and no error messages were displayed on the server. The workaround was to enable Compatibility Mode on IE. CSCug78636 Disable Diagnostics Issue Before this fix, it was recommended that diagnostics be disabled to improve the response time of the UI. You can now leave the diagnostics at the default setting of logging only warning or error level messages. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 61 Cisco ISE, Release 1.1.3 Patch Updates Table 27 Cisco ISE Patch Version 1.1.3.124—Patch 2 Resolved Caveats (continued) Caveat Description CSCug79123 Messages are displaying in vertical format in IE The following BYOD flow message is no longer displaying in vertical format on the device registration page when the CP policy was disabled: “The system administrator has not configured a policy or has to enable a policy for your device.” The message now displays correctly in the horizontal format. The message always displayed correctly for Chrome and Firefox. CSCug80970 Wrong button is displayed when the session is lost during NSPWizard installation process Before this fix, the Run Network Setup Assistant button was displayed when the session was staled in a dual SSID scenario. This fix now allows only the Try Again button to be displayed, as expected because the session does not exist in server, and stops the Run Network Setup Assistant button from being displayed. This occurs when a dual SSID flow is Configured, a Windows device is redirected to the guest portal, the Register button is clicked to start the NSP Wizard installation, and the session is staled during NSP Wizard installation. Then when you exit the NSP profile window and go back to browser, the correct message is displayed. Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 1 Table 28 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.3.124 cumulative patch 1. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.3, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 28 Cisco ISE Patch Version 1.1.3.124—Patch 1 Resolved Caveats Caveat Description CSCuc07816 Must be able to purge MnT data from CLI This fix allows Cisco ISE administrators to purge monitoring and troubleshooting operational data on demand using the application configure ise command. CSCuc48613 Google Chrome can cause reordering of Authorization Policy rules This fix addresses the issue where after upgrade to Cisco ISE 1.1.1, if you use the Google Chrome browser to edit the authorization policy rules, you find the rules reordered and some of the rules appear grayed out. Release Notes for Cisco Identity Services Engine, Release 1.1.x 62 OL-26136-01 Cisco ISE, Release 1.1.3 Patch Updates Table 28 Cisco ISE Patch Version 1.1.3.124—Patch 1 Resolved Caveats (continued) Caveat Description CSCuc58992 IP address of the endpoints is not getting updated correctly Cisco ISE Release 1.1.x uses the following authoritative attributes to create IP address-to-MAC address mapping: • DHCP-REQUESTED-ADDRESS • FRAMED-IP-ADDRESS • CDPCACHEADDRESS In the case of DHCP span, if Cisco ISE gets an actual assignment from the DHCP server, then DHCP can be authoritative. Unfortunately, in the case of IP Helper, only the requested address is visible, and in some cases, the server responds with a different address than the requested one. To address some of the inaccuracies with the IP-MAC mapping, Cisco has moved the Framed-IP-Address so that it has a better preference than the dhcp-request-address. CSCue14864 Endpoint statically assigned to ID group may appear in different group This fix addresses an issue where endpoints that are statically assigned to an Endpoint ID group unexpectedly appear in another group. The potential issue is that, where authorization profiles are based on ID group, these endpoints may wind up getting assigned the wrong authorization result. This issue has been observed where the administrator creates endpoint identity groups and manually add endpoints to the Cisco ISE database, making them static. CSCue16774 Profiler purge process is not running, EndPoint Cache grows past memory limits This fix addresses the Cisco ISE application restart issue that occurs if purge process in profiler has stopped and EndPoint Cache size increases beyond the memory limit. CSCue31190 Sponsor users editing guest accounts may cause internal server errors This fix addresses the issue where an "internal server error" message would appear in the Cisco ISE Administrator User Interface when attempting to edit a guest user via the Cisco ISE Sponsor portal. CSCue53508 Limit SNMP Query based of RADIUS Acct Start Event Once it receives a RADIUS accounting message, Cisco ISE schedules an SNMP query on that port. If too many messages come in, the server can get overwhelmed. Cisco has added a time-out parameter to control how often Cisco ISE performs SNMP queries for particular endpoints. (At most one query per day per endpoint.) CSCue58842 Valid email refused in Cisco ISE Guest Portal This fix validates the email address entered in the Cisco ISE Guest portal. If you enter a valid email address such as [email protected] and there is only one character after the period in the username, Cisco ISE refuses it as an invalid email address for a sponsored guest email ID. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 63 Cisco ISE, Release 1.1.2 Patch Updates Table 28 Cisco ISE Patch Version 1.1.3.124—Patch 1 Resolved Caveats (continued) Caveat Description CSCue71478 Remove ACS-Session-ID from attribute suppression white-list The ACS-Session-ID attribute is used in Profiler to detect which Policy Service node issues a Change of Authorization. This attribute changes frequently in case of failed authorization events because new sessions are created. This means that even with attribute suppression enabled, because this attribute is essential, Cisco ISE generates a database replication event for it. The fix is to drop the attribute and instead extract the AAA server attribute, which corresponds to the node that evaluates the request. For example: AAA-Server1-admin Previously, Cisco ISE would use the ACS-Session-ID which would have been: AcsSessionID positron-mehdi/151281952/12 In the context of very high Accounting or Authorization failures, this should reduce the number of database events. CSCue71874 Re-profiling process check continuously running Due to the 60 second buffering in persistence to allow for replication events reduction, Cisco ISE delays re-profiling if any profiler policy is changed. This delay is now disabled for the Primary node where re-profiling occurs. CSCue86661 Cisco ISE does not match a compound condition with multiple conditions in a policy rule This fix addresses the issue where Cisco ISE evaluates only the last compound condition in a policy rule with multiple conditions. Earlier, the workaround was to remove the compound condition from the policy rule and add it again. CSCue96626 Address purging issues Purge failure and the resulting impact on Monitoring operations are addressed in this fix. Cisco ISE, Release 1.1.2 Patch Updates The following patch release applies to Cisco ISE release 1.1.2 • Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 10, page 65 • Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 9, page 65 • Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 8, page 66 • Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 7, page 66 • Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 6, page 67 The following patch releases apply to Cisco ISE release 1.1.2 and have been rolled into release 1.1.3: • Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 6, page 67 • Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 5, page 68 Release Notes for Cisco Identity Services Engine, Release 1.1.x 64 OL-26136-01 Cisco ISE, Release 1.1.2 Patch Updates • Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 4, page 70 • Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 3, page 70 • Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 2, page 71 Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 10 Table 30 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 10. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 29 Cisco ISE Patch Version 1.1.2.145—Patch 10 Resolved Caveats Caveat Description CSCuj51094 Captured TCPDump file is not working This fix addresses an issue where an exception occured when opening a captured TCPDump file. Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 9 Table 30 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 9. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 65 Cisco ISE, Release 1.1.2 Patch Updates Table 30 Cisco ISE Patch Version 1.1.2.145—Patch 9 Resolved Caveats Caveat Description CSCui22841 Apache Struts2 command execution vulnerability Cisco ISE includes a version of Apache Struts that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2013-2251. This fix addresses the potential impact on this product. Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 8 Table 31 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 8. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 31 Cisco ISE Patch Version 1.1.2.145—Patch 8 Resolved Caveats Caveat Description CSCue59806 'NAC Server not available' error is thrown - EAP failure error (No response) This fix addresses EAP timeout issue when it occurred on the session, but the session is already accepted and the protocol runtime (prrt) will not remove any session attribute. If you see an EAP timeout from the client, the protocol runtime (prrt) cleans posture session attributes. The posture runtime service, which looks for session attributes will fail to fetch the session information. Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 7 Table 32 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 7. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. Release Notes for Cisco Identity Services Engine, Release 1.1.x 66 OL-26136-01 Cisco ISE, Release 1.1.2 Patch Updates If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 32 Cisco ISE Patch Version 1.1.2.145—Patch 7 Resolved Caveats Caveat Description CSCue60442 Authorization policies disappear after modifying the name of the parent endpoint identity group in Cisco ISE This fix addresses the issue where you can modify the name of the user-defined endpoint identity groups and this does not impact the Authorization Policy page. If you modify the name of the parent endpoint identity group (user-defined) when you have referenced the child endpoint identity groups in the authorization policies, the Authorization Policy page is empty and the configured authorization policies are not displayed. CSCuf56635 HP Jetdirect Printer is incorrectly profiled as HP-Device using DHCP probe If you change the parent policy of an existing profiling policy, and then add or delete one or more profiling conditions in the profiling policy, endpoints are not profiled as expected and you might encounter cache-related exceptions. Workaround To prevent such issues, you must create a new profiling policy instead of modifying an existing policy. • If a secondary node has any profiling issue as described above, perform a manual synchronization of nodes, which might resolve the issue. • If an existing profiling policy creates an issue as described above, delete the existing policy and create a new profiling policy with the same set of attributes and conditions. If both of the workarounds listed here do not work, contact Cisco TAC for assistance. Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 6 Table 33 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 6 (Revision Number 77241). To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 67 Cisco ISE, Release 1.1.2 Patch Updates Table 33 Cisco ISE Patch Version 1.1.2.145—Patch 6 Resolved Caveats Caveat Description CSCud65479 Device registration Change of Authorization loop with posturing enabled This fix addresses the device registration flow issue where the Cisco ISE Admin node issues a second CoA after the endpoint becomes compliant and is authorized. When a client connects to the SSID, authenticates, and is redirected to device registration portal, the user agrees to the Acceptable Use Policy and is mapped to the predetermined endpoint group and the client status changes to compliant. After a few seconds, however, the client undergoes another Change of Authorization. Cisco ISE registers a “CoAHandler][] cisco.profiler.infrastructure.profiling.CoAHandler- About to issue CoA on <MAC address> due to Identity Group change.” entry repeatedly in the profiler.log file: CSCuf08298 Collect only the attributes that are used in profiling policies Earlier releases of Cisco ISE do not feature any control over which attributes can be saved, and as a result, would collect a significant amount of unnecessary information. In Cisco ISE, Release 1.1.2, you can globally configure endpoint attribute filtering to help Cisco ISE reduce the amount of profiling traffic replicated in the local database. This enhancement introduces a new function called a “whitelist,” which drops any attributes that are not present in the whitelist to ensure Cisco ISE database replication takes place as efficiently as possible. CSCuf66747 Guest user notification substitution uses system timezone instead of user timezone Guest user notifications use system timezone for account-start-time and account-end-time when the %starttime% and %endtime% variables are used in guest user notification within the Sponsor portal language templates. This substitution uses start-time and end-time adjusted to the Cisco ISE system timezone instead of guest user timezone. CSCuf90513 Multiple Policy Service node’s attempt to write the same profile data to the database that causes high CPU usage. When multiple Policy Service nodes receive the same profiling data from an endpoint, each Policy Service node attempts to write to the Cisco ISE database. However, only one Policy service node can write data to the database, and therefore CPU utilization will be high in other Policy Service nodes when they are not able to write data to the database during reprofiling endpoints. This might result in disabling the data replication from the Administration ISE node. Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 5 Table 34 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 5. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Release Notes for Cisco Identity Services Engine, Release 1.1.x 68 OL-26136-01 Cisco ISE, Release 1.1.2 Patch Updates Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 34 Cisco ISE Patch Version 1.1.2.145—Patch 5 Resolved Caveats Caveat Description CSCuc58992 IP address of the endpoints is not getting updated correctly Cisco ISE Release 1.1.x uses the following authoritative attributes to create IP address-to-MAC address mapping: • DHCP-REQUESTED-ADDRESS • FRAMED-IP-ADDRESS • CDPCACHEADDRESS In the case of DHCP span, if Cisco ISE gets an actual assignment from the DHCP server, then DHCP can be authoritative. Unfortunately, in the case of IP Helper, only the requested address is visible, and in some cases, the server responds with a different address than the requested one. To address some of the inaccuracies with the IP-MAC mapping, Cisco has moved the Framed-IP-Address so that it has a better preference than the dhcp-request-address. CSCue53508 Limit SNMP Query based of RADIUS Acct Start Event Once it receives a RADIUS accounting message, Cisco ISE schedules an SNMP query on that port. If too many messages come in, the server can get overwhelmed. Cisco has added a time-out parameter to control how often Cisco ISE performs SNMP queries for particular endpoints. (At most one query per day per endpoint.) CSCue71478 Remove ACS-Session-ID from attribute suppression white-list The ACS-Session-ID attribute is used in Profiler to detect which Policy Service node issues a Change of Authorization. This attribute changes frequently in case of failed authorization events because new sessions are created. This means that even with attribute suppression enabled, because this attribute is essential, Cisco ISE generates a database replication event for it. The fix is to drop the attribute and instead extract the AAA server attribute, which corresponds to the node that evaluates the request. For example: AAA-Server1-admin Previously, Cisco ISE would use the ACS-Session-ID which would have been: AcsSessionID positron-mehdi/151281952/12 In the context of very high Accounting or Authorization failures, this should reduce the number of database events. CSCue71874 Re-profiling process check continuously running Due to the 60 second buffering in persistence to allow for replication events reduction, Cisco ISE delays re-profiling if any profiler policy is changed. This delay is now disabled for the Primary node where re-profiling occurs. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 69 Cisco ISE, Release 1.1.2 Patch Updates Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 4 Table 35 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 4. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 35 Cisco ISE Patch Version 1.1.2.145—Patch 4 Resolved Caveats Caveat Description CSCue14864 Endpoint statically assigned to ID group may appear in different group This fix addresses an issue where endpoints that are statically assigned to an Endpoint ID group unexpectedly appear in another group. The potential issue is that, where authorization profiles are based on ID group, these endpoints may wind up getting assigned the wrong authorization result. This issue has been observed where the administrator creates endpoint identity groups and manually add endpoints to the Cisco ISE database, making them static. Workaround The end users must manually authenticate the endpoint again. Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 3 Table 36 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 3. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Release Notes for Cisco Identity Services Engine, Release 1.1.x 70 OL-26136-01 Cisco ISE, Release 1.1.2 Patch Updates Table 36 Cisco ISE Patch Version 1.1.2.145—Patch 3 Resolved Caveats Caveat Description CSCud43467 Periodic Reassessment check functionality not working This resolution addresses an issue where no periodic posture reassessment was initiated on certain client machines logged into the Cisco ISE network. Note There is no known workaround for this issue. Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 2 Note There is no Patch 1 available for general deployment on the Cisco Download Software Site. Patch 1 was a limited availability patch which is now superseded by Patch 2. Table 37 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.2.145 cumulative patch 2. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 37 Cisco ISE Patch Version 1.1.2.145—Patch 2 Resolved Caveats Caveat Description CSCto28988 Session cache entry not found with failed authentication entries This fix addresses an issue where Cisco ISE would intermittently return session failures citing the wrong password, unknown user, and/or EAP protocol failures. Before this resolution, you would need to disconnect and reconnect to any wired interface experiencing this issue, and (for wireless connections) either disconnect from the interface and wait five minutes before reconnecting, or ask your network administrator to manually clear the client session from a Wireless LAN Controller. Note This issue was not unique to guest login session flows. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 71 Cisco ISE, Release 1.1.2 Patch Updates Table 37 Cisco ISE Patch Version 1.1.2.145—Patch 2 Resolved Caveats (continued) Caveat Description CSCub32594 Inline posture node does not accept a policy from the associated Policy Service node This resolution addresses an issue that could occur when multiple user sessions trigger concurrent exchanges of RADIUS messages between the Inline Posture node and the Policy Service node (in the case of an “Authorize-Only” query or DACL download, for example) due to a race condition between two simultaneous threads. To reproduce this issue, the best way is to generate many concurrent RADIUS sessions. Note CSCuc13075 Historically, this issue might only occur on a very infrequent basis, possibly taking months between subsequent occurrences. Endpoints are being saved with EndpointPolicy as Unknown This update fixes an issue where endpoint profiles were appearing in the Cisco ISE administrator interface as designed, reading “Apple-Device,” but upon editing the endpoint entry, the endpoint attributes “Endpoint Policy” and “Matched Policy” appeared as “UNKNOWN.” CSCuc21814 Incorrect profiler policy with Rate limiter delayed updates in few cases This fix addresses an issue where the Cisco ISE profiling policy represents to an incorrect value in certain cases due to delayed profiling updates by the previously-implemented Rate Limiter enhancement. CSCuc46719 High CPU usage observed when profiling data cannot be written to database When profiler fails to write data to the Cisco ISE database, the process does not drop that data and, instead, keeps trying to update the database, driving up CPU usage due to the extra services required. One example recorded involved a RADIUS probe where each user had a very large Active Directory group membership field. The value of this field was larger than what the Cisco ISE database could store reliably, and when Profiler tried repeatedly to add the data, the result was extremely high CPU usage. CSCud04633 Java causing “Out of Memory” errors in Cisco ISE This issue was observed in Cisco ISE, Release 1.1.1 where client machines were attempting to register with Cisco ISE using the EAP-TLS and PEAP protocols, as well as during standard profiling functions. Before this fix addressed the issue, you would have to manually restart services on the Cisco ISE node in question to remedy the situation. Release Notes for Cisco Identity Services Engine, Release 1.1.x 72 OL-26136-01 Cisco ISE, Release 1.1.2 Patch Updates Table 37 Cisco ISE Patch Version 1.1.2.145—Patch 2 Resolved Caveats (continued) Caveat Description CSCud11139 XSS Vulnerability in Cisco ISE Guest Portal A security scan of the Cisco ISE Guest Portal indicated that the product could be vulnerable to an XSS cross-scripting attack. This issue was observed on Cisco ISE, Release 1.1.1 and has now been addressed in this patch release. Note There is no known workaround for this issue. