Release Notes for Cisco Identity Services Engine, Release 2.3

Revised: October 30, 2017

Contents
These release notes supplement the Cisco ISE documentation that is included with the product hardware
and software release, and cover the following topics:
• Introduction, page 2
• New Features in Cisco ISE, Release 2.3, page 2
• System Requirements, page 9
• Installing Cisco ISE Software, page 15
• Upgrading to Release 2.3, page 16
• Cisco Secure ACS to Cisco ISE Migration, page 27
• Known Limitations, page 27
• Features Not Supported in Cisco ISE, Release 2.3, page 28
• Cisco ISE License Information, page 28
• Deployment Terminology, Node Types, and Personas, page 29
• Requirements for CA to Interoperate with Cisco ISE, page 30
• Cisco ISE Installation Files, Updates, and Client Resources, page 31
• Using the Bug Search Tool, page 34
• Cisco ISE, Release 2.3.0.298 Patch Updates, page 35
• Cisco ISE, Release 2.3 Open Caveats, page 37
• Resolved Caveats, page 41
• Documentation Updates, page 40
• Related Documentation, page 41

Cisco Systems, Inc.
www.cisco.com

Introduction
The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution.
It offers authenticated network access, profiling, posture, BYOD device onboarding (native supplicant
and certificate provisioning), guest management, device administration (TACACS+), and security group
access services along with monitoring, reporting, and troubleshooting capabilities on a single physical
or virtual appliance. Cisco ISE is available on two physical appliances with different performance
characterization, and also as software that can be run on a VMware server. You can add more appliances
to a deployment for performance, scale, and resiliency.
Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with
centralized configuration and management. It also allows for configuration and management of distinct
personas and services. This feature gives you the ability to create and apply services where they are
needed in the network, but still operate the Cisco ISE deployment as a complete and coordinated system.
For more information about the features that are supported in Cisco ISE 2.3, see Cisco Identity Services
Engine Administrator Guide, Release 2.3.

Note We have recalled ISE 2.3 patch 1 due to an issue we found after posting. An updated patch file has been
reposted, and the new file name is ise-patchbundle-2.3.0.298-Patch1-221754.SPA.x86_64.tar.gz. If you
already installed the previously posted patch, you MUST uninstall that patch, and install the new one.

ISE Community Resource
Join the ISE Community to view resources, ask questions, and participate in discussions. See ISE
Product Documentation, Introduction to ISE, YouTube Videos, Feature and Integration Demos, and
Training Resources.
The examples and screenshots provided in the ISE Community resources might be from earlier releases
of Cisco ISE. Check the GUI for newer or additional features and updates.

New Features in Cisco ISE, Release 2.3
• CoA Logging Enhancements, page 3
• Context Visibility Enhancements, page 3
• Enable MAR Cache Distribution, page 3
• Export Command Sets and Syslog Messages, page 3
• Guest Enhancements, page 3
• IPv6 Support for External ID Store Attributes, page 4
• Key Type for Certificate Public Key, page 4
• Migration Tool Enhancements, page 4
• Network Device IP Address Range Support in all the Octets, page 4
• Policy Sets, page 5
• Posture Enhancements, page 5
• RADIUS DTLS Client Identity Check, page 5
• Read-only Administrator Support, page 5
• Reports Export Summary, page 6
• Schedule Policy Export, page 6
• Security Settings Page Enhancements, page 6
• Support for Network Device with IPv6 Address, page 8
• Upgrade Enhancements, page 8

CoA Logging Enhancements
The following attributes are additionally displayed for the CoA events in the Authentication details
report that is launched from the Live Logs page:
• CoASourceComponent—The component requesting the CoA, for example, profiler, posture, BYOD
onboard (NSP), and so on.
• CoAReason—The reason for the CoA to be triggered, for example, change in endpoint profile.
• CoAType—Shows the type of CoA event, for example, reauthentication, terminate, and so on.

Context Visibility Enhancements
The Application dashboard in the Context Visibility page helps you to identify the number of endpoints
that have a specified application installed. The results are displayed in graphical and tabular formats. The
graphical representation helps you make a comparative analysis. Applications are classified into 13
categories. Applications that do not fall into any of these categories are termed Unclassified.

Enable MAR Cache Distribution
Cisco ISE allows you to add or update the MAR cache distribution for the node groups. You must ensure
that MAR is enabled in the AD page before enabling this option.

Export Command Sets and Syslog Messages
You can export the command sets and syslog messages in CSV format.

Guest Enhancements
Guests can select a social login provider as a way to provide credentials as a self-registered guest, instead
of entering username and password in the guest portal. To enable this, you can configure a social media
site as an external identity source, and configure a portal that allows users to use that external identity
source (social login provider). Facebook is the social login provider supported by this release.

IPv6 Support for External ID Store Attributes
Cisco ISE allows you to configure the AD and LDAP server with an IPv4 or IPv6 address when you
manually add the attribute type IP and authenticate the user.

Key Type for Certificate Public Key
You can specify the algorithm to be used for creating the public key (RSA or ECDSA). You can also
specify the bit size for the public key. The following options are available for RSA:
• 512
• 1024
• 2048
• 4096
The following options are available for ECDSA:
• 256
• 384

Migration Tool Enhancements
The migration tool provides options to migrate ACS 4.x/ACS 5.x supported objects. The migration tool
lists the data objects based on the selection. The migration tool supports:
• Migration of users, identity groups, network devices, network device groups, and user-defined
attributes from ACS 4.x/5.x to Cisco ISE.
• Migration of policy rules having AND/OR conditions.
• Migration of network devices configured with IP address ranges in all the octets.
• Migration of date and time policies into multiple objects if the time table is configured with different
timings and days.
The migration tool now supports additional endpoint custom attributes, such as Date, IP Address,
Unsigned Integer 32, and Enumeration.

Network Device IP Address Range Support in all the Octets
You can configure the network devices with IP address ranges in all the octets. You can use a hyphen (-)
or asterisk (*) as a wildcard to specify a range of IP addresses. You can specify a single IP address, a subnet
address, or an IP address range in all the octets for the network device. Cisco ISE reports a validation error
if you provide an invalid IP address or range in the External REST interface.

Node Registration Made Easy
If the node uses a self-signed certificate that is not trusted, a certificate warning message is displayed.
The certificate warning message displays details about the certificate (such as, Issued-to, Issued-by,
Serial number, and so on), which can be verified against the actual certificate on the node. You can select
the Import Certificate and Proceed option to trust this certificate and proceed with registration. Cisco
ISE imports the default self-signed certificate of that node to the trusted certificate store of Primary PAN.
If you do not want to use the default self-signed certificate, you can click Cancel Registration and
manually import the relevant certificate chain of that node to the trusted certificate store of Primary PAN.

Policy Sets
Network access policies have now been consolidated together under Policy Sets, which can be accessed
from Policy > Policy Sets. Each policy set is a container defined on the top level of the policy hierarchy,
under which all relevant Authentication and Authorization policy and policy exception rules for that set
are configured. Multiple rules can be defined for both authentication and authorization, all based on
conditions. Conditions and additional related configurations can now also be easily accessed and reused
directly from the new Policy Set interface.
For more information about the new policy model, see New Policy Model, page 17.

Posture Enhancements
• Default policies added for anti-malware, application visibility, and firewall conditions.
• Default requirements added for application visibility, firewall, and USB conditions.
• Cisco Temporal Agent—By default, this temporal agent resides in the Cisco ISE ISO image, and is
uploaded to Cisco ISE during installation.
• Posture and client provisioning policies allow the matching of users and endpoints, including
Endpoint ID groups and endpoint custom attributes.

RADIUS DTLS Client Identity Check
You can choose the Enable RADIUS/DTLS Client Identity Verification option under RADIUS
settings if you want Cisco ISE to verify the identity of the RADIUS/DTLS clients during the DTLS
handshake. Cisco ISE fails the handshake if the client identity is not valid. Identity check is skipped for
the default devices, if configured. Identity check is performed in the following sequence:
1. If the client certificate contains the subject alternative name (SAN) attribute:
– If SAN contains the DNS name, the DNS name specified in the certificate is compared with the
DNS name that is configured for the network device in Cisco ISE.
– If SAN contains the IP address (and does not contain the DNS name), the IP address specified
in the certificate is compared with all the device IP addresses configured in Cisco ISE.
2. If the certificate does not contain SAN, subject CN is compared with the DNS name that is
configured for the network device in Cisco ISE. Cisco ISE fails the handshake in the case of
mismatch.
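As an added example, not Cisco ISE code, the function below applies the identity check sequence above to the identity fields of an already parsed client certificate. The ClientCertIdentity and NetworkDevice models, the case-insensitive DNS comparison, and the sample device and certificates are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Added example, not Cisco ISE code. Applies the RADIUS/DTLS client identity
# check order from the release notes to the identity fields of an already
# parsed client certificate. The field names and the NetworkDevice model are
# assumptions for this example; X.509 parsing itself is out of scope here.


@dataclass
class ClientCertIdentity:
    subject_cn: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)  # SAN dNSName entries
    san_ip: List[str] = field(default_factory=list)   # SAN iPAddress entries


@dataclass
class NetworkDevice:
    dns_name: Optional[str]      # DNS name configured for the device in ISE
    ip_addresses: List[str]      # all device IP addresses configured in ISE


def _dns_equal(a: str, b: str) -> bool:
    """Case-insensitive DNS name comparison, ignoring a trailing dot (assumed)."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def check_client_identity(cert: ClientCertIdentity, device: NetworkDevice,
                          is_default_device: bool = False) -> Tuple[bool, str]:
    """Return (ok, reason). ok is False wherever ISE would fail the DTLS handshake."""
    if is_default_device:
        # The notes say the check is skipped for the default devices, if configured.
        return True, "identity check skipped for default device"

    # Step 1a: SAN carries a DNS name -> compare against the configured DNS name only.
    if cert.san_dns:
        if device.dns_name and any(_dns_equal(n, device.dns_name) for n in cert.san_dns):
            return True, "SAN DNS name matches configured DNS name"
        return False, "no SAN DNS name matches configured DNS name"

    # Step 1b: SAN carries IP addresses but no DNS name -> compare with all device IPs.
    if cert.san_ip:
        configured = {ip_address(ip) for ip in device.ip_addresses}
        if any(ip_address(ip) in configured for ip in cert.san_ip):
            return True, "SAN IP address matches a configured device IP address"
        return False, "no SAN IP address matches a configured device IP address"

    # Step 2: no SAN -> compare the subject CN with the configured DNS name.
    if cert.subject_cn and device.dns_name and _dns_equal(cert.subject_cn, device.dns_name):
        return True, "subject CN matches configured DNS name"
    return False, "subject CN does not match configured DNS name"


if __name__ == "__main__":
    # Constructed sample device and certificates.
    switch = NetworkDevice(dns_name="sw1.example.test", ip_addresses=["10.1.1.5", "10.1.1.6"])
    samples = {
        "san dns ok": ClientCertIdentity(san_dns=["sw1.example.test"]),
        "san dns mismatch, ip ignored": ClientCertIdentity(san_dns=["sw9.example.test"],
                                                           san_ip=["10.1.1.5"]),
        "san ip only": ClientCertIdentity(san_ip=["10.1.1.6"]),
        "cn fallback": ClientCertIdentity(subject_cn="SW1.EXAMPLE.TEST"),
        "cn mismatch": ClientCertIdentity(subject_cn="sw2.example.test"),
    }
    for label, cert in samples.items():
        print(f"{label}: {check_client_identity(cert, switch)}")
```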

Read-only Administrator Support
Cisco ISE allows you to create read-only administrative users who can view the configurations on Cisco
ISE GUI, but cannot create, update, or delete data.

Reports Export Summary
You can view the summary of the reports that are exported by the users in the last 48 hours along with
the status.

Schedule Policy Export
Cisco ISE allows you to schedule authentication and authorization policy export. This can be scheduled
to run once, daily, weekly, or monthly.

Security Settings Page Enhancements
The following options are added in the Security Settings page (Administration > System > Settings >
Protocols > Security Settings):
• Allow TLS 1.0—Allows TLS 1.0 for communication with legacy peers for the following workflows:
– Cisco ISE is configured as EAP server
– Cisco ISE downloads CRL from HTTPS or secure LDAP server
– Cisco ISE is configured as secure syslog client
– Cisco ISE is configured as secure LDAP client

Note Allow TLS 1.0 option is disabled by default in Cisco ISE 2.3 and above. TLS 1.0 is not
supported for TLS based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) and 802.1X
supplicants when this option is disabled. If you want to use the TLS based EAP authentication
methods in TLS 1.0, check the Allow TLS 1.0 check box in the Security Settings page
(Administration > System > Settings > Protocols > Security Settings).

• Allow TLS 1.1—Allows TLS 1.1 for communication with legacy peers for the following workflows:
– Cisco ISE is configured as EAP server
– Cisco ISE downloads CRL from HTTPS or secure LDAP server
– Cisco ISE is configured as secure syslog client
– Cisco ISE is configured as secure LDAP client

Note Allow TLS 1.1 option is disabled by default in Cisco ISE 2.3 and above. TLS 1.1 is not
supported for TLS based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) and 802.1X
supplicants when this option is disabled. If you want to use the TLS based EAP authentication
methods in TLS 1.1, check the Allow TLS 1.1 check box in the Security Settings page
(Administration > System > Settings > Protocols > Security Settings).

• Allow SHA-1 ciphers—Allows SHA-1 ciphers for communication with legacy peers for the
following workflows:
– Cisco ISE is configured as EAP server
– Cisco ISE is configured as RADIUS DTLS server
– Cisco ISE is configured as RADIUS DTLS client
– Cisco ISE downloads CRL from HTTPS or secure LDAP server.
– Cisco ISE is configured as secure TCP syslog client.
– Cisco ISE is configured as secure LDAP client.
This option is enabled by default.

Note It is recommended to use SHA-256 or SHA-384 ciphers for enhanced security.

• Allow ECDHE-RSA ciphers—Allows ECDHE-RSA ciphers for communication with peers for the
following workflows:
– Cisco ISE is configured as EAP server
– Cisco ISE is configured as RADIUS DTLS server
– Cisco ISE is configured as RADIUS DTLS client
– Cisco ISE downloads CRL from HTTPS server
– Cisco ISE downloads CRL from secure LDAP server
– Cisco ISE is configured as secure TCP syslog client
– Cisco ISE is configured as secure LDAP client
It is recommended that you enable this option for enhanced security. This option is enabled by default.
• Allow 3DES ciphers—Allows 3DES ciphers for communication with peers for the following
workflows:
– Cisco ISE is configured as EAP server
– Cisco ISE is configured as RADIUS DTLS server
– Cisco ISE is configured as RADIUS DTLS client
– Cisco ISE downloads CRL from HTTPS server
– Cisco ISE downloads CRL from secure LDAP server
– Cisco ISE is configured as secure TCP syslog client
– Cisco ISE is configured as secure LDAP client
This option is enabled by default. Uncheck this check box for enhanced security.
• Accept certificates without validating purpose—When ISE acts as an EAP or RADIUS DTLS
server, client certificates are accepted without checking whether the Key Usage extension contains
the keyAgreement bit for ECDHE-ECDSA ciphers or the keyEncipherment bit for other ciphers. This
option is enabled by default.
• Allow DSS ciphers for ISE as a client—Allows DSS ciphers for communication with server for the
following workflows:
– Cisco ISE is configured as RADIUS DTLS client
– Cisco ISE downloads CRL from HTTPS server
– Cisco ISE downloads CRL from secure LDAP server
– Cisco ISE as secure TCP syslog client
– Cisco ISE as secure LDAP client
This option is enabled by default. Uncheck this check box for enhanced security.
• Allow legacy unsafe TLS renegotiation for ISE as a client—Allows communication with legacy TLS
servers that do not support safe TLS renegotiation for the following workflows:
– Cisco ISE downloads CRL from HTTPS server
– Cisco ISE downloads CRL from secure LDAP server
– Cisco ISE as secure TCP syslog client
– Cisco ISE as secure LDAP client

Support for Network Device with IPv6 Address
Cisco ISE allows you to configure the network devices with IPv4 or IPv6 address. You can also export
and import the network devices with IPv4 or IPv6 address.
You can also add IPv4 or IPv6 address for the Device IP address attribute in the conditions and rules
used in the authentication and authorization policies.

Support for Network Device IP Address Range with Exclude Option
Cisco ISE allows you to exclude an IP address or IP address ranges from the specified range of IP
addresses during authentication.
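The following Python matcher is an added example, not Cisco ISE code, and covers both the per-octet range syntax from "Network Device IP Address Range Support in all the Octets" and the exclude option described here. It assumes that an excluded range removes addresses from the included range, that a CIDR subnet is accepted alongside the hyphen and asterisk forms, and that a malformed spec is rejected the way the notes say the External REST interface rejects it; the sample ranges are constructed.

```python
import ipaddress
import re

# Added example, not Cisco ISE code. Models the network device IP range syntax
# from the release notes: each of the four octets may be a single value (n),
# a hyphenated range (a-b) or an asterisk (*). A CIDR subnet (a.b.c.d/n) is
# expanded to per-octet bounds. Excluded ranges use the same syntax; an IP in
# any exclude range is not matched (assumed semantics for this example).

_OCTET_RE = re.compile(r"^(?:\*|(\d{1,3})(?:-(\d{1,3}))?)$")


class InvalidRangeError(ValueError):
    """Raised for a malformed spec, where ISE would report a validation error."""


def parse_octet(spec: str) -> tuple:
    """Return (low, high) bounds for one octet spec: '*', 'n' or 'a-b'."""
    m = _OCTET_RE.match(spec)
    if not m:
        raise InvalidRangeError(f"bad octet {spec!r}")
    if spec == "*":
        return (0, 255)
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) is not None else low
    if not 0 <= low <= high <= 255:
        raise InvalidRangeError(f"octet range {spec!r} is reversed or exceeds 255")
    return (low, high)


def parse_range(spec: str) -> list:
    """Parse 'a.b.c.d', 'a.b.c.d/n' or a wildcard spec into four (low, high) pairs."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)  # ValueError if malformed
        if net.version != 4:
            raise InvalidRangeError("only IPv4 specs are handled in this example")
        lo, hi = net.network_address.packed, net.broadcast_address.packed
        # A CIDR block is exactly the cartesian product of its per-octet bounds.
        return [(lo[i], hi[i]) for i in range(4)]
    parts = spec.split(".")
    if len(parts) != 4:
        raise InvalidRangeError(f"expected four octets in {spec!r}")
    return [parse_octet(p) for p in parts]


def validate_spec(spec: str) -> bool:
    """True if the spec is well formed; False where ISE would reject it."""
    try:
        parse_range(spec)
    except ValueError:  # InvalidRangeError is a ValueError subclass
        return False
    return True


def _within(octets, bounds) -> bool:
    return all(lo <= o <= hi for o, (lo, hi) in zip(octets, bounds))


class NetworkDeviceRange:
    """One network device entry: an include range plus optional exclude ranges."""

    def __init__(self, include: str, exclude=()):
        self.include = parse_range(include)
        self.exclude = [parse_range(x) for x in exclude]

    def matches(self, ip: str) -> bool:
        """True if ip lies in the include range and in none of the excludes."""
        octets = list(ipaddress.IPv4Address(ip).packed)
        if not _within(octets, self.include):
            return False
        return not any(_within(octets, ex) for ex in self.exclude)


if __name__ == "__main__":
    # Constructed sample entry: hosts .1-.50 in 10.1.x.x through 10.3.x.x, minus 10.2.x.x.
    device = NetworkDeviceRange("10.1-3.*.1-50", exclude=["10.2.*.*"])
    for candidate in ("10.1.200.25", "10.2.0.10", "10.3.5.51", "10.4.0.1"):
        print(candidate, "->", device.matches(candidate))
    for spec in ("10.1.50-20.1", "10.1.2", "10.1.2.256", "*.*.*.*"):
        print(spec, "valid" if validate_spec(spec) else "validation error")
```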

Upgrade Enhancements
Cisco ISE offers an Upgrade Readiness Tool (URT) that you can run to detect and fix any data upgrade
issues before you start the upgrade process. Most upgrade failures occur because of data upgrade
issues. The URT validates the data before the upgrade to identify and report, or fix, the issues
wherever possible. The URT is available as a separate downloadable bundle that can be run on a
Secondary Policy Administration Node or Standalone Node. No downtime is needed to run this
tool.
See the Cisco Identity Services Engine Upgrade Guide, Release 2.3 for more information.

Wireless Setup
ISE Wireless Setup provides a very intuitive workflow to quickly set up common wireless use cases, such
as 802.1X, Guest, and BYOD. In just a few steps, the setup workflow configures both ISE and a Cisco
wireless controller for a working end-to-end flow.
Wireless Setup is supported only for new installations. The Wireless Setup menu does not appear if you
upgrade to Cisco ISE 2.2 from an earlier release or restore ISE from a backup.

Note ISE Wireless Setup is beta software - please do not use Wireless Setup in production networks.

Note The Wireless Setup feature is disabled by default in Cisco Identity Services Engine, Release 2.2
cumulative patch 2.

System Requirements
• Supported Hardware, page 9
• Supported Virtual Environments, page 11
• Supported Browsers, page 11
• Support for Microsoft Active Directory, page 11
• Supported Anti-Virus and Anti-Malware Products, page 11
• Supported Cipher Suites, page 12

Note For more details on Cisco ISE hardware platforms and installation, see the Cisco Identity Services
Engine Hardware Installation Guide, Release 2.3.

Supported Hardware
Cisco ISE software is packaged with your appliance or image for installation. Cisco ISE, Release 2.3 is
shipped on the following platforms. After installation, you can configure Cisco ISE with specified
component personas (Administration, Policy Service, Monitoring, and pxGrid) on the platforms that are
listed in Table 1.

Table 1 Supported Hardware and Personas

Hardware Platform: Cisco SNS-3415-K9 (small), Cisco SNS-3495-K9 (large)
Persona: Any
Configuration: See the Cisco Identity Services Engine Hardware Installation Guide for the appliance
hardware specifications.

Hardware Platform: Cisco SNS-3515-K9 (small), Cisco SNS-3595-K9 (large)
Persona: Any
Configuration: See the Cisco Identity Services Engine Hardware Installation Guide for the appliance
hardware specifications.

Hardware Platform: Cisco ISE-VM-K9 (VMware, Linux KVM, Microsoft Hyper-V)
Configuration:
• For CPU and memory recommendations, refer to the “VMware Appliance Sizing Recommendations”
section in the Cisco Identity Services Engine Hardware Installation Guide, Release 2.3 [1]
• For hard disk size recommendations, refer to the “Disk Space Requirements” section in the Cisco
Identity Services Engine Hardware Installation Guide, Release 2.3.
• NIC—1 GB NIC interface required. You can install up to 6 NICs.
• Supported virtual machine versions include:
– ESXi 5.x (5.1 U2 and later support RHEL 7), 6.x
– Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later
– KVM on RHEL 7.0 and Ubuntu 14.04 LTS
Note If you are installing or upgrading Cisco ISE on an ESXi 5.x server, to support RHEL 7 as the
Guest OS, update the VMware hardware version to 9 or later. RHEL 7 is supported with VMware
hardware version 9 and later.

[1] Memory allocation of less than 8 GB is not supported for any VM appliance configuration. In the event of a Cisco ISE
behavior issue, all users will be required to change allocated memory to at least 8 GB before opening a case with the Cisco
Technical Assistance Center.

Note Legacy ACS and NAC appliances (including the Cisco ISE 3300 series) are not supported with Cisco
ISE, Release 2.0 and later releases.

FIPS Mode Support
Cisco ISE uses an embedded FIPS 140-2 validated cryptographic module, Cisco FIPS Object Module
Version 6.0 (Certificate #2505). For details of the FIPS compliance claims, see the FIPS Compliance
Letter.

Supported Virtual Environments
Cisco ISE supports the following virtual environment platforms:
• VMware ESXi 5.x (5.1 U2 and later support RHEL 7), 6.x
• Microsoft Hyper-V on Microsoft Windows Server 2012 R2 and later
• KVM on:
– RHEL 7.0
– Ubuntu 14.04 LTS

Note If you are installing or upgrading Cisco ISE on an ESXi 5.x server, to support RHEL 7 as the Guest OS,
update the VMware hardware version to 9 or later. RHEL 7 is supported with VMware hardware version
9 and later.

Supported Browsers
Supported browsers for the Admin portal include:
• Mozilla Firefox version:
– 52.1.2 ESR
– 53.0.3 and above
• Google Chrome latest version
• Microsoft Internet Explorer 10.x and 11.x
If you are using Internet Explorer 10.x, enable TLS 1.1 and TLS 1.2, and disable SSL 3.0 and TLS
1.0 (Internet Options > Advanced).

Support for Microsoft Active Directory
Cisco ISE, Release 2.3 works with Microsoft Active Directory servers 2003, 2003 R2, 2008, 2008 R2,
2012, 2012 R2, and 2016 at all functional levels.

Note Microsoft has ended support for Windows Server 2003 and 2003 R2. We recommend that you upgrade
Windows Server to a supported version.

Microsoft Active Directory version 2000 or its functional level is not supported by Cisco ISE.
Cisco ISE 2.3 supports Multi-Forest/Multi-Domain integration with Active Directory infrastructures to
support authentication and attribute collection across large enterprise networks. Cisco ISE 2.3 supports
up to 50 domain join points.

Supported Anti-Virus and Anti-Malware Products
For more information on the products supported by the ISE posture agent, see the Cisco AnyConnect
ISE Posture Support Charts in the following link:
https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html

Supported Cipher Suites
Cisco ISE 2.3 supports TLS versions 1.0, 1.1, and 1.2. Cisco ISE supports RSA and ECDSA server
certificates. Cisco ISE supports the following elliptic curves:
• secp256r1
• secp384r1
• secp521r1
The following table lists the supported Cipher Suites for Cisco ISE 2.3.

Table 2 Supported Cipher Suites

The "ISE as server" column covers Cisco ISE configured as EAP server and as RADIUS DTLS server. The
"ISE as client" column covers Cisco ISE downloading a CRL from HTTPS, downloading a CRL from LDAPS,
and configured as secure TCP syslog client, secure LDAP client, and RADIUS DTLS client for CoA.

Cipher suite                    ISE as server                         ISE as client
TLS 1.0 support                 When TLS 1.0 is allowed               When TLS 1.0 is allowed
                                (DTLS server supports only DTLS 1.2)  (DTLS client supports only DTLS 1.2)
TLS 1.1 support                 When TLS 1.1 is allowed               When TLS 1.1 is allowed

Note The Allow TLS 1.0 and Allow TLS 1.1 options are disabled by default in Cisco ISE 2.3 and above.
When an option is disabled, that TLS version is not supported for TLS based EAP authentication methods
(EAP-TLS, EAP-FAST/TLS) and 802.1X supplicants. If you want to use the TLS based EAP authentication
methods in TLS 1.0 or TLS 1.1, check the corresponding check box in the Security Settings page
(Administration > System > Settings > Protocols > Security Settings).

ECC DSA ciphers
ECDHE-ECDSA-AES256-GCM-SHA384   Yes                                   Yes
ECDHE-ECDSA-AES128-GCM-SHA256   Yes                                   Yes
ECDHE-ECDSA-AES256-SHA384       Yes                                   Yes
ECDHE-ECDSA-AES128-SHA256       Yes                                   Yes
ECDHE-ECDSA-AES256-SHA          When SHA-1 is allowed                 When SHA-1 is allowed
ECDHE-ECDSA-AES128-SHA          When SHA-1 is allowed                 When SHA-1 is allowed
ECC RSA ciphers
ECDHE-RSA-AES256-GCM-SHA384     When ECDHE-RSA is allowed             When ECDHE-RSA is allowed
ECDHE-RSA-AES128-GCM-SHA256     When ECDHE-RSA is allowed             When ECDHE-RSA is allowed
ECDHE-RSA-AES256-SHA384         When ECDHE-RSA is allowed             When ECDHE-RSA is allowed
ECDHE-RSA-AES128-SHA256         When ECDHE-RSA is allowed             When ECDHE-RSA is allowed
ECDHE-RSA-AES256-SHA            When ECDHE-RSA/SHA-1 is allowed       When ECDHE-RSA/SHA-1 is allowed
ECDHE-RSA-AES128-SHA            When ECDHE-RSA/SHA-1 is allowed       When ECDHE-RSA/SHA-1 is allowed
DHE RSA ciphers
DHE-RSA-AES256-SHA256           No                                    Yes
DHE-RSA-AES128-SHA256           No                                    Yes
DHE-RSA-AES256-SHA              No                                    When SHA-1 is allowed
DHE-RSA-AES128-SHA              No                                    When SHA-1 is allowed
RSA ciphers
AES256-SHA256                   Yes                                   Yes
AES128-SHA256                   Yes                                   Yes
AES256-SHA                      When SHA-1 is allowed                 When SHA-1 is allowed
AES128-SHA                      When SHA-1 is allowed                 When SHA-1 is allowed
3DES ciphers
DES-CBC3-SHA                    When 3DES/SHA-1 is allowed            When 3DES/DSS and SHA-1 are enabled
DSS ciphers
DHE-DSS-AES256-SHA              No                                    When 3DES/DSS and SHA-1 are enabled
DHE-DSS-AES128-SHA              No                                    When 3DES/DSS and SHA-1 are enabled
EDH-DSS-DES-CBC3-SHA            No                                    When 3DES/DSS and SHA-1 are enabled
Weak RC4 ciphers
RC4-SHA                         When “Allow weak ciphers” option is   No
                                enabled in the Allowed Protocols page
                                and when SHA-1 is allowed
RC4-MD5                         When “Allow weak ciphers” option is   No
                                enabled in the Allowed Protocols page
EAP-FAST anonymous provisioning only
ADH-AES-128-SHA                 Yes                                   No

Peer certificate restrictions
Validate KeyUsage (ISE as server): Client certificate should have KeyUsage=Key Agreement and
ExtendedKeyUsage=Client Authentication for the following ciphers:
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-ECDSA-AES128-SHA256
• ECDHE-ECDSA-AES256-SHA384
Validate ExtendedKeyUsage (ISE as server): Client certificate should have KeyUsage=Key Encipherment and
ExtendedKeyUsage=Client Authentication for the following ciphers:
• AES256-SHA256
• AES128-SHA256
• AES256-SHA
• AES128-SHA
• DHE-RSA-AES128-SHA
• DHE-RSA-AES256-SHA
• DHE-RSA-AES128-SHA256
• DHE-RSA-AES256-SHA256
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-RSA-AES256-SHA384
• ECDHE-RSA-AES128-SHA256
• ECDHE-RSA-AES256-SHA
• ECDHE-RSA-AES128-SHA
• EDH-RSA-DES-CBC3-SHA
• DES-CBC3-SHA
• RC4-SHA
• RC4-MD5
Validate ExtendedKeyUsage (ISE as client): Server certificate should have ExtendedKeyUsage=Server
Authentication.

Installing Cisco ISE Software
To install Cisco ISE, Release 2.3 software on Cisco SNS-3415, SNS-3495, SNS-3515, and SNS-3595
hardware platforms, turn on the new appliance and configure the Cisco Integrated Management
Controller (CIMC). You can then install Cisco ISE, Release 2.3 over a network using CIMC or a bootable
USB.

Note When using virtual machines (VMs), we recommend that the guest VMs have the correct time set using
an NTP server before installing the .ISO image or OVA file on the VMs.

Perform Cisco ISE initial configuration according to the instructions in the Cisco Identity Services
Engine Hardware Installation Guide, Release 2.3. Before you run the setup program, ensure that you
know the configuration parameters listed in Table 3.

Table 3 Cisco ISE Network Setup Configuration Parameters

Prompt: Hostname
Description: Must not exceed 19 characters. Valid characters include alphanumerical characters
(A–Z, a–z, 0–9) and the hyphen (-). The first character must be a letter.
Example: isebeta1

Prompt: (eth0) Ethernet interface address
Description: Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface.
Example: 10.12.13.14

Prompt: Netmask
Description: Must be a valid IPv4 netmask.
Example: 255.255.255.0

Prompt: Default gateway
Description: Must be a valid IPv4 address for the default gateway.
Example: 10.12.13.1

Prompt: DNS domain name
Description: Cannot be an IP address. Valid characters include ASCII characters, any numerals, the
hyphen (-), and the period (.).
Example: mycompany.com

Prompt: Primary name server
Description: Must be a valid IPv4 address for the primary name server.
Example: 10.15.20.25

Prompt: Add/Edit another name server
Description: (Optional) Allows you to configure multiple name servers. Must be a valid IPv4 address for
an additional name server.
Example: Enter y to add an additional name server or n to configure the next parameter.

Prompt: Primary NTP server
Description: Must be a valid IPv4 address or hostname of a Network Time Protocol (NTP) server.
Example: clock.nist.gov

Prompt: Add/Edit another NTP server
Description: (Optional) Allows you to configure multiple NTP servers. Must be a valid IPv4 address or
hostname.
Example: Enter y to add an additional NTP server or n to configure the next parameter.

Prompt: System Time Zone
Description: Must be a valid time zone. For details, see Cisco Identity Services CLI Reference Guide,
Release 2.3, which provides a list of time zones that Cisco ISE supports. For example, for Pacific
Standard Time (PST), the System Time Zone is PST8PDT (or UTC-8 hours). The time zones referenced
are the most frequently used time zones. You can run the show timezones command from the Cisco ISE
CLI for a complete list of supported time zones.
Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This setting ensures that the
reports, logs, and posture agent log files from the various nodes in the deployment are always
synchronized with the time stamps.
Example: UTC (default)

Prompt: Username
Description: Identifies the administrative username used for CLI access to the Cisco ISE system. If you
choose not to use the default (admin), you must create a new username. The username must be three
to eight characters in length and composed of valid alphanumeric characters (A–Z, a–z, or 0–9).
Example: admin (default)

Prompt: Password
Description: Identifies the administrative password that is used for CLI access to the Cisco ISE system.
You must create this password (there is no default). The password must be a minimum of six characters
in length and include at least one lowercase letter (a–z), one uppercase letter (A–Z), and one numeral
(0–9).
Example: MyIseYPass2

Note For additional information on configuring and managing Cisco ISE, see Release-Specific Document,
page 41.

Upgrading to Release 2.3
You can directly upgrade to Release 2.3 from the following Cisco ISE releases:
• 2.0
• 2.0.1
• 2.1
• 2.2
If you are on a version earlier than Cisco ISE, Release 2.0, you must first upgrade to one of the releases
listed above and then upgrade to Release 2.3.
You can upgrade to Release 2.3 from the GUI or the CLI.

Supported Operating System for Virtual Machines
Release 2.3 supports Red Hat Enterprise Linux (RHEL) 7.0.
If you are upgrading Cisco ISE nodes on VMware virtual machines, after you upgrade, ensure that you
change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power
down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change.

Upgrade Considerations and Requirements

New Policy Model


All network access policies and policy sets, including authentication, authorization, and exceptions, have
now been consolidated under the improved Policy Sets area, which can be accessed from Policy > Policy Sets.
Each policy set is a container defined at the top level of the policy hierarchy, under which all relevant
Authentication and Authorization policy and policy exception rules for that set are configured.
Multiple rules can be defined for both authentication and authorization, all based on conditions.
Conditions and additional related configurations can now also be easily accessed and reused directly
from the new Policy Set interface. The order in which the policy sets are matched is determined by the
order in which they appear in the new interface: evaluation begins at the first row of the Policy Set table
and continues until a match is found. If no match is found, the system default policy set is used. The same
logic is used to match and select the correct authentication and then the correct authorization rules,
beginning from the top of each table and checking each rule until a match is found. The default rule is
used if no other rule is matched.
The new policy model represents all policies that could also have been added in previous versions by
using the old user interface, but offers a much simpler and improved interface from which you can
logically manage network access.

Standalone Authentication and Authorization Policy Changes


The standalone authentication rules from ISE 2.2 and earlier versions are converted to the new policy
model. There are two separate scenarios, based on the allowed protocols that are assigned to the
authentication rules.
1. If all the “outer parts” in the system are assigned the same allowed protocol, including the default
part, then all original authentication rules are converted to ISE 2.3 as follows:
• All the “outer parts” are converted to a single policy set in the new policy model. The new policy
set is called Default; on the Policy Set level, no conditions are defined and the uniform Allowed
Protocol is assigned. All inner parts are converted to rules as part of the authentication policy
within the new Default policy set.
The following table demonstrates the conversion for an old set of standalone authentication rules
that use the same allowed protocol (Scenario 1). In the table, each line has the following format:
Name (Condition/Results)
For example, for Authentication outer part 1 (Outer Condition/Allowed Protocol A):
– Name—Authentication outer part 1
– Condition—Outer Condition
– Results—Allowed Protocol A


Table 4 Standalone Authentication Policies Using Same Allowed Protocol

Before Cisco ISE 2.3 - Default Authentication:
  Authentication outer part 1 (Outer Condition 1/Allowed Protocol A)
    Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
    Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
    Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
    Authentication inner 1 Default (No conditions/Identity Store B)
  Authentication outer part 2 (Outer Condition 2/Allowed Protocol A)
    Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
    Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
    Authentication inner part 2.3 (Inner Condition 2.3/Identity Store A)
    Authentication inner 2 Default (No conditions/Identity Store B)
  Authentication outer part 3 (Outer Condition 3/Allowed Protocol A)
    Authentication inner 3 Default (No conditions/Identity Store B)
  Default Authentication Outer Part (No conditions/Allowed Protocol A/Default Identity Store)
  Exception 1
  Authorization Rule 1
  Authorization Rule 2

After Upgrade to Cisco ISE 2.3 - Policy Sets:
  Default (No conditions/Allowed Protocol A)
    Authentication Policy (container)
      Authentication outer part 1 - Authentication inner part 1.1 (Outer Condition 1 + Inner Condition 1.1/Identity Store A)
      Authentication outer part 1 - Authentication inner part 1.2 (Outer Condition 1 + Inner Condition 1.2/Identity Store A)
      Authentication outer part 1 - Authentication inner part 1.3 (Outer Condition 1 + Inner Condition 1.3/Identity Store A)
      Authentication outer part 1 - Authentication inner 1 Default (Outer Condition 1/Identity Store B)
      Authentication outer part 2 - Authentication inner part 2.1 (Outer Condition 2 + Inner Condition 2.1/Identity Store A)
      Authentication outer part 2 - Authentication inner part 2.2 (Outer Condition 2 + Inner Condition 2.2/Identity Store A)
      Authentication outer part 2 - Authentication inner part 2.3 (Outer Condition 2 + Inner Condition 2.3/Identity Store A)
      Authentication outer part 2 - Authentication inner 2 Default (Outer Condition 2/Identity Store B)
      Authentication outer part 3 - Authentication inner 3 Default (Outer Condition 3/Identity Store B)
      Default Authentication Outer Part (No conditions/Default Identity Store)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2

2. If at least one of the “outer parts” in the system is assigned a different allowed protocol than the
others, including the default part, then all original authentication rules are converted to 2.3 as
follows:


• Each of the “outer parts” is converted to a separate policy set in the new policy model. The new
policy set is named after the original outer part for that specific new set. On the Policy Set level
for each policy set, the original outer part conditions and the Allowed Protocol are assigned. All
inner parts for each outer part are converted to authentication rules, one to one, as part of the
authentication policy within their new policy set.
The following table demonstrates the conversion for an old set of standalone authentication rules
that use different allowed protocols (Scenario 2). In the table, each line has the following format:
Name (Condition/Results)
For example, for Authentication outer part 1 (Outer Condition/Allowed Protocol A):
– Name—Authentication outer part 1
– Condition—Outer Condition
– Results—Allowed Protocol A


Table 5 Standalone Authentication Policies Using Different Allowed Protocols

Before Cisco ISE 2.3 - Default Authentication:
  Authentication outer part 1 (Outer Condition 1/Allowed Protocol A)
    Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
    Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
    Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
    Authentication inner 1 Default (No conditions/Identity Store B)
  Authentication outer part 2 (Outer Condition 2/Allowed Protocol B)
    Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
    Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
    Authentication inner part 2.3 (Inner Condition 2.3/Identity Store A)
    Authentication inner 2 Default (No conditions/Identity Store B)
  Authentication outer part 3 (Outer Condition 3/Allowed Protocol C)
    Authentication inner 3 Default (No conditions/Identity Store B)
  Default Authentication Outer Part (No conditions/Allowed Protocol A/Identity Store C)
  Exception 1
  Authorization Rule 1
  Authorization Rule 2

After Upgrade to Cisco ISE 2.3 - Policy Sets:
  Default Authentication outer part 1 (Outer condition 1/Allowed Protocol A)
    Authentication Policy (container)
      Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
      Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
      Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
      Authentication inner 1 Default (No conditions/Identity Store B)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
  Default Authentication outer part 2 (Outer Condition 2/Allowed Protocol B)
    Authentication Policy (container)
      Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
      Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
      Authentication inner part 2.3 (Inner Condition 2.3/Identity Store A)
      Authentication inner 2 Default (No conditions/Identity Store B)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
  Default Authentication outer part 3 (Outer Condition 3/Allowed Protocol C)
    Authentication Policy (container)
      Authentication inner 3 Default (No conditions/Identity Store B)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
  Default (No conditions/Allowed Protocol A)
    Authentication Policy (container)
      Default Authentication Rule (No conditions/Identity Store C)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2


Policy Set Changes


When you upgrade to ISE 2.3 from a previous version, the new policy sets appear differently from the
older ISE versions, as described here; however, the behavior remains exactly the same.
The policies from ISE 2.2 and earlier versions are converted to the new policy model. There are two
separate scenarios, based