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C CVE ID CVE-2012-5744 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCud12095 Purge job fails to complete in Cisco ISE, Release 1.1.1 This fix addresses an issue resulting in an “explosion” of Monitoring and Troubleshooting node tables reaching as high as 150GB in size, and the presence of many associated “database failure” messages in the Cisco ISE alarm entries. Prior to this fix, you would need to contact the Cisco TAC to get instructions necessary to manually clean the oversized Monitoring and Troubleshooting node tables. CSCud20871 Session cache entry missing during Guest authentication This fix addresses an issue with Cisco ISE Guest authentication failures returning “86107-Session cache entry missing” errors from the Guest Portal. In order to resolve the issue prior to this fix, you would have to: 1. Manually remove the Guest login session from the access point. 2. Wait for the resulting idle-timeout or session timeout to elapse on the access point, and then attempt to re-establish the connection. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 73 Cisco ISE, Release 1.1.1 Patch Updates Cisco ISE, Release 1.1.1 Patch Updates The following patch releases apply to Cisco ISE release 1.1.1 • Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 7, page 74 The following patch releases apply to Cisco ISE release 1.1.1 and 1.1.3: • Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 6, page 74 • Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 5, page 75 • Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 4, page 76 The following patch releases apply to Cisco ISE release 1.1.1 and have been rolled into release 1.1.2 and 1.1.3: • Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 3, page 77 • Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 2, page 78 • Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 1, page 79 Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 7 Table 38 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.1.268 cumulative patch 7. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 38 Cisco ISE Patch Version 1.1.1.268—Patch 7 Resolved Caveats Caveat Description CSCuj51094 Captured TCPDump file is not working This fix addresses an issue where an exception occured when opening a captured TCPDump file. Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 6 Table 39 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.1.268 cumulative patch 6. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Release Notes for Cisco Identity Services Engine, Release 1.1.x 74 OL-26136-01 Cisco ISE, Release 1.1.1 Patch Updates Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 39 Cisco ISE Patch Version 1.1.1.268—Patch 6 Resolved Caveats Caveat Description CSCui22841 Apache Struts2 command execution vulnerability Cisco ISE includes a version of Apache Struts that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2013-2251. This fix addresses the potential impact on this product. Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 5 Table 40 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.1.268 cumulative patch 5. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 40 Cisco ISE Patch Version 1.1.1.268—Patch 5 Resolved Caveats Caveat Description CSCub32594 Inline posture node does not accept a policy from the associated Policy Service node This resolution addresses an issue that could occur when multiple user sessions trigger concurrent exchanges of RADIUS messages between the Inline Posture node and the Policy Service node (in the case of an “Authorize-Only” query or DACL download, for example) due to a race condition between two simultaneous threads. To reproduce this issue, the best way is to generate many concurrent RADIUS sessions. Note Historically, this issue might only occur on a very infrequent basis, possibly taking months between subsequent occurrences. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 75 Cisco ISE, Release 1.1.1 Patch Updates Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 4 Note To properly apply patch 4 to your Cisco ISE nodes and gain the benefits of CSCua55485, you must install the patch according to whether your nodes are deployed in different network domains: • If all of your Cisco ISE nodes are deployed are in same domain, you can apply patch 4 using the standard administrator user interface method described below. • If your Cisco ISE nodes are deployed in different domains, you must install this patch on your Cisco ISE nodes via the administrator CLI. Once the patch has been applied on the deployment, you can then apply future patches using the standard Administrator user interface method. Table 41 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.1.268 cumulative patch 4. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 41 Cisco ISE Patch Version 1.1.1.268—Patch 4 Resolved Caveats Caveat Description CSCua55485 Cisco ISE distributed deployment does not work with split-domain configuration This fix addresses an issue users can experience while adding nodes to an existing distributed deployment. If the existing Cisco ISE nodes belong to different domains (or even different sub-domains), you may not be able to introduce new nodes to the deployment as designed. The primary cause of this failure involves Cisco ISE using the hostnames from different domains to resolve to the IP address rather than using the proper FQDN during registration. Note CSCuc13075 If all of your Cisco ISE nodes are deployed are in same domain, you can apply this patch using the standard administrator user interface method. If your Cisco ISE nodes are deployed in different domains, however, you must install this patch on the Cisco ISE nodes via the administrator CLI. Once the patch has been applied on the deployment, you can then apply future patches using the standard Administrator user interface method. Endpoints are being saved with EndpointPolicy as Unknown This update fixes an issue where endpoint profiles were appearing in the Cisco ISE administrator interface as designed, reading “Apple-Device,” but upon editing the endpoint entry, the endpoint attributes “Endpoint Policy” and “Matched Policy” appeared as “UNKNOWN.” Release Notes for Cisco Identity Services Engine, Release 1.1.x 76 OL-26136-01 Cisco ISE, Release 1.1.1 Patch Updates Table 41 Cisco ISE Patch Version 1.1.1.268—Patch 4 Resolved Caveats (continued) Caveat Description CSCuc46719 High CPU usage observed when profiling data cannot be written to database When profiler fails to write data to the Cisco ISE database, the process does not drop that data and, instead, keeps trying to update the database, driving up CPU usage due to the extra services required. One example recorded involved a RADIUS probe where each user had a very large Active Directory group membership field. The value of this field was larger than what the Cisco ISE database could store reliably, and when Profiler tried repeatedly to add the data, the result was extremely high CPU usage. CSCuc64732 Detecting a name change behaves case-sensitive This fix addresses an issue involving user names in Active Directory using a different case format than the user names stored in the session Cache. The result of this mismatch led to users experiencing a “loop” because the name comparison failed repeatedly. Workaround Without applying this patch, you must ensure that you use only lower case names in Active Directory as well as when authenticating via a native supplicant. Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 3 Table 42 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.1.268 cumulative patch 3. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 42 Cisco ISE Patch Version 1.1.1.268—Patch 3 Resolved Caveats Caveat Description CSCuc19682 Cisco ISE purge operation corrupts indexes in some database tables This fix addresses an issue where a large number of authentication failures result due to the Network Access Device pointing to the Policy Service Node for RADIUS. One of the primary symptoms, however, involves the fact that those failures do not then appear in the Administrative ISE node user interface. Prior to this fix, to resolve the issue, you would have had to work with the Cisco escalation team to manually purge some of these tables. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 77 Cisco ISE, Release 1.1.1 Patch Updates Table 42 Cisco ISE Patch Version 1.1.1.268—Patch 3 Resolved Caveats (continued) Caveat Description CSCuc51338 Sessions leak when rule-based policy performed with proxy result This fix addresses an issue where Cisco ISE restarts periodically because of an “Out Of Memory” condition due to a large number of authentication sessions when the Authentication policy is configured as a “Rule-Based” policy and Cisco ISE is configured to proxy requests through an external AAA server. Cisco ISE has a default limit of 15,000 concurrent sessions, but when authentication requests are proxied in this way, the number of sessions can grow beyond that limit. Prior to this resolution, you would ordinarily have to periodically restart the Cisco ISE server before reaching the upper limit of requests. Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 2 Table 43 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.1.268 cumulative patch 2. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 43 Cisco ISE Patch Version 1.1.1.268—Patch 2 Resolved Caveats Caveat Description CSCua64378 Large number of Profiler endpoint update messages causing an issue over WAN deployment This fix addresses an issue caused by an Oracle AQ limitation over WAN deployments. Cisco ISE now reduces the incoming database updates to the primary Administration ISE node by delaying Profiler endpoint updates so that, instead of sending all the intermediate changes on endpoints, the Profiler just sends the latest update at the end of the delay period. This collates a collection of updates into just one update. CSCua56980 Primary Administration ISE node is non-responsive over a period of time because of frozen database Cisco ISE has addressed this issue by sending just one consolidated update from all the probes like DHCP, RADIUS, SNMP,HTTP, etc. that are triggered when a user is coming onto the network. For new endpoints coming onto the network, the behavior remains as it is currently, as there are no issues with delay applied to those sessions. Release Notes for Cisco Identity Services Engine, Release 1.1.x 78 OL-26136-01 Cisco ISE, Release 1.1.1 Patch Updates Table 43 Cisco ISE Patch Version 1.1.1.268—Patch 2 Resolved Caveats (continued) Caveat Description CSCua50327 Cisco ISE Deployment page takes 40 to 50 seconds to render This fix resolves an issue in the Cisco ISE administrator user interface where the Administration > System > Deployment page takes approximately 40 to 50 seconds to load between peer nodes deployed over a WAN connection. CSCub03210 Database connection “leakage” during rollback failure This fix addresses an issue that comes up when profiler enabled on Policy Service nodes and the Policy Service node keeps profiling endpoints which have already been accounted for and logged in the Administration ISE node. Where there are multiple Policy Service nodes in a deployment trying to log information with the Administration ISE node and any of these transactions fail, the Policy Service node tries to roll back the transaction, thus resulting in a database connection “leakage.” Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 1 Table 44 lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.1.268 cumulative patch 1. To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.1.x. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 44 Cisco ISE Patch Version 1.1.1.268—Patch 1 Resolved Caveats Caveat Description CSCua92153 Cisco ISE does not validate Certificate Signing Requests correctly This fix addresses an issue where Cisco ISE generates a CSR from a native supplicant during device registration and uses the identity name as part of the request subject. Cisco ISE, however, does not appropriately validate the identity. As a result, an attacker can create a CSR with any name, and if there is a policy based on “cert:subject name.” then Cisco ISE may authenticate the false user ID because the policy allows it. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 79 Cisco ISE Antivirus and Antispyware Support Cisco ISE Antivirus and Antispyware Support See the following Cisco ISE documents for specific antivirus and antispyware support details using Cisco NAC Agent and NAC Web Agent: • Cisco Identity Services Engine Release 1.1.x Supported Windows AV/AS Products • Cisco Identity Services Engine Release 1.1.x Supported Mac OS X AV/AS Products Cisco NAC Agent Interoperability Between NAC Appliance and Identity Services Engine The Cisco NAC Agent versions 4.9.4.3 and later can be used on both Cisco NAC Appliance Releases 4.9(3), 4.9(4) and Cisco ISE Releases 1.1.3-patch 11, 1.1.4-patch 11, 1.2. This is the recommended model of deploying the NAC agent in an environment where users will be roaming between ISE and NAC deployments. Integration with Cisco Prime Network Control System Cisco Identity Services Engine, Release 1.1. x integrates with Cisco Prime Network Control System (Prime NCS), Release 1.2 to manage wired and wireless networks. Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats Caveat Description CSCus28288 After successful patch installation via GUI, the patch information fails to appear in the Administration > Maintenance > Patch Management > Installed Patches page. As a result, the Rollback option can be used only via the CLI. Also, successful installation of patch can be validated only via the CLI. Workaround Access the Rollback option from the CLI. Validate successful patch installation from the CLI. CSCul13185 When installing the NAC/Web Agent using ActiveX in Internet Explorer11, the browser shows the loading symbol indefinitely without downloading the agent. Workaround Close and reopen the browser. CSCuj61976 Admin UI fails to display certain pages using Firefox 25 The ISE admin UI pages with tree view are not displayed correctly when using FF25 and above versions.</B> Workaround Downgrade to Firefox 24. Release Notes for Cisco Identity Services Engine, Release 1.1.x 80 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCuj80131 ISE Client Provisioning - NSP does not launch on Safari 7 (Mac OS X 10.9) Java Applet fails to install SPW/Agent from Client Provisioning page on Safari browser version 7 available with Mac OSX 10.9. Explicitly let it run by changing the website settings on the browser. The default setting encourages users to whitelist individual sites/pages where JAVA is used. Workaround To let the applet install agent/SPW, connect to ISE and get re-directed to Client Provisioning page. Before clicking Click to Install Agent, go to: Safari->Preferences->Security->Manage Website Settings->Java->Click on your ISE URL->Run in unsafe mode. CSCtc70053 Browser “Back” button not working properly This issue has been observed in the Cisco ISE list page when switching from the list view to edit view (i.e., when you click the Create or Edit button). Workaround There is no known workaround for this issue. CSCti60114 The Mac OS X agent 4.9.0.x install is allowing downgrade The Mac OS X NAC Agent is allowing downgrades without warnings. Note CSCti71658 Mac OS X Agent builds differ in minor version updates only. For example, 4.9.0.638 and 4.9.0.637. The Mac OS X Agent shows user as “logged-in” during remediation The menu item icon for Mac OS X Agent might appear logged-in before getting full network accesses The client endpoints are connecting to an ISE 1.0 network or NAC using device-filter/check with Mac OS X Agent 4.9.0.x. Workaround Please ignore the icon changes after detecting the server and before remediation is done. CSCtj00178 Group QuickFilters not working as designed After the administrator runs and saves an advanced filter, Cisco ISE does not display the “Successful Save” pop-up after the filter is saved. This issue has been observed using the Admin Groups, User Identity Groups, Endpoint Identity Groups, and Guest Sponsor Groups filter options. Workaround There is no known workaround for this issue. CSCtj22050 Certificate dialog seen multiple times when certificate is not valid When the certificate used by the agent to communicate with the server is not trusted, the error message can be seen multiple times. Workaround Make sure you have a valid certificate installed on the server and that it has also been accepted and installed on the client. Note The additional certificate error message is primarily informational in nature and can be closed without affecting designed behavior. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 81 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtj25158 Exported admin should not be imported back as Network Access User This problem occurs when Cisco ISE promote Network Access Users to Administrators, and then export those users. When you re-import those users, they appear as Network Access Users only. Cisco ISE does not import the promoted users as Administrators. Workaround There is no known workaround for this issue. CSCtj31552 Pop-up Login windows option not used with 4.9 Agent and Cisco ISE When right clicking on the Windows taskbar tray icon, the Login option is still present, but is not used for Cisco ISE. The login option should be removed or greyed out. Workaround There is no known workaround for this issue. CSCtj76835 Unable to retrieve a saved Authentication Trend report Symptom Two steps are necessary to save an Authentication Trend report: 1. Select the folder. 2. Name the file. If you do not select a folder from the list that is presented, the report should be saved in the root folder and should appear in the Reports tab. You can observe that the files are saved, but they do not appear in the left side pane and there is no option to retrieve the files. Conditions Saving an Authentication Trend report without selecting a folder. Workaround Do not save the report under the root folder. Always choose a subfolder. CSCtj81255 Two MAC addresses detected on neighboring switch of ACS 1121 Appliance. Symptom Two MAC addresses are detected on the switch interface connected to an ACS 1121 Appliance although only one interface is connected on the ACS 1121 Server eth0. Conditions Only one Ethernet interface, eth0 is connected between ACS and Switch. Workaround Disable BMC (Baseboard Management Controller) feature using BIOS setup. Caution To help prevent a potential network security threat, Cisco strongly recommends physically disconnecting from the Cisco ISE console management port when you are not using it. For more details, see http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms. Release Notes for Cisco Identity Services Engine, Release 1.1.x 82 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtj94813 Left side administrator user interface pane “Search Result” option is not working as expected 1. If you enter available data and click the search option, it does not display properly. 2. If the option displays some data and if you enter another value, it does not refresh the data properly. 3. The option does not display the layered/structured model as designed. In addition, you are not able to go back to previous menu. Workaround There is no known workaround for this issue. CSCtk34851 XML parameters passed down from server are not using the mode capability The Cisco ISE Agent Profile editor can set parameter modes to merge or overwrite. Mac OS X agent is not processing the mode correctly. Instead, the complete file is overwritten each time. Workaround To use a unique entry, the administrator must set up a different user group for test purposes, or set the file to read only on the client machine and manually make the necessary changes to the local file. CSCtk37360 Administrator is not able to customize report in Internet Explorer 8 Monitoring and troubleshooting reporting functions related to column selection and entry deletion/aggregation, etc. are not working as designed. This issue can come up using the following versions of Internet Explorer 8: • IE 8.0.6001.18702 on Windows XP • IE 8.0.6001.18702IC on Windows XP Workaround There is no known workaround other than to avoid using the problematic browser versions. CSCtk46958 Cisco ISE does not display a warning when navigating away from a modified page without saving When a user changes configuration context, there is no warning indicating that the information configured on the current page is not saved, nor is there a warning indicating that all configuration changes will be lost when the user completes that context change. Workaround Save before navigating away from the page in question. CSCtk82864 AAA Servers incorrectly filter with “Contains” option When AAA servers are added to the AAA servers list (for example: a, ab) and a filter is added which includes regular expressions, Cisco ISE generates an incorrect filtered list. Workaround Do not use regular expressions in filters. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 83 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtl53966 Agent icon stuck on Windows taskbar The taskbar icon should appear when the user is already logged in. Workaround Right-click on the icon in the taskbar tray and choose Properties or About. After you close the resulting Cisco NAC Agent dialog, the taskbar icon goes away. CSCtl70056 “Today” is not validated against the Cisco ISE Monitoring node End Date Reports run with a custom time range (where “today” is the specified End Date) does not work and the Monitoring node returns a validation error. This issue has been observed where the time on the client machine (where a browser session is active) is earlier than that of the Cisco ISE node (for example, where the client is on PST and the Cisco ISE node is on UTC time zone). Workaround Change the time zone or clock on the client machine so that the current time on that server is the same or ahead of the Monitoring node. CSCtl77592 Unable to create authorization policy with RadiusCallingStation ID condition When the administrator uses a MAC address with a xx-xx-xx-xx-xx-xx format as the right hand side (RHS) of a condition with RADIUS “Calling station ID” dictionary attribute, it fails to match the policy decision. Cisco ISE does not perform validation on the string value that is entreated on the RHS when constructing a condition. Workaround Use the MAC address format xx:xx:xx:xx:xx:xx when defining conditions. CSCtn44427 No progress indicator is displayed when importing collections of random or CSV guests Workaround There is no known workaround for this issue. The administrator must simply wait for the process to complete. CSCtn53084 Incorrect export of DER imported server and trusted certificate authority certificates When exporting a local certificate using the Administration > System > Certificates > Local Certificates > Export page, the administrator may find that the certificate is in Distinguished Encoding Rules (DER) format when another format like Privacy Enhanced Mail (PEM) is desired. The certificate export function exports a certificate using the same format it had when imported. In Cisco ISE, there is no format conversion option available. Note CSCtn65437 One way to avoid this is to simply import all certificates in PEM format. You can convert DER to PEM using tools like openssl, and your certificate authority may have an option for PEM output. Report timestamp incorrect with Asia/Kolkata time zone This behavior has been observed only using the Asia/Kolkata time zone. The result is minus 5.30 hours when compared to the actual record in the Cisco ISE database. Workaround There is no workaround for this issue at this time. Release Notes for Cisco Identity Services Engine, Release 1.1.x 84 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtn76441 Custom conditions are not updated under Rules in profiling policies If you rename a profiler condition used by a profiling policy, the new name is not reflected in the rule summary display. It is, however, reflected in the associated expanded rule expression. Workaround If you expand and collapse the rule expression in the anchored overlay and click Save, the correct description displayed in the rule summary repeater will be displayed in the future. If you change the condition name a second time, however, and expand/collapse the summary overlay on the policy page a second time and click Save, the policy page will not reload until and unless you reload the server. CSCtn78676 When a user name has a space between words and another similar name contains two or more spaces, Cisco ISE displays the same user name for both users. Workaround There is no known workaround for this issue. Even though the multiple spaces are trimmed and shown as one space in the UI, the data is saved correctly in the database. CSCtn78899 When a user group name has a space between words and another similar user group name contains two or more spaces, Cisco ISE displays the same user group name for both groups. Workaround Avoid giving spaces in the name field while creating Identity Group. CSCtn92594 Quickpicker filters are not working correctly during Client Provisioning policy configuration This issue has been observed with the following three filter options: • Identity Groups • Operating Systems • Other conditions Workaround There is no known workaround for this issue. CSCtn95548 Filter behaving case sensitive for Network Device groups The results for network device group filtering in the network device group (NDG) page are incorrect. This is because the filtering in the network device group page is case sensitive. Workaround Enter network device groups values using lower-case letters. CSCto05172 The Profiler detail log does not display some attributes. “Certainty Metric,” “Matched Rule,” and “Endpoint Action” name values are not updated in the Profiler endpoint detail log. Workaround There is no known workaround for this issue. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 85 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCto09989 Cisco ISE browser session redirects to Monitoring login page using Internet Explorer 8 As soon as you login to Cisco ISE via IE8 the page gets redirected to a Monitoring node administrator login page (even before the initial page displays completely). Note This issue has also been observed using Mozilla Firefox, but the redirection in Firefox only takes place after a couple of minutes of inactivity. Workaround Immediately after entering your login credentials,. navigate from the main Cisco ISE page to any configuration page (like Posture, Authorization, or Client Provisioning, for example). For more information, see Issue Accessing the Cisco ISE Administrator User Interface, page 134. CSCto32002 The Cisco ISE MAC address authentication summary report displays IP addresses where MAC addresses should be CSCto33933 Login Success display does not disappear when user clicks OK This can occur if the network has not yet settled following a network change. Workaround Wait a few seconds for the display to close. CSCto41340 Authentication Policy replication failure from Primary to Secondary if the time zone changes after installation In release 1.0 time change is not supported after the deployment is setup because of the dependencies on time synchronization. Note CSCto45199 Support for time change within an existing deployment will be postponed to a later release. “Failed to obtain a valid network IP” message does not go away after the user clicks OK This issue has been observed in a wired NAC network with IP address change that is taking longer then normal. (So far, this issue has only been only seen on Windows XP machines.) Workaround None. The user needs to wait for the IP address refresh process to complete and for the network to stabilize in the background. CSCto48555 Mac OS X agent does not rediscover the network after switch from one SSID to another in the same subnet Agent does not rediscover until the temporary role (remediation timer) expires. Workaround The user needs to click Complete or Cancel in the agent login dialog to get the agent to appear again on the new network. CSCto52210 Authorization and authentication policy rules pages load and save times are high This issue has been observed with 50 or more authentication rules, where each rule has at least conditions. The Load and save times approach one-and-a-half minutes. Release Notes for Cisco Identity Services Engine, Release 1.1.x 86 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCto54536 Local certificates disappear on the secondary node following “application reset-config ise” command in CLI When displaying the local certificates on the Administration > System > Certificates > Local Certificates page of a deregistered node that is now in Standalone mode. The administrator should not reset the configuration of a node prior to de-registering it. The correct process is as follows: 1. Node A is registered. 2. Node A is deregistered. 3. Enter “application reset-config ise” in node A CLI. Workaround If the node is reset before deregistration, you can make the local certificates reappear by entering the following commands in the CLI: CSCto60148 • application stop ise • application start ise Java crashes during high posture load This issue has been observed under extreme load condition where Cisco ISE is hit with large number of concurrent users for posture. Workaround None. You must restart the Cisco ISE Policy Service. CSCto63069 The nacagentui.exe application memory usage doubles when using “ad-aware” This issue has been observed where the nacagentui.exe memory usage changes from 54 to 101MB and stays there. Workaround Disable the Ad-Watch Live Real-time Protection function. CSCto64028 “Fail to receive server response...” seen when deleting profiling policy A “Fail to receive server response due to the network error (ex. HTTP timeout)” error message may appear when deleting Profiling policies, and some of the policies may not be deleted. Workaround Log out from Cisco ISE, log back in, and try deleting the policies again. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 87 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCto72015 Authorization policy with condition as “Identity grp” does not work Create an Identity Group with the following attributes: User Identity Groups: • Employee – Location1 – Location2 Create Authorization Policy containing the “IdentityGroup:Name Equals Location1” condition and perform user authentication. Authentication fails because the rule in the condition has not been satisfied. This problem occurs only using the “IdentityGroup:Name” dictionary attribute in the Authorization Policy. Workaround To implement the workaround: 1. Instead of using a Dictionary Attribute (IdentityGroup:Name) in the policy, specify the Identity Group to be “Location1” in the Identity Group selection rather than “Any.” 2. Assign the “Location1” Identity Group to the Internal User. 3. In the Authorization Policy condition, specify one of the following: – “Internal Users.Identity Group Equals IdentityGroup:User Identity Groups:Employee:Location1” – “Internal Users.Identity Group Matches.*Location1” CSCto82519 Saving your Active Directory configuration while the DNS is down takes a very long time Cisco ISE requires connectivity to Active Directory (including DNS) when saving the configuration. If the DNS is not reachable, then the save function may time out before it can complete. Workaround Ensure that the DNS is available and reachable before saving your Active Directory configuration. CSCto84932 The Cisco NAC Agent takes too long to complete IP refresh following VLAN change The Cisco NAC agent is taking longer than normal to refresh IP address due to double IP refresh by supplicant and NAC agent. Workaround Disable the Cisco NAC Agent IP address change function if there is a supplicant present capable of doing the same task. Release Notes for Cisco Identity Services Engine, Release 1.1.x 88 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCto97486 The Mac OS X VLAN detect function runs between discovery, causing a delay VLAN detect should refresh the client IP address after a VLAN detect interval (5) X retry detect (3) which is ~ 30 sec, however it is taking an additional 30 sec. This issue has been observed in both a wired and wireless deployment where the Cisco NAC agent changes the client IP address in compliant or non-compliant state since Mac OS X supplicant cannot. An example scenario involves the user getting a “non-compliant” posture state where the Cisco ISE authorization profile is set to Radius Reauthentication (default) and session timer of 10 min (600 sec). After 10 min the session terminates and a new session is created in the pre-posture VLAN. The result is that the client machine still has post-posture VLAN IP assignment and requires VLAN detect to move user back to the pre-posture IP address. Workaround Disconnect and then reconnect the client machine to the network. CSCtq02332 Windows agent does not display IP refresh during non-compliant posture status The IP refresh is happening on the client machine as designed, but the Agent interface does not display the change appropriately (for example, following a move from preposture (non-compliant) to postposture (compliant) status). Workaround There is no known workaround for this issue. CSCtq02533 The Cisco NAC Agent takes too long to complete IP refresh following VLAN change The Cisco NAC agent is taking longer than normal to refresh IP address due to double IP refresh by supplicant and Cisco NAC agent. Workaround Disable the Cisco NAC Agent IP address change function if there is a supplicant present capable of doing the same task. CSCtq06832 Time and Date conditions need to be updated correctly when changing time zones Configure the Time Zone in Cisco ISE to be “IndianStandardTime,” for example, and create a Time and Date condition (Ex: From Time 10:00 AM & To Time 8:00 PM). Then update the Time Zone from IST to UTC. The existing Time and Date condition does not get updated per the new specified Time Zone. This issue comes up when changing the Time Zone after creating the Time and Date condition in the Policy > Conditions > Common > Time and Date page. Workaround There is no known workaround for this issue. CSCtq07271 Cisco ISE returns a misleading message after Change of Authorization on an Inline Posture node When the administrator issues a Change of Authorization Session Termination, Cisco ISE returns a “successful” message, but the Inline Posture node cannot find the session and drops the request. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 89 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtq07311 Change of Authorization shows “0” sessions on Policy Service node are down This issue has been observed where when one or more Policy Service nodes are behind an Inline Posture node, a client machine connected via a particular Policy Service node has authenticated, but has not yet completed posture assessment, and that Policy Service node then goes down (administratively or otherwise). Note As designed, another Policy Service node in the node group detects that the peer node has gone down and issues a Change of Authorization to terminate the pre-posture session on the client machine, but that measure does not succeed. Workaround If the client machine re-initiates authentication, the new request goes to another Policy Service nod (assuming that the Network Access Device is configured with multiple RADIUS servers) and authentication and posture assessment should work as designed. CSCtq09004 Windows 7 guest access not successful from IE8 and Chrome 10 Guest access fails over a wireless LAN controller connection. The login session does not appropriately redirect the user authentication request. This is likely due to IE8 and Chrome10 browsers on Windows 7 being unable to redirect the RADIUS authentication request to the controller. Note This issue has not been observed using Mozilla Firefox. Workaround Ensure that the certificates in the controller are accepted by the IE8 browser on the Windows 7 client correctly. CSCtq12630 Guest page not redirecting to original URL after wireless login using Internet Explorer 8 or 9 Workaround In Internet Explorer 8, end user should click No in the resulting login dialog that pops up to be redirected to the correct page. In Internet Explorer 9, after the login success message appears, re-enter the original URL in the browser address bar. CSCtq15859 IP address refresh does not work with 64-bit Internet Explorer IP address refresh via ActiveX is not supported on 64-bit versions of the Internet Explorer browser. Such functions are only available in 32-bit versions of Internet Explorer. CSCtq53690 Scheduled Monitoring and Troubleshooting incremental backup switches off following failed backup attempt Workaround If one of the scheduled Monitoring and Troubleshooting node backup events fails, the administrator needs to enable the “Incremental Backup” option again in the Administration > System > Operations > Monitoring Node > Scheduled Backup page. CSCtr09694 MAC address search at Reports > Query and Run should not be case sensitive While launching reports, the MAC address search is case sensitive, but should not be. Note There is no known workaround for this issue. Release Notes for Cisco Identity Services Engine, Release 1.1.x 90 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtr32014 Three-hour Cisco ISE upgrade time on scale configuration This problem occurs during upgrade from one Cisco ISE running release 1.0 software to release 1.1.x. Note CSCtr45402 There is no known workaround for this issue. Server Authentication Summary Report takes more than 1 minute to launch This issue has been observed when viewing more 30 days worth of data on a larger (3395) Cisco ISE platform running Cisco ISE, Release 1.0.4. CSCtr57280 IP-to-MAC address binding fails in wireless environment with RADIUS and HTTP probe RADIUS accounting messages from a WLC do not send the endpoint IP address. This is different from the RADIUS accounting messages from wired infrastructure. This makes the RADIUS method ineffective for IP-to-MAC address binding on Cisco ISE. Workaround Enable a DHCP probe and configure the setup for Cisco ISE to profile endpoints with DHCP packets. CSCtr58811 Need to log out and log back in to get Advanced License functionality After installing an Advanced License on top of an existing Base license, the administrator is not able to view advanced feature pages such as Posture, Profiler, and Security Group Access. Workaround Log out and log back in again to view Advanced feature pages. CSCtr66929 Selected month and year while configuring file “Date” condition If you specify either just the year or month in the “Date” field of the Policy > Policy Element > Conditions > File Condition configuration window, the date does not get saved along with the policy. Workaround Always specify the correct date. CSCtr68491 Windows Internet Explorer 8 Info button on compound condition format is empty When you hover over the “Info” button in the Go to Policy > Policy Elements > Conditions > Posture > Compound Condition page, the pop-up bubble remains empty. This issue has been observed using IE8, but the text appears as designed in Mozilla Firefox. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 91 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtr88091 You may experience slow response times for some user interface elements when using Internet Explorer 8. Symptom When using Internet Explorer 8, the check- boxes on pop-up dialogs for selecting and deselecting groups and attributes may be slow to respond to clicks for changing states. Conditions The use of Internet Explorer 8. Workaround Do any of the following: CSCts10323 • Consider using an alternative web browser. Firefox does not show the same symptoms. • Be patient. The check-boxes in IE8 respond after clicking them several times. • Enter the group names manually, and avoid using the pop-up dialogs. Internet Explorer running slow during client provisioning Internet Explorer has an option where you can turn the “check for revocation lists” function on or off. When this option is enabled and the dACL simultaneously does not allow access to CDP servers, Internet Explorer “freezes up” for about a minute while it tires to access the requisite CDPs. CSCts20529 Authorization profile getting saved with incomplete information This issue occurs when using the “auto-smart-port,” “Filter_ID,” “wireless lan controller,” or “Posture Discovery” fields in the configuration page. Note Because of this mismatch in attribute values, the resulting authorization policy may not work properly. Workaround Click anywhere in the window while creating an authorization profile when using any of the above mentioned attributes. The authorization profile is then saved properly. CSCts36792 No “Cisco ISE Configuration Changes” alarms appearing on Conditions Guest simple and compound conditions can be created, edited, and deleted on the admin UI, but no logs are generated in Cisco ISE accounting. This problem is limited to creating, modifying, and deleting guest simple and compound conditions in the Policy > Policy Management > Conditions > Guest page Workaround There is no known workaround for this issue. Release Notes for Cisco Identity Services Engine, Release 1.1.x 92 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCts48857 Failed to send notification from UTF-8 Email address An “Internal error encountered. Please see logs for more details.” error message appears when attempting to notify a Guest user by email of their new account information. This problem occurs only for user IDs that contain UTF-8 characters outside the US ACSCII range. Workaround There is no actual workaround at this time, however, you could try substituting a traditional ASCII Email address for the address containing UTF-8 characters. CSCts80116 OPSWAT SDK 3.4.27.1 causes memory leak on some PCs Client machines that have version 8.2.0 of Avira AntiVir Premium or Personal may experience excessive memory usage. Note This has only been observed with version 8.2.0 of Avira AntiVir Premium or Personal. Later versions of the application do not have this issue. Workaround Install later version of Avira AntiVir Premium or Personal. CSCts89508 Authorization fails when a UTF-8 username and password credentials are used Microsoft native supplicants for Windows 7, Windows XP and Windows Vista require the following hot fixes in order to support UFT-8 RADIUS user names: • For Windows XP http://support.microsoft.com/default.aspx?scid=kb;EN-US;957218 • For Windows Vista, Windows 7, and Windows Server 2008 http://support.microsoft.com/kb/957424 Workaround Cisco AnyConnect 3.1 conducts EAP authentication with UTF-8 username successfully. CSCtt17378 Cisco NAC Agent does not pop up if TLS 1.0 is not enabled in Internet Explorer settings The problem occurs when all the following conditions are met: • Cisco ISE is operating with a FIPS 140-2 module • The client machine “Local security settings > System cryptography: Use FIPS algorithm” is enabled. • The client machine Internet Explorer Advanced settings, SSL3.0/TLS 1.0 is option is disabled. Workaround Ensure TLS 1.0 is enabled in Internet Explorer and restart the Cisco NAC Agent. CSCtt25262 Externally-authenticated administrator users cannot register nodes Workaround Cisco ISE will not allow the external administrator to register nodes. Create an internal user to perform the registration process. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 93 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtt93787 Files without extensions are not downloaded correctly using Cisco NAC Web Agent When the Cisco NAC Web Agent invokes file remediation, it does not download the file as designed. Instead, the Agent attempts to open the file. Workaround There is no known workaround for this issue. CSCtu39612 Cisco ISE Inline Posture node is not accessible from the Admin ISE node user interface after an upgrade to ISE 1.1.x Workaround Follow the instructions provided in Upgrade from Cisco ISE, Release 1.0.4 to 1.1.1 with Inline Posture, page 16. CSCuh75971 Issue running applet with latest Java 7 update 25 on Windows / Mac If Java 7 update 25 or above is installed, launching of Agents or Network Setup Assistants during client provisioning or onboarding process on Windows or Mac clients would take about 3 minutes as this Java update has Perform revocation checks enabled by default. This causes the applets signed certificates to be verified against issuers CA server, which is currently blocked, and there is no way to open the traffic to CA server on a switch because switch does not support host name based ACL. Workaround If you are using Java 7 update 25, make sure to turn off Perform certificate revocation checks in Java. Open Java Control Panel, click the Advanced tab, go to Perform certificate revocation checks on and select Do not check. CSCuh81724 ISE - Authentication Flow Diagnostics log targets removed in 1.1.4 p2 While upgrading from Cisco ISE Release 1.1.4 patch 1 to patch 2, the log targets configured for ‘Authentication Flow Diagnostics’ might get removed. Workaround After upgrading to release 1.1.4 patch 2, navigate to Administration > Logging > Logging Categories and re-configure the log targets. CSCtv17606 Monitoring and Troubleshooting requires an appropriate error message if backup/restore process fails When you try and perform a Monitoring and Troubleshooting backup/restore from the Cisco ISE administrator user interface, which is intended only to restore Administrator ISE nodes, the message displayed reads, “% Error: Cannot find ise_backup_instance.log in the backup file % Application restore failed.” Instead, a message like “% Error: Cannot ISE M&T backup can only be restored web interface % Application restore failed” would better advise users of the issue. CSCtv21758 You are unable to Unquarantine an endpoint (with Endpoint Protection Services) using the IP address of the endpoint. Workaround Use the MAC address to unquarantine the endpoint. Release Notes for Cisco Identity Services Engine, Release 1.1.x 94 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtw79431 Exiting the Cisco Mac Agent while in “pending” state displays the wrong user message When exiting a Cisco Mac Agent that has not successfully logged in yet, reveals a “successfully logged out from network” message to the user, when in fact there is no log-in status change. Workaround There is no known workaround for this issue. CSCtw98454 Guest accounting report filter not working If you specify a particular username in the Guest user filter in the guest accounting report, Cisco ISE still shows results from other users, as well. CSCtx03427 Create Alarm Schedule returning XSS error messages This issue has been observed when the configured alarm name contains “onChange”. Workaround Rename the alert name to something that does not contain “onChange”. CSCtx31601 Cannot add Network Access user, but able to import users When the string “alert” appears in the Network Access user name, the Cisco ISE user interface prevents it from being created. Workaround If you import a user with that name, it will work. CSCtx59957 A warning/pop-up appears while creating a Guest Time profile A pop-up with the message “Warning: Unresponsive script” can appear when adding a time profile in Guest settings under Administration. Workaround Dismiss the pop-up message and try again. CSCtx60819 Database restoration runs out of space on VMware systems with only 60 GB disk size This issue only occurs on unsupported (EVAL) VMware disk installations where the restoration server has a single disk of only about 60-70 GB of disk space. Workaround Use a VMware server installation with a larger disk size (like 100 GB) if possible. CSCtx62403 Admin can control sessions on a node on which replication has been disabled When a Cisco ISE certificate has expired, replication is disabled on that node. When replication is disabled on a node, active sessions affecting that node can be controlled from the Administrator ISE node. Therefore, the Cisco ISE administrator can see active sessions on nodes where replication has been disabled and can issue Change of Authentication for associated endpoints. Note Certificate validity is validated every 24 hours in a deployment for each node. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 95 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtx62657 Cannot deregister an Inline Posture node On the Deployment List Page, when you attempt to deregister a node by clicking the appropriate button, the administrator user interface is grayed out until a message reading “Deregister is done. Node will be re-started.” appears. Workaround Log out and log in to the administrator user interface again. The deregistered node is no longer visible in the user interface. CSCtx68334 Promotion for Secondary Monitoring and Troubleshooting fails if the Primary node is down While promoting the secondary Monitoring and Troubleshooting node while the primary node is down, then Cisco ISE returns a transition failure and the database rolls back. Workaround Try to perform the operation again to overcome this issue. CSCtx69191 Mozilla Firefox does not function with OpenSC middleware software If you create certificate an authentication profile using the Cisco ISE Active Directory > Groups page, install the OpenSC middleware software, then go to the management station connected to a CAC authentication device and insert the CAC card while attempting to log in via Mozilla Firefox, authentication does not take place as designed. The key issue is that the e-mail certificate that Cisco ISE normally uses to authenticate the administrator does not appear for selection by the browser, and any other certificate fails during connection. Note CSCtx79725 This issue has been observed using OpenSC middleware on Mac OS X (Safari and Chrome both work as designed). CACkey middleware works as designed with Safari, Chrome, and Firefox. Cisco ISE freezes during startup if first DNS does not respond This issue has been observed if/when primary DNS is misconfigured or down. Workaround Specify a different (operational) DNS server. CSCtx80886 When switching to FIPS mode, there is no way to delete the self-signed certificate on an Inline Posture node This issue occurs when the original self-signed certificates still installed on the Inline Posture node, even though it is not actually used by Cisco ISE. Note Do not remove the default self signed certificate and join the Inline Posture node to the deployment using FIPS compliant CA certificates. Workaround Deregister the Inline Posture node, remove the self-signed certificate, and re-register the Inline Posture node. Release Notes for Cisco Identity Services Engine, Release 1.1.x 96 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtx90696 Cisco ISE does not work after updating the IP address This issue may be that the primary DNS server used by Cisco ISE has not yet been updated with the new IP address. Note Do not use the no ip address command when you change the Cisco ISE appliance IP address. Instead, simply set the new IP address with the ip address command. Workaround Use the “ip address” command in the CLI to specify a new IP address. (Make sure the primary DNS server is also updated with new records.) CSCtx92251 Using the Cisco ISE “Replace” function on a secondary node does not assign protocols or replace the certificate Using the “Replace” button when replacing a certificate on a secondary node (such as a Monitoring and Troubleshooting or Policy Service node) does not move the protocols to the new certificate or remove the old certificate. This issue has been observed when you install the certificate on a Monitoring and Troubleshooting node, take the same Certificate Signing Request and have it signed by a different Certificate Authority, then install the certificate on the Monitoring and Troubleshooting node with the “Replace” option enabled. Note Both certificates are still present on the node and EAP and MGMT protocols are not part of the new certificate from the second Certificate Authority. Workaround Create a new certificate from the second Certificate Authority, edit protocols, and then delete the old certificate from the original Certificate Authority. CSCtx93416 Database restoration fails when upgrading from software release 1.0.4 to release 1.1.x The restore process fails the Cisco ISE Release 1.1.x deployment has been installed via upgrade and the hostnames in the topology have different assigned roles, but hostname of the original primary node name (when the release 1.0.4 backup image was created) is still a node name appearing in the new deployment, but is no longer the primary node in your deployment. Workaround There are two possible workarounds for this issue: CSCtx94533 • Change hostname on the new release 1.1.x primary node to match what it was during the backup, and try to restore the database again. • Change hostname on new release 1.1.x primary node to be something completely new (a name that was not used at all in the original release 1.0.4 deployment). Some endpoints appear as “pending” following posture assessment It can take up to 10-15 minutes to get the endpoint status updated to reflect a “Registered” state, where the endpoint goes through posture assessment and gains full access to the network. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 97 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtx95251 Deployment page load exceeds six minutes when two or more nodes are unreachable This problem may occur only if the nodes are not reachable, there are lots of pending messages in the secondary node, and if there is possibly a firewall issue. Workaround Make sure all the nodes are reachable, there are no pending messages, and there are no firewall issues. CSCty00899 LiveLog Reports cannot be opened When you drill down on LiveLog details to launch a detail report, Cisco ISE returns an error message. Note This issue is seen only if you leave your browser idle for more than one day. Workaround Users can logout and log in again to drill down to report details from live logs. CSCty02167 IP refresh fails intermittently for Mac OS 10.7 guest users This problem stems from the way Mac OS 10.7 handles certificates. Marking the certificate as “trusted” in the CWA flow is not good enough to download the java applet required to perform the DHCP refresh function. Workaround The Cisco ISE certificate must be marked as “Always Trust” in the Mac OS 10.7 Keychain. CSCty05129 “Monitor All” function does not take effect after policy refresh When the administrator enables or disables the Monitor All function, devices do not get policy updates as designed. This has been observed in cases where the cells are not updated manually. Workaround Cisco recommends using the Monitor Mode function on a per cell basis, rather than Monitor All. If you have enabled the Monitor All function, edit at least one cell per column in which a value exists. You can also manually remove the policies from the network device and update them again from Cisco ISE. CSCty05157 The Cisco ISE dashboard is not working for administrator user names with more than 15 non-English characters contained in the username This issue has only been observed for user names created using a language other than English. Workaround Update the administrator user names so that they are less than 15 characters in length. CSCty08194 The administrator password character list is restricted during the reset-config function When the administrator tries to perform a “reset-config” function from the Cisco ISE CLI, the password character list for the administrator password is more restricted than at the time of installation. For example, during installation “!” is valid special character accepted for the administrator password. During the “reset-config” operation, however, “!” is not accepted as a valid password character. Release Notes for Cisco Identity Services Engine, Release 1.1.x 98 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCty10369 Management functions operate slowly on VM with UCS SATA-2 storage The following issues have been cited: • Importing 1,000 users in a deployment setup takes 8 more minutes than a dedicated hardware appliance (or VM SCSI HDD 10K rpm). • Full synchronization functions take up to 12 hours on a VM UCS with SATA2 HDD. • Disk latency is up to 50% greater on SATA-2 7200 rpm storage devices. Workaround Ensure external storage units connected to UCS feature SCSI/SAS 10K or 15K RPM technology. CSCty10692 Requirement is used by Policy - Need tooltip on OS When a requirement is used by a policy in Cisco ISE, the operating system of the policy and the requirement need to match. Currently, the requirement operating system field is disabled in the requirement page and the administrator is not able to tell with which operating systems this requirement is associated. Workaround There is no known workaround for this issue. CSCty19010 Editing Cisco ISE failure reason information returns error message If user edit some of the failure reason codes in the Administration > System > Settings > Monitoring > Failure Reason Editor page, Cisco ISE may display an error 500 message. “12818 Expected TLS acknowledge for last alert but received another message 24466 ISE Active Directory agent is down” Note CSCty19774 This issue can occur when failure reason information includes data that can indicate a cross site scripting attack; such as the string “alert” and “<” and “>” characters. Client Provisioning is not working when an Inline Posture node is connected to a VPN This can happen when the client machine successfully passes authentication and ACLs are downloaded to the Inline Posture node and there is connectivity to Policy Service node, but the URL redirect function is not working correctly. Note This issue has been observed on a on non-Windows 7 client machine. (XP clients do not update automatically because the root certificate list is not up to date.) Workaround One way to get around this problem is to do update your root certificates. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 99 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCty28274 System and RBAC administrator data access permission issue When an administrator other than the Cisco ISE administrator user created during installation logs into the Administrator ISE node user interface and navigates to Administration > System > Admin Access, they should be able view and update the administrator information when clicking on their own username. Instead, Cisco ISE displays a “Permission Denied” message. Workaround Administrators facing this issue can click on the logged-in username in the top right corner of the on user interface and edit their details from the pop-up dialog that appears. CSCty39209 IPsec and SSL VPNs do not work if FIPS function is enabled or the PAP protocol is disabled If you enable FIPS 140-2 functionality you must also turn off PAP authentication in the Allowed Protocols page. Once you turn off PAP, then any VPN client that uses group authentication, which always requires PAP, becomes incompatible with Cisco ISE. CSCty42816 Wireless Guest login fails using Google Chrome browser Self-service guest users are unable to get on to the network from Chrome Browser during Wireless Local Web Authentication. Cisco ISE displays an error page with user credentials after the self service guest user changes the password and tries to get onto the network. Workaround Cisco recommends using another browser for this operation. CSCtw50782 Agent hangs awaiting posture report response from server Workaround The issue occurs with Mac OS X 10.7.2 clients. Kill the CCAAgent Process and then start CCAAgent.app. Perform the following: CSCty51216 1. Go to Keychain Access. 2. Inspect the login Keychain for corrupted certificates, like certificates with the name “Unknown” or without any data 3. Delete any corrupted Certificates 4. From the pull-down menu, select Preferences and click the Certificates tab 5. Set OCSP and CRL to off. Upgrading Mac OS X Agent version 4.9.0.638 to later versions fails. Workaround 1. Remove the "CCAAgent" folder from temporary directory 2. Reboot the client 3. Connect to Web login page and install the Agent from there Release Notes for Cisco Identity Services Engine, Release 1.1.x 100 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCty52694 Mac OS X Agent needs to be installed from Client Provisioning Portal for VPN When a Mac OS X user connects through VPN, the Mac OS X Agent does not pop up as designed. This can happen if the Mac OS X Agent has been installed directly from Cisco Connection Online (CCO) or via application installation from an IT department instead of through The Cisco ISE client provisioning portal. Workaround Uninstall the agent from the system in question and reinstall the agent from the Cisco ISE client provisioning portal. CSCty61980 Cannot get Out-of-Band Security Gateway Access PAC for network devices after upgrade This issue can occur on a system that has been upgraded from Cisco ISE, Release 1.0.4 where device definitions were also updated as part of this upgrade. (The PAC file that is downloaded is invalid and Cisco ISE returns an error message.) Workaround Delete and recreate the network device definition for any device where you need to generate an Out-of-Band PAC. You can do this by creating the necessary entry in the administrator user interface or exporting the device definition, deleting the entry, and adding the device definition again. CSCty91514 Custom Guest Portal does not enforce Details Policy during Self Service When creating a custom Guest Portal under Multi-Portal Configurations, which allows Self Service in Cisco ISE 1.1.x, the Details Policy is not enforced when a user creates their Guest Account. CSCtz01339 Getting directed to Windows client provisioning flow on Android 2.3.3 Following user authentication via the Guest Portal and device registration, the device is going through the Windows client provisioning flow instead of being redirected to the Android Market place. CSCtz01754 The certificate and Cisco ISE CA names are missing in Android 2.3.3. EAP-TLS After a user authenticates via the Guest Portal and registers their device, they are then able to download and run the Supplicant Provisioning Wizard from the Android market place. After running the wizard, however, the “name” field is blank in the user certificate and the Cisco ISE certificate is blank as well. CSCtz21155 Assigned profile is missing under Network > 802.1X on Mac OS 10.6.3 machines Once the TLS profile gets configured, the end user is presented the following message: “Device configured. Go to System Preferences, choose Network, choose the wired (Ethernet) network, select <profile name> from the 802.1X menu, and click connect.” However, the profile is missing under System Preferences > Network > 802.1X, and the user is stranded in that step of the login process. Workaround Close the Network window and open it again. You should be able to see the appropriate profile under Network > 802.1X. (This is applicable only for wireless deployment scenarios.) Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 101 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtz25101 Asset Registration Portal login event not shown in Live log Sponsor Portal login events are showing up as designed, however. CSCtz28932 Client Provisioning for Supplicant Provisioning flows is broken after upgrade Policies that were previously working now result in the “register” tab not appearing to users logging in via the Self-Provisioning page for Windows devices. This issue has been observed using Apple iPhone/iPad over a dual- SSID environment. CSCtz31672 NullPointer Exception when user redirects to CPP evaluate page from mobile Cisco ISE returns a “Cisco ISE is unable to determine access privileges in order to access the network. Please contact your system administrator.” message, and exceptions also appear in the ise-psc.log file. This issue is likely because the login session is trying to use an old session for the same device MAC address, which is not found in session directory. Workaround: The user logging in via their endpoint must open a new browser instance or clear the existing URL, and type enter the destination URL again to be redirected to the CCP evaluate page with expected device information. CSCtz36060 ARP authentication should show up in AAA diagnostics even with default log level MyDevices portal login audit can be seen in the AAA Diagnostics log as long as ARP logging is set to INFO or DEBUG. CSCtz37988 Two primary Administrative ISE nodes appear in deployment This issue can occur after the primary Administrative ISE node becomes disconnected and the secondary Administrative ISE node gets promoted to the primary role after 20 minutes or so. Then much (a day or so) later, the original primary is brought back online, two primary and secondary Administrative ISE nodes appear in the deployment setup. CSCtz40127 Certificate issue after SCEP failover where servers reside in different domains (This issue has been observed in a Windows 7 environment.) CSCtz41262 Authorization policy does not match when the MAC address uses the colon delimiter (00:00:00:00:00:00) When configuring policies using the Calling-Station-ID as a component, the authorization attempt does not match the rule if you use the value in the Cisco ISE report. When configuring this type of policy in Cisco ISE, Release 1.0.4 or 1.1, you will have to rely on the RADIUS packet information and not the ISE report. Workaround Use the TCPDump function in Cisco ISE to see the correct value that is being sent from the network access device and configure the Calling-Station-Id (MAC address in this case) using the hyphen-delimited format (00-00-00-00-00-00). Release Notes for Cisco Identity Services Engine, Release 1.1.x 102 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtz42775 Java “unknown host” exceptions appear when downloading Client Provisioning resources Cisco ISE still reflects that the “Resources downloaded successfully” in the bottom right corner of the Cisco ISE administrator user interface. Workaround Please make sure the DNS server is up and running and the client provisioning Feed Server is reachable from ISE. Note CSCtz49846 This issue may occur more commonly where the DNS server has gone down. Cisco ISE does not contain the ASA attribute 146 Tunnel Group Name which is sent on the Access Request This issue can appear when the name of the attribute added in Cisco ISE includes a “.” character. Workaround Ensure that the attribute name does not include a “.” character. This also applies to some of the existing attributes in the Cisco-VPN300 dictionary. The attribute names should also be modified so that they do not include a “.” character. CSCtz55815 Default Gateway is not changed if the new value is a part of old value If the administrator specifies a new default gateway on the Cisco ISE that is too similar to the old default gateway (like a different address on the same 24-bit subnet for example), the gateway address does not change. Note CSCtz56547 This issue was observed on a VMware ESX 4.1 environment. Cisco ISE does not display alarms or notifications on “OutofSync” issues This has been observed when there is a time-shift event on an Administrative ISE or Policy Service node. Cisco ISE should notify admin user on all arising issues due to NTP dependency, as this issue can consume considerable time to troubleshoot. CSCtz61792 Administrator Username column in EPS Report shows incorrect data The Cisco ISE EPS operation history report displays the user as “internal” instead of the actual administrator user ID. Workaround Cisco recommends using the REST API, instead. CSCtz63899 Previously registered device is not able to re-connect Once a device has been registered with Cisco ISE and attempts to connect to the network again (as if a new device), the device should automatically attempt to connect to the secure network. However, the device is able to connect to secure network on second or third attempt. This issue can occur if the device is unable to complete the full EAP handshake with the NAD or WLC. Workaround Device can connect to closed network automatically in second or third attempts. or user can try flapping the interface to be connected to closed network. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 103 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtz67158 IP address is not refreshed after reinstating the device Reinstating a blacklisted device in the My Devices portal does not refresh the IP address. This can happen when the administrator modifies the default blacklist authorization profile so that it includes ACCESS-ACCEPT and different sets of ACLs and VLANs. Since reinstating the device issues a CoA and triggers reauthentication, the IP address is not refreshed by the blacklisted device. Workaround The user can perform an IP address release/renew or turn off Wi-Fi on the device. CSCtz67372 External Admin Groups are not available until authentication password is changed This issue can come up when you configures external identity source (LDAP or Active Directory), import groups from the source, and then try to create an “external” RBAC Admin Group that refers to one or more groups imported from the external ID source. (That is, the Identity Source in the Authentication Method' page under 'Administration > System > Admin Access page has not yet been set to the external ID source containing the groups.) As a result, the groups from the external ID source are not shown in the Admin Group page in Cisco ISE. Per the current design, you can configure multiple identity sources, but only one may be enabled at a time. Note CSCtz74022 The External Group section in the Admin Group create/edit page in Cisco ISE only shows groups from the external identity source that are currently enabled. The device registration page is blank on a Windows 7 phone on which a language locale other than English is specified This issue has been observed when running performing device registration in a single SSID environment. Workaround Set the client browser locale to English. CSCtz80240 Secondary node never becomes standalone after de-registration The secondary node is de-registered successfully but a “The following deregistered nodes are not currently reachable: <name>. Be sure to reset the configuration on these nodes manually, as they may not revert to Standalone on their own.” message appears to the administrator. Workaround Log in to the administrator user interface with internal Cisco ISE administrator credentials when de-registering a node. CSCtz81107 Android registration fails if the user modifies the certificate while installing Android users are able to modify certificate names when installing the Cisco Supplicant Provisioning Wizard. If the user does in fact modify the certificate name, then the device is not able to connect to the secure network. Note This issue applied to both single- and dual-SSID deployments. Release Notes for Cisco Identity Services Engine, Release 1.1.x 104 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtz83096 Cisco ISE ignores authorization exceptions when working with an option that matches multiple policy rules If you add a standard rule within an authorization policy, for example, “if Network Access: Username STARTS_WITH letters ‘te’ then DenyAccess,” add an additional Exception Rule like, “Network Access:Username EQUALS ‘testUser’ then PermitAccess,” specify that the policy should operate using the “Multi-Matched” option, and authenticate a user called “testUser,” the result is that Cisco ISE denies access to that user when it should permit access. CSCtz83530 Android devices must manually connect to the secure network if the user reboots the device This is due to the fact that users be required to enter storage credentials again to connect to the secure network using certificates that were installed during initial device registration. CSCtz84351 Cisco ISE stops responding to authentication requests Cisco ISE intermittently stops authenticating and returns “WARN RADIUS: RADIUS request dropped due to system overload” messages. This issue has been observed even when CPU usage is low and there is plenty of free memory. Workaround Disable and then re-enable Cisco ISE services. CSCtz90726 An error appears when attempting to create an inline “Allow Protocols” definition after having previously canceled the operation This issue can appear when you select the option to create an Allowed Protocols definition, click Cancel during the process, and then attempt to create the definition again. Workaround Clear the browser cache and attempt to create the definition again. CSCtz91998 New client provisioning ports need accommodated during upgrade After upgrade to Cisco ISE, Release 1.1.1, users are unable to download Cisco NAC Agent or NAC Web Agent after clicking the install button if the appropriate client provisioning port (8909) has not been opened across the network. Workaround Open up ACL for port 8909 to allow client access to ISE server. This ACL can be statically defined on the NAD or dynamically downloaded through ISE authorization policy CSCtz93520 Exceptions noted in logs while registering a node In a split domain upgrade older certificate is not working when older secondary is made as primary. Workaround After upgrade Export the secondary certificate into primary before registration. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 105 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCtz97075 Device registration session directed to wrong location when Administrative ISE node and Policy Service node become disconnected As a result, users are not able to complete device registration, account for lost devices, or remove old devices from Cisco ISE. Users are supposed to be redirected to the self-provisioning portal during both single- and dual-SSID sessions. This function requires an active connection between the Administrative ISE node and Policy Service node. If the two become disconnected, device registration fails. (This also applies to users trying to account for lost devices, or remove old devices from Cisco ISE.) CSCtz97833 HTTP time out error received during user session quarantine period Certificates used in Cisco ISE can be PEM- or DER-formatted. Cisco ISE also accepts certificate chains of multiple certificates. Cisco ISE does not, however, accept certificate chains which have a mix of both PEM- and DER- formatted certificates. This error is not reported as precisely in EPS REST calls, it just shows up as generic failed request. Workaround Check to see whether you are inadvertently mixing both PEM and DER formatted certificates. CSCtz98295 Opera browser “Back” button displays My Devices portal after user has logged out After logging out of the My Devices portal, the user can click the back button and the previous page appears. Workaround Recommend not using Opera if concerned. CSCtz99443 Policy Service nodes on the other side of WAN links display “IN-PROGRESS” status continuously This issue can occur on secondary nodes that are deployed over WAN links where there are a large number of replication events generated on the Administrator ISE node. Note CSCua00821 This issue is sometimes due to latency issues impacting WAN links. If there are a significant number of replication events generated by the Administrator ISE node, these events take longer time to be replicated and applied to the Policy Service nodes that are deployed over a WAN link. As a result, replication events accumulate on the node and the replication status appears as though replication is continuously in progress. Error messages appear when you configure Active Directory via the CLI When performing Active Directory configuration via the Cisco ISE CLI, selecting option number 5 (Clear Active Directory Trusts Cache and restart/apply Active Directory settings), the following errors may appear: • log4j:WARN No appenders could be found for logger (com.cisco.cpm.acs.nsf.config.handlers.ad.cli.ADAgentRestart). • log4j:WARN Please initialize the log4j system properly. Workaround From the Cisco ISE CLI, enter the “application configure ise” command and select option number 5 again. Release Notes for Cisco Identity Services Engine, Release 1.1.x 106 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCua03362 Need to enable automatic connection polling on Mac OS 10.7.x wired connection The Cisco ISE profile selection dialog does not appear if the “Enable automatic connection” option is not enabled (under System Preferences > Network > Ethernet > Advanced > 802.1X) on the Mac OS X client machine after the supplicant provisioning wizard is downloaded and installed. Workaround Be sure Mac OS 10.7.x wired device users know to choose the profile manually (like Mac OS 10.6.8, for example). CSCua03889 Guest users are asked to accept the Acceptable Use Policy twice when first logging into Cisco ISE with password change When the administrator sets up a multi-portal configuration, sets the Acceptable Use Policy to be accepted on “First Login,” and enables the “Requires guest users to change password at expiration and first option” option, the guest user needs to accept the Acceptable Use Policy twice. CSCua05003 Service status is not correct if the ARP port number changes This issue has been observed when an end-user attempts to access the My Devices portal via the configured port, but is not able to. Note Accessing the My Devices portal via the last configured network port works as designed (although and error message appears). Workaround If you have changed the port used for the My Devices portal, restart the Administrator ISE node and My Devices portal should restart on the correct port. CSCua05261 Windows XP 32-bit OS cannot connect to closed network if not broadcasting This issue can occur when the open network connection mode is set to “Automatically connect to network” (which is a default option on Windows XP. Note This issue has not been observed in a Windows 7 environment. Workaround Set the connection mode for Windows XP open networks to “manual” or “on demand”: CSCua08884 1. Select the open network profile. 2. Uncheck the “Connect when this network is in range” option. Restore failed in release 1.1.1 with customer backup of 1.0 version This issue is most likely due to a corrupted backup file resulting from an unknown operating system issue Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 107 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCua12479 HTTP profiling in Cisco ISE, Release 1.1 is performed after Guest Authentication Cisco ISE, Release 1.1 does not call upon user-to-agent information until the Guest user authenticates via the Guest portal. Note This behavior is different then what is seen in ISE 1.0.4 where profiling kicks off as soon as the user hits the guest portal. Workaround You can redirect users to the client provisioning portal. Even if no client provisioning rules exist, the user-to-agent information is called upon when the Guest user reaches that page. CSCua12479 Profiling via HTTP probes in Cisco ISE, Release 1.1 done after Guest authentication Cisco ISE, Release 1.1 does not use user-agent information until the Guest user authenticates to the Guest Portal. This behavior is different then what was seen in Cisco ISE, Release 1.0.4 where profiling would initiate as soon as the user hit the Guest Portal. Workaround Direct users to the Client Provisioning Portal. Even if no Client Provisioning rules exist, the user-agent information will be picked up when the user hits that page. CSCua18804 Authorization RADIUS packets fail due to incorrect delimiter Wireless LAN Controllers can send endpoint MAC addresses in RADIUS packets in various formats, including a series of colons, hyphens, or no delimiter at all. Cisco ISE authorization policies look for hyphen-formatted MAC addresses. Workaround Set the MAC address delimiter on the Wireless LAN Controller for the calling station-id to specify hyphens. CSCua19003 “hostname” and “ip domain-name” warnings are hard to understand Cisco ISE returns warnings when you attempt to change the Cisco ISE hostname or domain name after initial setup. Because the warnings are ambiguous and the affect on the system unknown, Cisco recommends that you do not change the hostname or domain name on any deployed Cisco ISE appliances. If it becomes necessary to change these parameters, the only reliable way to accomplish such a change is to re-image and specify different values for these parameters during initial configuration. Note CSCua25187 There is no known workaround for this issue. Employees whose user names are 41 digits long will not see their devices If the employee name is 41 digits long, then the devices added through the My Devices portal do not show up in the list of employee devices. Note Using a 40-digit user ID works as designed, as does a 48-alphanumeric character ID and a 40-digit alphanumeric character ID with one leading alphabetical character. Workaround Use less than 41 digits in the user name policy. Release Notes for Cisco Identity Services Engine, Release 1.1.x 108 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCua25333 Unable to login to the administration user interface using the username and password credentials set during the initial setup wizard After running the initial setup wizard with some specific set of username and password values, this problem will occur. The administrator is, however, able to log in to the Command Line Interface with the same username and password. Workaround Run the CLI “application reset-passwd” command to reset the administration user interface password to the value specified during the initial setup wizard or another value if desired. CSCua32575 Firefox browser is not working on Android devices for registration When the Mozilla Firefox browser is used for registering an Android device, it receives an “unsupported OS device” response From Cisco ISE. Note CSCua38966 When users register the device via the native Android browser, registration completes correctly. Policy Service node replication is disabled Policy service nodes in which large numbers of (bulk) users have been imported display signs of decreased performance. (The performance level of the three (of 40) Policy Service nodes were below that of other appliances.) Note This issue has been observed on a “large” deployment of 40 nodes. Workaround Manually synchronize node information. CSCua40773 IP refresh function is not working in Mac OS X after the session terminates The VLAN switching function does not take place on Macintosh client machines after Cisco ISE issues the requisite “change of authorization” during login. When Cisco ISE issues the “change of authorization,” and open/authenticated networks are in different VLANs, the Macintosh client does not refresh the IP/switch network (VLAN) automatically following re-authentication. Workaround The user must manually refresh the IP address: 1. Launch System preferences. 2. In the TCP/IP tab, go to Network > Advanced. 3. Click Renew DHCP Lease button. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 109 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCua55531 “Anonymous” user authentication fails when operating with CSSC CSSC expects both “Session Resume” and “Fast Reconnect” PEAP functions. When Cisco ISE transmits a valid TLS Session ID, but either or both of these PEAP functions are disabled or the session time out has elapsed, then CSSC drops the conversation before running the PEAP inner method. The result is that the PEAP outer identity is protected (e.g., “Anonymous”) but the conversation is dropped before revealing the unprotected user US, which then compromises the posture validation process because the user name has been “changed.” Workaround Enabling both of the “Session Resume” and “Fast Reconnect” options in “PEAP Settings” can reduce the frequency, but this issue will still likely occur when Cisco ISE terminates an expired session. To fully resolve the issue, Cisco recommends upgrading from CSSC to AnyConnect version 3.x. CSCua60073 Changing the log level for system statistics yields incorrect results After the log level for “System Statistics” is set to “ERROR,” the “System Summary” area on the Cisco ISE dashboard is empty. Workaround Do not change the log level for the “System Statistics” logging category. (Continue to use the default “INFO” value.) CSCua71361 Android 2.3.6 devices are not getting a new IP address following the change of authentication session terminate event Android devices such as Android RAZR are not refreshing their IP address after moving to a new subnet. This issue has been observed on certain Android O/S such as 2.3.6 and ISE issuing CoA session terminate Workaround Manually disconnect and reconnect to the network by turning Wi-Fi off and back on again. CSCua72137 Cisco ISE does not delete old files when the preset localStore size limit is reached CSCua97013 Apple iOS devices are prompted to accept “Not Verified” certificates Apple iOS devices (iPhone & iPad) are asked to accept the certificate, appearing to them as “Not Verified,” when connecting to WLAN (802.1X). By design, Apple iOS devices are prompted to accept a proprietary certificate, but Apple OS X and Android devices work without being prompted to accept a certificate. This happens even when the certificate is signed by a known CA, as there is an intermediate certificate in the server certificate chain. Workaround Click Accept to acknowledge the certificate. While browsing any URL, the user is redirected to provision the device. After provisioning, the intermediate certificate is installed on the iDevice. Release Notes for Cisco Identity Services Engine, Release 1.1.x 110 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCub01822 Cannot roll back patch when administrator is authenticated using an Active Directory identity store When the administrator, who is authenticated via an external identity store, applies a patch to Cisco ISE, the patch application process reboots Cisco ISE and the administrator is automatically logged out. After patch application, however, the same administrator cannot them log back into the system and roll back the installed patch. CSCub16453 Android Self-Provisioning Certificate installation and application erroneously informs the user of a Factory Reset event This issue has been observed on a device running Android OS version 4.0.3. A pattern lock factory reset message appears when installing the certificate in a device registration flow from the Cisco ISE self-provisioning page. No actual factory reset event actually takes place after the user clicks OK, and the device connects to the network without issues. Workaround Set a pin lock and then configure back to pattern lock. This time there are no reset messages. This was tested after removing the cert and supplicant config to start fresh CSCub17140 Upgrade to Cisco ISE 1.1 and 1.1.x fails when policies use the Blacklist_Access authorization profile. This issue has been observed when you upgrade the following Cisco ISE releases: • Upgrade from Cisco ISE, Release 1.1.3 to release 1.1.4 • Upgrade from Cisco ISE, Release 1.1.2 to release 1.1.3 • Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.3 • Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.2 • Upgrade from Cisco ISE, Release 1.1 to release 1.1.1 • Upgrade from Cisco ISE, Release 1.0.3.377 Workaround Before you upgrade, ensure that you delete all policies that use the “Blacklist_Access” authorization profile. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 111 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCub17522 IP Phone 802.1X authentication reverts to PAC-based authentication when the “Accept client on authenticated provisioning” option is not enabled When the “Accept client on authenticated provisioning” option is off then Cisco IP Phone EAP-FAST authentication sessions always end with an Access-Reject event. This requires the IP phone to perform PAC-based authentication to pass authentication. Since Cisco IP Phones perform authentication via authenticated provisioning and not via PAC-based authentication, it is not possible for the phone to authenticate when this option is off. Workaround Try one of the following: CSCub18575 • Turn on the Cisco IP Phone “Accept client on authenticated provisioning” option. • Switch from EAP-FAST protocol to PAC-less mode. • Authenticate Cisco IP Phones via EAP-TLS rather than EAP-FAST. Issue with Cisco ISE sponsor-initiated accounts starting with a “0” If you create a Guest user starting with a “0,” then log out and log back in, you are not able to see the Guest user entry as expected. Note CSCub26470 There is no known workaround for this issue. Wireless license shows Advanced and Base license as “Eval” Cisco ISE may display Base and Advanced license as “Eval” after installing a purchased Wireless license. This is a cosmetic issue, the license is functional and expires in the expected date. This issue has been observed in Cisco ISE, Release 1.1.1. CSCub44915 Activated Guest fails RADIUS authentication where the applicable role uses “FromFirstLogin” Workaround Use time profile “FromCreation,” or log in first via the Web Portal. Release Notes for Cisco Identity Services Engine, Release 1.1.x 112 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCub45799 Wired Mac OS X 10.8 clients fail to auto re-connect to the Cisco ISE network using a new profile After successfully provisioning the Mac OS X 10.8 client machine with an 802.1X profile for wired a network, the client machine may not provide the user an option to select the specified 802.1X network profile. When the user is not able to select the “Enable automatic connection” checkbox in System Preference > Network > 802.1X for a wired interface, or if the user manually disconnects from the 802.1X network, the client machine may not present the pop up that would enable the user to select the 802.1X network profile. Workaround The user must manually connect to the 802.1X network: CSCub45895 1. If the System Preference pane is already open, close it. 2. Navigate to System Preference > Network and select “Wired Network” from the left pane. 3. Select the appropriate user profile from the right-hand pane and click Connect under 802.1X. Unable to save external LDAP/AD groups Cisco ISE returns a “UTFDataFormatException” message upon saving LDAP groups with multiple Organizational Units and/or Domain Controllers. Workaround If possible, reduce the number of Organizational Units and/or Domain Controllers in the deployment. CSCub56607 Cisco ISE applies a wireless access session against the Advanced license allowable user count when it should not The wireless session in question should be applied against the Base license count. This issue has been observed in Cisco ISE, Release 1.1.1 where the following functions are set: • MAC Filtering is enabled on the SSID and the Central Web Authentication authorization policy is applied • Profiling is disabled • Posture is disabled • The device in question has not been registered via the My Devices Portal Note CSCub56607 There is no known workaround for this issue. Cisco ISE, Release 1.1.1 uses Advanced license for web authentication when it should not consume one This issue has been observed when a wireless user consumes an Advanced license instead of just a Base license slot, MAC Filtering is enabled on the SSID, and the Cisco ISE authorization policy is designed to support Central Web Authentication. Note There is no known workaround for this issue. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 113 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCub56814 Unable to provision Android 4.1.x device When registering a new Android 4.1 (Nexus 7) via the Cisco ISE Network Setup Assistant, Cisco ISE is unable to register the device and the user receives an “Unable to apply the Wi-Fi profile” message. Note CSCub57456 There is no known workaround for this issue. Cisco ISE is not sending RADIUS Request messages to external RADIUS server This issue has been observed in Cisco ISE, Release 1.1 with a wireless-only license. Cisco ISE is not sending the appropriate RADIUS request message to the external RADIUS server, which has been configured as a RADIUS proxy. Workaround Uninstall Wireless Only license and Install an Advance License. CSCub70759 Guest Email IDs greater than 24 characters in length are truncated When Cisco ISE handles Email IDs, the last characters are getting truncated such that all Email IDs are a maximum of 24 characters in length. Workaround Delete the user entry and create a new user again with correct email ID. CSCub73901 Cisco AV-pair is not accepted if it contains the term “Alert” Cisco ISE rejects the AV-pair configuration and returns a “Bad Request Parameters” error message. (Scripts in input fields are not processed.) Note CSCub77801 There is no known workaround for this issue. Cisco ISE returns a “Can't create new service” message when adding new allowed protocols When attempting to add a new Allowed Protocols Service in Cisco ISE, Release 1.1.1, saving a policy without the “Allow EAP-FAST or EAP-TLS” option enabled may result in a “Can't create new service” error. Workaround Add the Allowed Protocols service with the default protocols first. After saving, go back into the policy and deselect the protocols that you want, and save the service again. CSCub82418 Dual SSID registration fails when profiled endpoint’s MAC address changes to the Policy Service node MAC address On reaching the Device registration page, the device MAC addresses is populated using the Policy Service node MAC address. This issue occurs on user devices during registration if there is no MAC address in the Cisco ISE session cache. Workaround There are two possible workarounds for this issue: 1. The user can contact the system administrator so that the session can be cleared from the Wireless LAN Controller (WLC). (The user must be able to supply the Wi-Fi MAC address from the device to do so.) 2. The user can turn off Wi-Fi for a period of time (equal to slightly more than the session timeout period set on the WLC) and then reactivate Wi-Fi so that the device negotiates a new session with the WLC. Release Notes for Cisco Identity Services Engine, Release 1.1.x 114 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCub87687 Acceptable Use policy text character limit in Guest Language Templates When you attempt to modify the Acceptable Use Policy text under Administration > Web Portal Management > Settings > Guest > Language Template > German_Deutsch, it works as expected if fewer than 4000 characters. If attempting to input larger text content, then upon saving, Cisco ISE returns a “Server Response Language Template successfully saved” message. However, upon refresh, the changes have not been applied to the Acceptable Use Policy text. Workaround Use fewer than 4000 characters in the Acceptable Use Policy text field on the Language template, or employ a customized portal with its own logos and HTML pages. CSCub89895 SNMP process stops randomly due to an issue in netsnmp The netsnmp daemon on Cisco ISE can halt, causing any SNMP monitoring of the Cisco ISE node to fail until the daemon is restarted. This issue has been observed in Cisco ISE, Release 1.1.1. Workaround Remove all SNMP commands and re-add them to start the daemon again or restart the ISE node. For more information, see: http://sourceforge.net/tracker/index.php?func=detail&aid=3400106&group_id=126 94&atid=112694 CSCuc13075 Endpoints are saved with “EndpointPolicy” as “Unknown” Change of Authorization is continuously sent for an endpoint, causing the CPU usage on the Administration ISE node to run extremely high. (The endpoint may or may no longer be connected to the device the CoA is being sent to.) This issue can occur in Cisco ISE, Release 1.1.1 where Profiling is enabled as well as CoA. Note There is no known workaround for this issue. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 115 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCuc18502 Cisco ISE upgrade from release 1.1 to 1.1.1 fails because of Blacklist authorization The Cisco ISE support bundle log returns an error message inside the latest isedbupgrade-data-global-date-time.log file: UpgradeServiceRegistrar terminated with exception java.lang.RuntimeException: com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: java.lang.NullPointerException Workaround If the ISE upgrade fails once, then you need to restart everything from scratch. CSCuc21037 1. Access the primary appliance that has not been configured yet and create a compound condition called “Wireless_802.1X” manually under Policy > Policy Elements > Conditions > Authorization > Compound Conditions. 2. Configure the rule to include “Radius:Service-Type Equals Framed AND Radius:NAS-Port-Type Equals Wireless - IEEE 802.11.” 3. Re-image the secondary appliance that you were trying to upgrade, add the Secondary to the Primary, and wait until the Secondary node gets its configuration from the Primary. 4. Restart the upgrade progress by breaking the pri/sec relation and doing the upgrade on the secondary again. Cisco ISE uses PEAP for outer identity when performing authorization Traditionally, authorization was accomplished in Cisco ISE, Release 1.1 using PEAP as the inner identity. In release 1.1.1, however, PEAP is used as the outer identity when performing authorization. Note It seems that the “Network Access:UserName” value is mapping to the “RADIUS Username,” and only applies to PEAP-EAP-TLS authentications. Workaround If you would like to match on the certificate fields (for example, the Subject field), change the authorization rule to use the “Certificate:Subject” attribute and match on CN\... (rather than using the “Network Access:UserName” attribute). Cisco recommends using the attributes from the Certificate dictionary when matching certificate fields. CSCuc22732 Cisco ISE drops RADIUS requests with no “calling-station-id” attribute When using MAB and sending a RADIUS request to Cisco ISE, the packet is dropped if the “calling-station-id” attribute is not included. Workaround Configure the remote access device to send the “calling-station-id” attribute if possible. CSCuc44766 My Devices Portal descriptions missing Periodically, after onboarding devices using the self provisioning flow (NSP) SPW, descriptions of endpoint devices may be missing form the My Devices Portal. Note There is no known workaround for this issue. Release Notes for Cisco Identity Services Engine, Release 1.1.x 116 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCuc50247 Cisco ISE does not recognize the certificate if the Certificate Authority name contains a space This issue can occur when the SubCA name contains a space. Cisco ISE records “Unknown CA” during processing and adds “%20” to the string, causing EAP-TLS authenticating to fail. Workaround Since the “Subject” is part of the FQDN or vice versa, do not use spaces in CN. CSCuc52368 Authenticating users using an alternative UPN fails In Cisco ISE, Release 1.1.1 with Centrify version 4.5, authenticating users against Active Directory with an alternative UPN fails. For example: *. considering a domain name sec.lab and an alternative UPN of sec.alt *. a user defined in AD as [email protected] Authentication using [email protected] fails. The domain name is not stripped from the username prior to authentication and Cisco ISE interprets the username as [email protected]@sec.lab (user@2nd_UPN@domain-name). Workaround Modify all users to use the primary UPN. CSCuc61143 Cisco ISE redirects to default login portal (instead of custom) when cookies are disabled Workaround Enable cookies on client browser. CSCuc62197 Unable to add or edit authorization compound conditions Adding or editing authorization compound conditions under Policy > Policy Elements > Conditions > Authorization > Compound Condition takes several minutes. When editing and saving a Condition Expression, the entry is duplicated. If you attempt to delete a Condition Expression, Cisco ISE returns a “Please enter a valid expression for the condition” error, and when adding and saving a Condition Expression, a Condition Expression entry is removed from the Authorization Compound condition expression list. CSCuc62197 Unable to add or edit authorization compound conditions The following issues have been observed when attempting to add or edit authorization compound conditions: • When editing and saving a Condition Expression, the entry is duplicated. • When adding and saving a Condition Expression, a Condition Expression entry gets removed from the Authorization Compound condition expression list. • If attempting to delete a Condition Expression, Cisco ISE returns a “Please enter a valid expression for the condition” error. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 117 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCuc71950 Network device .csv import function fails if Protocol field is “radius” When importing a .csv file of network devices to Cisco ISE running release 1.1.1 where the Protocol field is “radius,” the import function may fail and leave the network devices user interface page in loading state—not displaying any devices. Workaround Replace “radius” with “RADIUS,” and try the import operation again. CSCuc72034 Combined Base and Advanced license generated in incorrect order This issue has been observed where the administrator is unable to add combination Base-Advanced license file to Cisco ISE via the administrator user interface, and the appliance returns a message indicating that a Base license is required. Workaround Request individual Base and Advanced license files. If that does not address the issue, contact Cisco Technical Assistance Center (TAC). CSCuc76477 First-time Guest login fails when using the “DefaultFirstLogin” attribute This issue has been observed with an activated Group even though the user appears as “Active” on the portal. Workaround Use other time profiles like “DefaultOneHour” or “DefaultStartEnd.” CSCuc81940 Cisco ISE database process stops due to internal errors As a result, you can view “ORA-00600” errors seen in the Cisco ISE database trace logs. Workaround Restart Cisco ISE services. CSCuc82135 Guest accounts need to be removed from the network on suspend/delete When a guest user is deleted from the system, the RADIUS sessions associated with that guest user still exist. Workaround Re-issue the CoA from the Monitoring and Troubleshooting reports page for the sessions associated with that guest user. CSCuc82135 Guests need to be removed from the network on Suspend/Delete/Expiration When a guest user is deleted from the system, the RADIUS sessions associated with that guest user still exists. Workaround Reissue the Change of Authorization using the session information from Monitoring reports for the sessions associated with that guest user. CSCuc91726 My Devices Portal friendly name is not working Unable to access My Devices Portal using the URL specified in the “Default My Devices Portal URL” field on the Web Portal Management > Settings > General > Ports page after upgrade to release 1.1.1. Workaround Go to the Web Portal Management > Settings > General > Ports page and click Save. This will update Cisco ISE tomcat configuration files with the changes necessary for the redirect to work. (Note that this will restart the Cisco ISE appliances.) Release Notes for Cisco Identity Services Engine, Release 1.1.x 118 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCuc95915 Cisco ISE, Release 1.1.1 system database becomes full This issue may be addressed by obtaining the updated Oracle version 11.2.0.2 (Server Patch Set) and applying it to Cisco ISE, which will be available in an upcoming release of Cisco ISE. CSCud02566 Administration ISE node not able to join non-Administration ISE nodes to Active Directory When Cisco ISE nodes are deployed in different domains or sub-domains and you attempt to join any Cisco ISE node (except another Administration ISE node) to Active Directory, the operation fails and returns a “No Response from ISE Node” error message. To ensure the Active Directory join operation is successful, ensure that: • The Cisco ISE nodes in your deployment are not in different domains (e.g., Administration ISE node as pap1.sj.cisco.com Policy Service node1: pdp1.hyd.cisco.com, Policy Service node2: pdp2.webex.com would cause this issue) • The Cisco ISE node you are trying to join to Active Directory is NOT another Administration ISE node • You are not trying to join Active Directory from the Administrator web portal on the Administration ISE node Workaround Go to the respective Administrator web portal on the non-Administration ISE node and join that node to Active Directory, instead of trying to join using the Administrator web portal on the Administration ISE node. CSCud08618 Profiler is not recording all of the expected DHCP probe attributes This issue may come up if padding <0's> appear between fields. Workaround Use an IOS sensor on the network access device or a combination of other probes to achieve similar results. CSCud31796 External RBAC fails if user member of group containing apostrophe When the RBAC function utilizes an external identity store (AD, LDAP), group mapping fails for a user with the correct group(s) to gain access to the administrator user interface, and a “Authentication failure for user: username: No admin groups” message is displayed: Cisco recommends renaming all groups in the external identity store so that they do not contain apostrophes, and removing any users participating in Cisco ISE administration from any external groups that contain apostrophes. Note CSCud36451 There is no known workaround for this issue. Swapped NICs seen on Cisco ISE 3315s Some Cisco ISE 3315 appliances running Cisco ISE, Release 1.x appear as though NICs have been “swapped” with other NICs. (GigabitEthernet0 maybe end up being eth3, for example.) Workaround You can try to reimage the machine, but results have been mixed. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 119 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCue05861 Cisco ISE imports duplicate attributes which corrupt the system Cisco ISE discarding RADIUS packets and returns a “Network Device Not found” message when duplicate RADIUS attributes are imported in the dictionary. Workaround Remove any duplicate RADIUS attributes and restart Cisco ISE services. CSCue11380 Mozilla Firefox18 is not compatible for viewing reports System administrators running Firefox 18 may not be able to view pie charts in the Operations > Catalog > User > Guest Sponsor Summary Report page. This is likely due to the fact that the current ACCUTE version used in Cisco ISE is not supported by the latest versions of Firefox. CSCue16801 Cisco ISE Reports do not show all data when the report period crosses years The Cisco ISE report does not display any entries later than 31 December when the report period spans multiple years. Workaround You may use a time period falling within a single calendar year. CSCue38038 Users are unable to log in when cookies are disabled Users who are not accessing the Cisco ISE network via client provisioning or native supplicant provisioning are unable to log in using the Guest Portal and receive a “Cookies are disabled, please enable cookies” error message on the page. Note For Android devices (Samsung Galaxy, Motorola Tab) using default browsers, no warning message is displayed if cookies are disabled, and the end user is redirected to the login page without any warning. Workaround End users may resolve this issue by enabling cookies in their browser. CSCug66959 Cisco ISE displays Certification Expiration alarms for all nodes in the deployment. You might receive Certification Expiration warning messages in Cisco ISE, Release 1.1.x deployment. This alarm gets triggered because of an issue in Cisco ISE 1.1.x and can be ignored. Workaround Delete and import the certificates again. CSCug79657 Catalyst 3850 fails to profile an endpoint coming from Wireless MAB/MAC-Filtering-ISE While connecting to wireless MAB from Windows 7 client using Catalyst 3850 switch, the client is not able to connect to MAB SSID due to missing attributed in the RADIUS packet sent by the switch. The endpoints do not get profiled and the MAB request fails. Workaround Add the additional configuration 'radius-server attribute 31 send nas-port-detail mac-only' in the switch. Release Notes for Cisco Identity Services Engine, Release 1.1.x 120 OL-26136-01 Cisco ISE Release 1.1.x Open Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCug79736 Redirection is unsuccessful intermittently at client from Catalyst 3850 Switch While authenticating clients with wireless MAB/Dot1x using Catalyst 3850, the redirection to pages like Client Provisioning, Native Supplicant Provisioning, or Guest Portal does not happen automatically. Workaround Clear the existing session in the switch, and then try again. CSCug83908 Getting Blank Page for Client Provisioning Redirect if JavaScript is disabled A blank page is displayed when a Client Provisioning redirect occurs and JavaScript is disabled. This issued occurs on IE, Firefox, or Chrome when a normal dot1X flow is configured and a device connects to a dot1X SSID. It also occurs if a Guest user comes through MAC Address Bypass (MAB) and Client Provisioning is configured for Guest users. Workaround There is no known workaround for this issue. CSCug85725 Cisco ISE patch may not work as expected if you run the application reset-config ise command from the CLI after patch installation. Some of the bug fixes resolved in the patch are uninstalled when you run the application reset-config command after patch installation. Workaround We recommend that you to uninstall the applied patch(es) first before running the application reset-config command and then install the patch(es) as necessary once the Cisco ISE application configuration is reset. CSCug85972 Sometimes, the Authorization Policy page is not listing authorization policies in the Mozilla Firefox 20.0.0 browser The Mozilla Firefox 20.0.0 browser displays authorization policies intermittently while editing endpoint identity groups when they are used in authorization policies. It displays all authorization policies properly, if you navigate away from the Authorization Policy page and return back to the Authorization Policy page. CSCuh05898 Message should say “Enable JavaScript” instead of “Enable Java” in MAC OSX This issue occurs on the Mac OSX and the Safari browser when JavaScript is disabled on the client and a single SSID flow is configured. The wrong message is displayed when the Safari browser is redirected to the NSP portal. Workaround There is no known workaround for this issue. CSCuh09116 Inconsistent message when JavaScript is disabled in Android browser When JavaScript is disabled and an Authorization policy is configured for either as single or dual SSID BYOD flows, a message displayed saying that “JavaScript is disabled.” but the instructions for enabling JavaScript are for either the Chrome browser or the Safari browser. Workaround There is no known workaround for this issue. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 121 Cisco ISE Release 1.1.x Resolved SPW Caveats Table 45 Cisco ISE Release 1.1.x Open Caveats (continued) Caveat Description CSCuh29820 Windows surface tablets are being detected as Microsoft Workstations EP Windows surface tablets hit the wrong authentication policy, which leads to issues in the BYOD/Guest Flow. Workaround There is no known workaround for this issue. CSCuh37511 Unexpected Acct-Status-Type: [Stop] for method MAB after URL redirect While trying wired MAB to Dot1x with PEAP flow in a Windows 7 client using WS-C3780-48P-S, it is not redirected to the Client Provisioning page. The issue happens as the switch sends Accounting Stop request before being directed to the Client Provisioning page. Workaround Disconnect and connect the network adaptor after NSP is finished to get the Client Provisioning page. CSCuo81045 Changes in Agent Profile not Reflecting in Agent Configuration File Agent changes are not automatically updated in the agent configuration file. Workaround Re-map the agent profile using the Client Provisioning page. Cisco ISE Release 1.1.x Resolved SPW Caveats The following tables list the resolved SPW caveats in Cisco ISE Release 1.1.x. Table 46 Resolved SPW Caveats for Windows Caveat Description SPW Version CSCug95980 ISE NSP does not support SDIO based Wireless Adapters 1.0.0.31 CSCug66885 Windows SPW - Trusted Root CA not set in network profile 1.0.0.30 CSCud65260 DualSSID_Win7_PEAP_AutoLogin NSP not connecting to Closed SSID 1.0.0.29 CSCud01247 BYOD: Messages are not localized 1.0.0.28 CSCud56448 PEAP Supplicant Provisioning does not set Validate Server Certificate 1.0.0.28 CSCue38943 BYOD: Characters corrupted. A vertical line appears at the end of the Applying Configuration screen 1.0.0.28 CSCue43405 Windows 8 - Dual SSID is broken (MAB + PEAP), if wrong networking password is entered in SPW” 1.0.0.28 CSCue43413 Login failure message displayed in dual SSID (MAB + PEAP) 1.0.0.28 CSCue47503 Win SPW v1.0.0.27 fails with Wired dual SSID (MAB > PEAP) 1.0.0.28 CSCud05296 NSP installation on Windows 8 failed 1.0.0.26 Release Notes for Cisco Identity Services Engine, Release 1.1.x 122 OL-26136-01 Cisco ISE Release 1.1.4 Resolved Caveats Table 47 Resolved SPW Caveats for Mac OS X Caveat Description SPW Version CSCuf61159 Wired MAC10.8.3-Fails to auto re-connect to network using new profile 1.0.0.21 CSCug16632 BYOD CR: SPW configures the profile and succeeds even when PDP is down 1.0.0.20 CSCug18081 NSP page does not show status of Mac SPW consistently 1.0.0.20 CSCuf03318 Network Setup Assistant fails, if user clicks ‘Cancel’ in the Config 1.0.0.19 profile Tool CSCue53450 Cisco Network Setup Assistant copy right year should be changed 1.0.0.19 CSCue62005 Mac SPW 1.0.0.17 is not able to configure wired adapters 1.0.0.18 CSCud00349 Translation property file has new line character in the JA translation 1.0.0.17 property file CSCud64592 MAC OSX 10.6.8: Fails to connect to Closed SSID using the TSL Profile CSCub29212 In MAC 10.8, modify Sys network config needs confirmation from 1.0.0.15 sys admin CSCuc42511 Localization for nsp wizards - support for additional languages CSCub27769 ISE does not block both wired and wireless interface MAC for lost 1.0.0.13 devices CSCub65963 Certificate Enrollment is vulnerable to session Hija CSCub29185 MAC 10.8: Agent and SPW fails to install, when "MAC App Store 1.0.0.11 and identified developers" is selected in the Security & Privacy Preference Pane. 1.0.0.16 1.0.0.14 1.0.0.12 Cisco ISE Release 1.1.4 Resolved Caveats The following table lists the resolved server-side caveats in Cisco ISE, Release 1.1.4. Table 48 Resolved Caveats in Cisco ISE Release 1.1.4 Patches Caveat Description CSCth95432 All OUIs in IEEE need to be resolved to names by profiler CSCtx35984 Profiler unable to save into DB - SSL Handshake exception error CSCuc07816 Must be able to purge MnT data from CLI CSCuc29014 Profiling conditions edit throws null error with NullPointerException CSCuc48613 Google Chrome can cause reordering of Authorization Policy rules CSCuc58992 IP address of the endpoints is not getting updated correctly CSCuc74270 Authorization policy match fails following Active Directory password change CSCud65479 Device registration Change of Authorization loop with posturing enabled CSCud83514 ISE session database growing too large, causing homepage blank Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 123 Cisco ISE Release 1.1.4 Resolved Caveats Table 48 Resolved Caveats in Cisco ISE Release 1.1.4 Patches (continued) Caveat Description CSCue14864 Endpoint statically assigned to ID group may appear in different group CSCue16774 Profiler purge process is not running, EndPoint Cache grows past memory limits CSCue25407 Wrong Authentication Policy match: Cisco ISE initiates MAB instead of 802.1x CSCue28066 IP address field missing during editing/duplicating NADs CSCue31190 Sponsor users editing guest accounts may cause internal server errors CSCue41912 NAC agent is not triggered on Windows 8 client CSCue49305 Device registration is disabled if JavaScript is disabled for Safari or Chrome browsers on iOS and Android platforms CSCue49317 SCEP enrolment failure if the user name is prefixed with AD domain name CSCue50838 An arrayOutOfBoundException occurs during Certificate provisioning CSCue53508 Limit SNMP Query based of RADIUS Acct Start Event CSCue58842 Valid email refused in Cisco ISE Guest Portal CSCue59806 'NAC Server not available' error is thrown - EAP failure error (No response) CSCue60442 Authorization policies disappear after modifying the name of the parent endpoint identity group in Cisco ISE CSCue62940 Incremental Backup without Full Backup gets Stuck in Running CSCue67900 Termination-Action returns RADIUS-Request CSCue71407 Guest and Sponsor language templates disappear from database CSCue71478 Remove ACS-Session-ID from attribute suppression white-list CSCue71874 Re-profiling process check continuously running CSCue73865 Cisco ISE is unable to authenticate users against Active Directory with SmbServerNameHardeningLevel=1 CSCue83454 In CWA, ISE is not able to learn guest user IP address CSCue84050 Enhancements to support CARS UDI validation for recognizing incorrect UDI format. It is observed that PID section of the UDI is not burned properly for NAC 33x5 devices. As a result, ISE installation on those devices fails. These enhancements enable support for ISE Release 1.1.4 installation on certain NAC-33XX units that have a variable length UDI PID CSCue86661 Cisco ISE does not match a compound condition with multiple conditions in a policy rule CSCue90444 When an active IPEP node fails, the VPN traffic drops CSCue96100 Enhancements to support the installation of Cisco SNS-3400 Series (SNS-3415 and SNS-3495) appliances in Cisco ISE Release 1.1.4 CSCue96626 Address purging issues CSCuf05267 BYOD usability - Provide API to poll BYOD status CSCuf08298 Collect only the attributes that are used in profiling policies CSCuf17123 Shell script to create bootable USB is missing CSCuf20919 Guests can view accounts from each other through self-service Release Notes for Cisco Identity Services Engine, Release 1.1.x 124 OL-26136-01 Cisco ISE Release 1.1.4 Resolved Caveats Table 48 Resolved Caveats in Cisco ISE Release 1.1.4 Patches (continued) Caveat Description CSCuf47857 BYOD enhancements CSCuf56635 HP Jetdirect Printer is incorrectly profiled as HP-Device using DHCP probe CSCuf59973 Swapped NIC problem observed on ISE Release 1.1.4 with CIMC version 1.4.6c and BIOS 1.4.6a.0 during installation of 1.1.4.207 on 3495 CSCuf66747 Guest user notification substitution uses system timezone instead of user timezone CSCuf71124 PAP admin login failed for consecutive purge operations CSCuf73365 The show tech-support command shows wrong RAID information CSCuf90492 ISE cannot process large SGT matrices or send radius messages larger than 4k CSCuf90513 Multiple Policy Service node’s attempt to write the same profile data to the database that causes high CPU usage CSCug04743 The order of policies change on Authentication, Posture and CP Policy pages when using Google Chrome CSCug06716 Cisco ISE Centrify AD domain whitelisting breaks machine authentication CSCug15615 BYOD CR: Error message needs to be modified for a disabled NSP policy (NSPMsg.FAIL_NSP_DISABLE) CSCug20065 Unable to enforce RBAC as desired to a custom admin CSCug34981 Incorrect authorization policy match for Self Service Guests when the profiler CoA is set to ReAuth CSCug35133 The attribute Service-Type is changing often with the radius probe and causing high CPU usage CSCug37245 SCEP enrolment fails when using certificates from different CAs CSCug44228 BYOD success message is shown before CoA and can cause a loop and a network connection error message on the browser CSCug68792 Incomplete Backup Process Status in UI CSCug69605 BYOD: Fingerprint exception on Cisco ISE when CA certificate is retrieved via SCEP CSCug72958 Profiling functionality is broken while editing policies CSCug74166 Identity groups are corrupted after changing the parent identity group name CSCug76995 Unable to add user after changing the parent user identity group name CSCug77406 Increase retention of ASA VPN sessions to 120 hours (5 days) CSCug78350 To install the NAC Agent on IE 10, you must enable compatible mode CSCug78636 Disable Diagnostics Issue CSCug79123 Messages are displaying in vertical format in IE CSCug79181 Secure SSID is visible with a PEAP profile, but not with an EAP-TLS profile, when the secure SSID was not broadcasted CSCug80970 Wrong button is displayed when the session is lost during NSPWizard installation process CSCug95429 Profiler: IP attribute unnecessarily being updated CSCug98513 Integrate components to support AD 2012 or mixed mode (2008) Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 125 Cisco ISE Release 1.1.3 Resolved Caveats Table 48 Resolved Caveats in Cisco ISE Release 1.1.4 Patches (continued) Caveat Description CSCug99304 ISE replication gets disabled due to expired certificates even though they are valid CSCuh12487 Null value associated with SNMP GET after call from NMAP fails CSCuh17560 Suppress Accounting update packets in Cisco ISE 1.1.x CSCuh23189 ISE: Using Internal Identity User can gain access to Admin Dashboard CSCuh29915 ID group add button window shrinks CSCuh36595 Custom Guest Self Registration Result should not write to file system CSCuh43440 ISE needs to improve logging mechanism to keep track of backup failures CSCuh43470 Cisco ISE Authentication failures alarm threshold definition CSCuh43528 Cisco ISE Alarm Authentication failures count incorrectly shows "%" in details CSCuh54747 Search is not working in object selector if we change the views CSCuh56861 Cisco ISE Active Endpoints count on dashboard home page does not decrement CSCuh67300 ISE redirects to default guest pages when configured for custom pages CSCuh70984 Database purging alarms on ISE due to open cursors exceeded CSCui22841 Apache Struts2 command execution vulnerability CSCui41569 BYOD Supplicant Provisioning Status query should be optimized CSCui56071 ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates CSCui75669 Endpoint update calls from guest-portal causing replication issues CSCuj35109 LWA is broken in iOS 7 devices with ISE 1.1.3 patch 6 CSCuj45431 ISE Support for Mac OS X 10.9 NAC Agent CSCuj51094 Captured TCPDump file is not working CSCuj60796 ISE Support for IE 11 Cisco ISE Release 1.1.3 Resolved Caveats The following table lists the resolved server-side caveats in Cisco ISE, Release 1.1.3. Table 49 Resolved Caveats in Cisco ISE, Release 1.1.3 Patches Caveat Description CSCte69572 NAC Web Agent fails when more than one browser is trying to install CSCth95432 All OUIs in IEEE need to be resolved to names by profiler CSCto03644 Tray icon flickers click focus if user changes apps from login OK CSCto49390 NAC Agent 4.8.1.5 takes long time to login CSCtr28855 Web Agent logs does not show the OPSWAT SDK Version CSCtw62033 Mac OS X Agent log time should use UTC if not configurable CSCtw98454 Cisco ISE Guest accounting report filter not working CSCtx35984 Profiler unable to save into DB - SSL Handshake exception error Release Notes for Cisco Identity Services Engine, Release 1.1.x 126 OL-26136-01 Cisco ISE Release 1.1.3 Resolved Caveats Table 49 Resolved Caveats in Cisco ISE, Release 1.1.3 Patches (continued) Caveat Description CSCty04128 AV Remediation success while def update is blocked, full access granted CSCua05433 Import of identity groups and identities does not maintain membership CSCua12479 HTTP profiling in ISE 1.1 is done after Guest Authentication CSCub05899 ISE cannot import CA cert with non-standard field CSCub18575 Problem with sponsor accounts starting with a "0" CSCub26470 Wireless license shows Advanced and Base license as “Eval” CSCub29212 Mac OS 10.8 clients require confirmation from a system administrator to modify the System network configuration CSCub32594 ISE: Inline posture node is not accepting policy from PDP CSCub35046 ISE custom guest portal results page includes unused fields CSCub62481 CSCub44915 ActivatedGuest fails radius authentication with FromFirstLogin time prof CSCub45895 UTFDataFormatException upon saving LDAP groups with multiple OUs/DCs CSCub54464 Unable to delete SSH keys with "ssh delete host" command CSCub61252 Need to disable list of services through the AXIS configuration file CSCub70759 Email id of guest users more than 24 chars getting truncated CSCub74879 NAC posture check fails for IE8 KB2544521 CSCub82418 Dual SSID failing as Profiled endpoints mac is changed to PDP's MAC CSCub99507 Remediation not working correctly with nacagent / ISE CSCuc07816 Must be able to purge MnT data from CLI CSCuc08926 NAC WebAgent posture check fails for IE8 KB2544521 CSCuc13075 Endpoints are being saved with EndpointPolicy as Unknown CSCuc18502 Cisco ISE upgrade from release 1.1 to 1.1.1 fails because of Blacklist authorization CSCuc29014 Profiling conditions edit throws null error with NullPointerException CSCuc31098 Backup should not be triggered when there is no sufficient disk space CSCuc46719 High CPU usage in ISE if profiling data cannot be written to database CSCuc48613 Google Chrome can cause reordering of Authorization Policy rules CSCuc61143 Cisco ISE redirects to default login portal (instead of custom) when cookies are disabled CSCuc74270 Authorization policy match fails following Active Directory password change CSCuc84467 When retrieved group with ' AD page indicate problem CSCud00831 EAP-TLS authentications failing with x509 decrypt error CSCud04633 Java causing ISE Out of Memory Error CSCud05296 NSP on Window 8 is broken CSCud08580 Authentication does not have UserInfo object set in the thread local var CSCud11139 XSS Vulnerability in ISE Guest portal CSCud12095 Purge job fails to complete in ISE 1.1.1 Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 127 Cisco ISE Release 1.1.3 Resolved Caveats Table 49 Resolved Caveats in Cisco ISE, Release 1.1.3 Patches (continued) Caveat Description CSCud20033 IP phone and workstation profiled as cisco access point CSCud20871 ISE- 86107-Session cache entry missing during guest authentication. CSCud21349 Mac CCAAgent Posture Process will not start for non-English languages CSCud33787 Edit and saving a Guest user fails with internal error CSCud65479 Device registration Change of Authorization loop with posturing enabled CSCud83514 ISE session database growing too large, causing homepage blank CSCud85806 Purge Operation Fails Intermittently CSCue00010 Configuration backup command need to exclude mnt tablespace CSCue00631 Add CNA wispr to list of ignored user agents CSCue16774 Profiler purge process not running. EP Cache growing past memory limits CSCue25407 Wrong Authentication Policy match: Cisco ISE initiates MAB instead of 802.1x CSCue28066 IP address field missing during editing/duplicating NADs CSCue29044 Timesten configuration setting change CSCue30368 Parsing of subject field of certificate fails CSCue31190 Sponsor users editing guest accounts may cause internal server errors CSCue33406 Default enable the "Number of authentications exceed threshold" alarm CSCue41912 NAC agent is not triggered on Windows 8 client CSCue49305 Device registration is disabled if JavaScript is disabled for Safari or Chrome browsers on iOS and Android platforms. CSCue49317 SCEP enrolment failure if the user name is prefixed with AD domain name CSCue50838 An arrayOutOfBoundException occurs during Certificate provisioning. CSCue58842 Valid email refused in ISE Guest Portal CSCue59806 'NAC Server not available' error thrown - EAP failure error (No response) CSCue60442 Authorization policies disappear after modifying the name of the parent endpoint identity group in Cisco ISE CSCue62940 Incremental Backup without Full Backup gets Stuck in Running CSCue67900 Termination-Action returns RADIUS-Request CSCue71407 Guest and Sponsor language templates disappear from database. CSCue73865 Cisco ISE is unable to authenticate users against Active Directory with SmbServerHardening=1 CSCue83454 In CWA, ISE is not able to learn guest user IP address CSCue86661 ISE may not match compound condition with multiple conditions CSCue90444 When an active IPEP node fails, the VPN traffic drops. CSCue96626 Address purging issues CSCue98661 ISE NAC Agent on Windows 8 checks for AV that is not selected CSCuf05267 BYOD usability - Provide API to poll BYOD status. CSCuf08298 Collect only the attributes that are used in profiling policies Release Notes for Cisco Identity Services Engine, Release 1.1.x 128 OL-26136-01 Cisco ISE Release 1.1.3 Resolved Caveats Table 49 Resolved Caveats in Cisco ISE, Release 1.1.3 Patches (continued) Caveat Description CSCuf20919 Guests can view accounts from each other through self-service CSCuf47857 BYOD enhancements CSCuf56635 HP Jetdirect Printer incorrectly profiled as HP-Device using DHCP probe CSCuf66747 Guest user notification substitution uses system timezone instead of user timezone CSCuf71124 PAP admin login failed for consecutive purge operations CSCuf90492 ISE cannot process large SGT matrices or send radius messages larger than 4k CSCuf90513 Multiple Policy Service node’s attempt to write the same profile data to the database that causes high CPU usage. CSCug04743 The order of policies change on Authentication, Posture and CP Policy pages when using Google Chrome CSCug06716 Cisco ISE Centrify AD domain whitelisting breaks machine authentication CSCug15615 BYOD CR: Error message needs to be modified for NSPMsg.FAIL_NSP_DISABLE a disabled NSP policy CSCug20065 Unable to enforce RBAC as desired to a custom admin CSCug34981 Incorrect authorization policy match for Self Service Guests when the profiler CoA is set to ReAuth CSCug35133 The attribute Service-Type is changing often with the radius probe and causing high CPU usage CSCug37245 SCEP enrolment fails when using certificates from different CAs CSCug44228 BYOD success message is shown before CoA and can cause a loop and a network connection error message on the browser CSCug68792 Incomplete Backup Process Status in UI CSCug69605 BYOD: Fingerprint exception on Cisco ISE when CA cert is retrieved via SCEP CSCug72958 1.1.2 Patch 7 - Profiling functionality is broken while editing policies CSCug74166 Identity groups are corrupted after changing the parent identity group name CSCug76995 Unable to add user after changing the parent user identity group name CSCug77406 Increase retention of ASA VPN sessions to 120 hours (5 days) CSCug78350 To install the NAC Agent on IE 10, you must enable compatible mode CSCug78636 Disable Diagnostic Issue CSCug79123 Messages are displaying in vertical format in IE CSCug79181 IOS: not able to see closed SSID if it isn't broadcasted if profile is TLS CSCug80970 Wrong button is displayed when the session is lost during NSPWizard installation process CSCug90502 ISE Blind SQL Injection Vulnerability CSCug95429 Profiler: IP attribute unnecessarily being updated CSCug98513 Integrate components to support AD 2012 or mixed mode (2008) CSCug99304 ISE replication gets disabled due to expired certificates even though they are valid CSCuh12487 Null value associated with SNMP GET after call from NMAP fails Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 129 Cisco ISE Release 1.1.2 Resolved Caveats Table 49 Resolved Caveats in Cisco ISE, Release 1.1.3 Patches (continued) Caveat Description CSCuh17560 Suppress Accounting update packets in ISE 1.1.x CSCuh23189 ISE: Using Internal Identity User can gain access to Admin Dashboard CSCuh29915 ID group add button window shrinks CSCuh36595 Custom Guest Self Registration Result should not write to file system CSCuh43440 ISE needs to improve logging mechanism to keep track of backup failures CSCuh43470 ISE Authentication failures alarm threshold definition CSCuh43528 ISE Alarm Authentication failures count incorrectly shows "%" in details CSCuh54747 Search is not working in object selector if we change the views CSCuh56861 ISE Active Endpoints count on dashboard home page does not decrement CSCuh67300 ISE redirects to default guest pages when configured for custom pages CSCuh70984 Database purging alarms on ISE due to open cursors exceeded CSCui22841 Apache Struts2 command execution vulnerability CSCui41569 BYOD Supplicant Provisioning Status query should be optimized CSCui56071 ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates CSCui57374 ISE IPEP Invalid RADIUS Authenticator error during high load CSCui67495 Uploaded Filenames/Content Not Properly Sanitized CSCui67511 Certain File Types are not Filtered and are Executable CSCui75669 Endpoint update calls from guest-portal causing replication issues CSCuj35109 LWA is broken in iOS 7 devices with ISE 1.1.3 patch 6 CSCuj45431 ISE Support for Mac OS X 10.9 NAC Agent CSCuj51094 Captured TCPDump file is not working CSCuj60796 ISE Support for IE 11 CSCul02860 Struts Action Mapper Vulnerability CSCul03127 Struts 2 Dynamic Method Invocation Vulnerability CSCun25178 Fetching Group Information Takes a Long Time Because of SIDHistory Cisco ISE Release 1.1.2 Resolved Caveats The following table lists the resolved server-side caveats in Cisco ISE, Release 1.1.2. Table 50 Resolved Caveats in Cisco ISE, Release 1.1.2 Patches Caveat Description CSCtx81905 Cisco ISE returns an error message while registering one node to another CSCty51260 Active Directory “dn” attribute does not work for authorization policies CSCty98551 Race condition between CoA event and persistence event during initial endpoint login Release Notes for Cisco Identity Services Engine, Release 1.1.x 130 OL-26136-01 Cisco ISE Release 1.1.2 Resolved Caveats Table 50 Resolved Caveats in Cisco ISE, Release 1.1.2 Patches (continued) Caveat Description CSCtz13306 Monitoring and Troubleshooting collector cannot collect posture audit logs to generate report CSCtz41452 Evaluation license counter incrementing when wireless license installed CSCtz67814 Replication disabled for secondary node CSCtz99077 ISE refuses valid email address as user email field CSCua05433 The endpoint identity import function does not maintain correct identity group membership CSCua50327 Cisco ISE Deployment page takes 40 to 50 seconds to render CSCua50627 Base license removes SGA attributes in device configuration CSCua55485 ISE distributed deployment does not work with split-domain configuration CSCua56980 Primary Administration ISE node is non-responsive over a period of time because of frozen database CSCua64378 Rate limit profiler endpoint updates to reduce the number of messages CSCua65587 Alarms For Authorization Profile Matches CSCua79768 EAP Chaining + Posture lost Compliant Session:PostureStatus in reauth CSCua89503 Collect only the attributes that are used in profiling policies CSCua92153 Cisco ISE does not validate Certificate Signing Requests correctly CSCub03210 Alpha- DB Connection leakage when the rollback fails CSCub19485 RADIUS Dictionary Export does not export “Direction” or “Description” CSCub28834 Inline Posture node not displaying logs CSCub71617 IP Phones 7942 with MAC address prefix 5C:50:15 are not profiled on ISE CSCub85511 IE Protected mode - provisioning without adding site to trusted list CSCub95755 Backup and cleanup scripts causing failures CSCuc06431 End point import not working with policy names included in CSV file CSCuc19682 Cisco ISE purge operation corrupts indexes in some database tables CSCuc34292 Mac OS 10.8: Both NAC Agents and Supplicant Provisioning Wizards fail to register with Cisco ISE if the “MACAppStore&iden. developer” string is missing CSCuc44535 EAP Chaining + Posture fails for inner methods other than EAP-MSCHAP CSCuc51338 Sessions leak when rule based policy performed with proxy result CSCuc58992 IP address of the endpoints is not getting updated correctly CSCuc64732 Detecting a name change behaves case-sensitive CSCud43467 Periodic Reassessment check functionality not working CSCud65479 ISE DRW COA loop with posturing enabled CSCue14864 Endpoint statically assigned to ID group may appear in different group CSCue53508 Limit SNMP Query based of RADIUS Acct Start Event CSCue59806 'NAC Server not available' error thrown - EAP failure error CSCue60442 Authorization Policy disappears after modifying Identity Group Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 131 Cisco ISE Release 1.1.1 Resolved Caveats Table 50 Resolved Caveats in Cisco ISE, Release 1.1.2 Patches (continued) Caveat Description CSCue71478 Remove ACS-Session-ID from attribute suppression white-list CSCue71874 Re-profiling process check continuously running CSCuf08298 Collect only the attributes that are used in profiling policies CSCuf56635 HP Jetdirect Printer incorrectly profiled as HP-Device using DHCP probe CSCuf66747 Guest user notification substitution uses system timezone instead of user timezone CSCuf90513 Multiple PSN's attempt to write same profile data to db causes high CPU CSCui22841 Apache Struts2 command execution vulnerability Cisco ISE Release 1.1.1 Resolved Caveats The following table lists the resolved server-side caveats in Cisco ISE, Release 1.1.1. Table 51 Resolved Caveats in Cisco ISE, Release 1.1.1 Patches Caveat Description CSCto03644 Tray icon flickers click focus if user changes applications from login OK CSCto19507 Mac OS X agent does not prompt for upgrade when coming out of sleep mode CSCto87799 Guest authentication fails, if the web browser is using old session information CSCto97422 Auto Popup does not happen after clicking Cancel during remediation failure CSCts45441 Weird behavior with creating guest account using start-end time profile CSCtu05540 Monitoring and Troubleshooting node does not show Active Directory External Groups following authentication failure CSCtx01136 Cisco NAC Agent is not performing posture assessment CSCtx07670 Profiler conditions that are edited wind up corrupting Profiler policies CSCtx25213 IP table entry needs cleanup after deregistering a secondary node CSCtx33747 RBAC admin cannot access deployment page and perform deployment-related functions CSCtx51454 Unable to retrieve administrator users list CSCtx74574 Device Configure Deployment option selected after upgrade from software release 1.0 to release 1.1 CSCtx77149 Disk space issue CSCtx94839 Clicking on logout link on the AUP page of Device Registration Webauth flow appears to do nothing CSCtx97190 Cisco 3750 switch is profiled as “Generic Cisco Router” CSCty02379 Cisco ISE runs out of space due to a backlog of pending messages in the replication queue CSCty10461 Cannot register a Cisco ISE node with UTF-8 characters in administrator name CSCty15646 Monitoring and Troubleshooting debug log alert settings get reset to WARN Release Notes for Cisco Identity Services Engine, Release 1.1.x 132 OL-26136-01 Known Issues Table 51 Resolved Caveats in Cisco ISE, Release 1.1.1 Patches (continued) Caveat Description CSCty16603 Administrator ISE node promotion fails, resulting in disabled replication status CSCty23790 Internet Explorer 8 is unable to import endpoints from LDAP CSCty40077 Shared Secret Key for Inline Posture node Network Access Device is not created or updated CSCty54756 Indexes corrupted in Monitoring and Troubleshooting node database CSCty59165 SNMPQuery Probe events queue runs out of memory CSCty80451 Failed to authenticate external admin (AD user) when configured user to change password at the next log in CSCtz28057 After upgrade to release 1.1, Cisco ISE is still in “initializing” state CSCtz45714 Incorrect authentication and authorization match on client machine CSCub29185 Mac Agent not getting installed when the “MAC App Store” and “identified developers” options are enabled on the client CSCub32594 Inline posture node does not accept a policy from the associated Policy Service node CSCub82071 Unable to Install/Upgrade Mac agent 4.9.0.654 on Mac OS X 10.7.4 Client CSCui22841 Apache Struts2 command execution vulnerability Known Issues • Cisco ISE Release 1.1.3 and Earlier Does Not Support Google Chrome For the Administrative User Interface, page 134 • Cisco ISE Hostname Character Length Limitation with Active Directory, page 134 • Windows Internet Explorer 8 Known Issues, page 134 – Issue Accessing the Cisco ISE Administrator User Interface – Cisco Secure ACS-to-Cisco ISE Migration User Interface Issue Using IE8 – User Identity Groups User Interface Issue With IE 8 • Issues With 2k Message Size in Monitoring and Troubleshooting, page 135 • Issues With More Than Three Users Accessing Monitoring and Troubleshooting Concurrently, page 135 • Inline Posture Restrictions, page 135 • Cisco IP phones using EAP-FAST, page 135 • Internationalization and Localization, page 135 • Issues with Monitoring and Troubleshooting Restore, page 136 Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 133 Known Issues Cisco ISE Release 1.1.3 and Earlier Does Not Support Google Chrome For the Administrative User Interface Google Chrome is not a supported browser for use with the Administrative User Interface of the Cisco Identity Service Engine (ISE), Release 1.1.3 and earlier versions. If you use Google Chrome to edit the authorization policy rules, the policy ranking order might change, which impacts authorization of end users. This issue is limited to authenticated admin users with permissions to manage Cisco ISE authorization polices. This issue does not apply to end users who use Google Chrome for web authentication for network access. Cisco ISE Hostname Character Length Limitation with Active Directory It is important that Cisco ISE hostnames be limited to 15 characters or less in length, if you use Active Directory on your network. Active Directory does not validate hostnames larger than 15 characters. This can cause a problem if you have multiple ISE hosts in your deployment whose hostnames are identical through the first 15 characters, and are only distinguishable by the characters that follow (the first 15). Windows Internet Explorer 8 Known Issues • Issue Accessing the Cisco ISE Administrator User Interface • Cisco Secure ACS-to-Cisco ISE Migration User Interface Issue Using IE8 • User Identity Groups User Interface Issue With IE 8 Issue Accessing the Cisco ISE Administrator User Interface When you access the Cisco ISE administrator user interface using the host IP address as the destination in the Internet Explorer 8 address bar, the browser automatically redirects your session to a different location. This situation occurs when you install a real SSL certificate issued by a Certificate Authority like VeriSign. If possible, Cisco recommends using the Cisco ISE hostname or fully qualified domain name (FQDN) you used to create the trusted SSL certificate to access the administrator user interface via Internet Explorer 8. Cisco Secure ACS-to-Cisco ISE Migration User Interface Issue Using IE8 There is a known migration consideration that affects successful migration of Cisco Secure ACS 5.1/5.2 data to the Cisco ISE appliance using the Cisco Secure ACS 5.1/5.2-ISE 1.0 Migration Tool. The only currently supported browser for downloading the migration tool files is Firefox version 3.6.x. Microsoft Windows Internet Explorer (IE8 and IE7) browsers are not currently supported for this function. For more information, see the Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.1.x. Release Notes for Cisco Identity Services Engine, Release 1.1.x 134 OL-26136-01 Known Issues User Identity Groups User Interface Issue With IE 8 If you create and operate 100 User Identity Groups or more, a script in the Cisco ISE administrator user interface Administration > Identity Management > User Identity Groups page can cause Internet Explorer 8 to run slowly, looping until a pop-up appears asking you if you want to cancel the running script. (If the script continues to run, your computer might become unresponsive.) Issues With 2k Message Size in Monitoring and Troubleshooting Cisco ISE monitoring and troubleshooting functions are designed to optimize data collection performance messages of 8k in size. As a result, you may notice a slightly different message performance rate when compiling 2k message sizes regularly. Issues With More Than Three Users Accessing Monitoring and Troubleshooting Concurrently Although more than three concurrent users can log into Cisco ISE and view monitoring and troubleshooting statistics and reports, more than three concurrent users accessing Cisco ISE can result in unexpected behavior like (but not limited to) monitoring and troubleshooting reports and other pages taking excessive amounts of time to launch, and the application sever restarting on its own. Inline Posture Restrictions • Inline Posture is not supported in a virtual environment, such as VMware. • The Simple Network Management Protocol (SNMP) Agent is not supported by Inline Posture. • The Cisco Discovery Protocol (CDP) is not supported by Inline Posture. Cisco IP phones using EAP-FAST Cisco ISE, Release 1.0 does not support Cisco IP phones that are using EAP-FAST with certificates. Cisco recommends using EAP-TLS with IP phones in your network. Internationalization and Localization This section covers the known issues relating to internationalization and localization. Custom Language Templates If you create a custom language template with a name that conflicts with a default template name, your template is automatically renamed after an upgrade and restore. After an upgrade and restore, default templates revert back to their default settings, and any templates with names that conflict with defaults are renamed as follows: user_{LANG_TEMP_NAME}. Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 135 Documentation Updates Issues with Monitoring and Troubleshooting Restore During the Monitoring and Troubleshooting restore, Cisco ISE application on the Monitoring node restarts and the GUI is unavailable until the restore completes. Documentation Updates Table 52 Updates to Release Notes for Cisco Identity Services Engine, Release 1.1.x Date Description 5/15/14 Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 11, page 26 5/15/14 Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 11, page 46 4/14/14 Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 10, page 27 3/19/14 Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 10, page 47 2/18/14 Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 9, page 47 2/18/14 Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 9, page 27 11/11/13 Added Support for Windows 8.1 and Mac OS X 10.9, page 25 11/11/13 Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 8, page 30 11/11/13 Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 8, page 50 10/21/13 Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 10, page 65 10/21/13 Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 7, page 74 10/11/13 Added FIPS Compliance, page 8 10/11/13 Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 7, page 31 10/11/13 Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 7, page 51 8/30/13 Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 6, page 33 8/30/13 Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 6, page 53 8/27/13 Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 5, page 33 Release Notes for Cisco Identity Services Engine, Release 1.1.x 136 OL-26136-01 Documentation Updates Table 52 Updates to Release Notes for Cisco Identity Services Engine, Release 1.1.x Date Description 8/23/13 Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 5, page 53 8/8/13 Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 6, page 74 8/7/13 Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 9, page 65 8/2/13 Added Resolved issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 4, page 34 8/2/13 Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 4, page 54 7/15/13 Added Resolved issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 3, page 34 7/15/13 Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 3, page 54 6/5/13 Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 2, page 38 6/5/13 Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 2, page 58 5/21/13 Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 8, page 66 5/13/13 Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 7, page 66 5/6/13 Added Resolved Issues in Cisco ISE Version 1.1.4.218—Cumulative Patch 1, page 42 4/26/13 Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 6, page 67 4/25/13 Cisco Identity Services Engine, Release 1.1.4 4/5/13 Added Resolved Issues in Cisco ISE Version 1.1.3.124—Cumulative Patch 1, page 62 4/5/13 Added Integration with Cisco Prime Network Control System, page 80 4/2/13 • Added CSCub17140 to Cisco ISE Release 1.1.x Open Caveats, page 80 • Added CSCuc48613 to Known Issues, page 133 3/15/13 Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 5, page 68 2/28/13 Cisco Identity Services Engine, Release 1.1.3 2/25/13 Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 4, page 70 2/1/13 Added CSCud02566 to Cisco ISE Release 1.1.x Open Caveats, page 80 1/11/13 Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 3, page 70 Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 137 Documentation Updates Table 52 Updates to Release Notes for Cisco Identity Services Engine, Release 1.1.x Date Description 12/21/12 Added Resolved Issues in Cisco ISE Version 1.1.2.145—Cumulative Patch 2, page 71 11/16/12 Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 5, page 75 11/2/12 Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 4, page 76 10/31/12 Cisco Identity Services Engine, Release 1.1.2 10/12/12 9/5/12 7/27/12 • Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 3, page 77 • Added caveats CSCub82418 and CSCuc34292 to Cisco ISE Release 1.1.x Open Caveats, page 80 • Added CSCub82071 to Cisco ISE Release 1.1.1 Resolved Caveats, page 132 • Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 2, page 78 • Added CSCua32575, CSCua71361, CSCub16453, CSCub17522, and CSCub45799 to Cisco ISE Release 1.1.x Open Caveats, page 80 • Added CSCtz45714 to Cisco ISE Release 1.1.1 Resolved Caveats, page 132 Added CSCub29185 and CSCub29212 to Cisco ISE Release 1.1.x Open Caveats, page 80 7/20/12 • Added Creating Activated Guests, page 22 to New Features in Cisco ISE, Release 1.1.1, page 19 7/17/12 • Added Resolved Issues in Cisco ISE Version 1.1.1.268—Cumulative Patch 1, page 79 • Added CSCub01822 to Cisco ISE Release 1.1.x Open Caveats, page 80 7/10/12 Cisco Identity Services Engine, Release 1.1.1 Release Notes for Cisco Identity Services Engine, Release 1.1.x 138 OL-26136-01 Related Documentation Related Documentation This section provides lists of related release-specific and platform-specific documentation. Release-Specific Documents Table 53 lists the product documentation available for the Cisco ISE Release. General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html. Table 53 Product Documentation for Cisco Identity Services Engine Document Title Location Release Notes for the Cisco Identity Services Engine, Release 1.1.x http://www.cisco.com/en/US/products/ps11640/ prod_release_notes_list.html Cisco Identity Services Engine Network Component http://www.cisco.com/en/US/products/ps11640/ Compatibility, Release 1.1.x products_device_support_tables_list.html Cisco Identity Services Engine User Guide, Release http://www.cisco.com/en/US/products/ps11640/ 1.1.x products_user_guide_list.html Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x http://www.cisco.com/en/US/products/ps11640/ prod_installation_guides_list.html Cisco Identity Services Engine Upgrade Guide, Release 1.1.x http://www.cisco.com/en/US/products/ps11640/ prod_installation_guides_list.html Cisco Identity Services Engine Migration Guide for http://www.cisco.com/en/US/products/ps11640/ Cisco Secure ACS 5.1 and 5.2, Release 1.1.x prod_installation_guides_list.html Cisco Identity Services Engine Sponsor Portal User http://www.cisco.com/en/US/products/ps11640/ Guide, Release 1.1.x products_user_guide_list.html Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x http://www.cisco.com/en/US/products/ps11640/ prod_command_reference_list.html Cisco Identity Services Engine API Reference Guide, Release 1.1.x http://www.cisco.com/en/US/products/ps11640/ prod_command_reference_list.html Cisco Identity Services Engine Troubleshooting Guide, Release 1.1.x http://www.cisco.com/en/US/products/ps11640/ prod_troubleshooting_guides_list.html Regulatory Compliance and Safety Information for http://www.cisco.com/en/US/products/ps11640/ Cisco Identity Services Engine, Cisco 1121 Secure prod_installation_guides_list.html Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler Cisco Identity Services Engine In-Box Documentation and China RoHS Pointer Card http://www.cisco.com/en/US/products/ps11640/ products_documentation_roadmaps_list.html Release Notes for Cisco Identity Services Engine, Release 1.1.x OL-26136-01 139 Related Documentation Platform-Specific Documents Links to other platform-specific documentation are available at the following locations: • Cisco ISE http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html • Cisco NAC Appliance http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html • Cisco NAC Profiler http://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html • Cisco NAC Guest Server http://www.cisco.com/en/US/products/ps10160/tsd_products_support_series_home.html • Cisco Secure ACS http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html This document is to be used in conjunction with the documents listed in the “Related Documentation” section. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. © 2014 Cisco Systems, Inc. All rights reserved. Release Notes for Cisco Identity Services Engine, Release 1.1.x 140 OL-26136-01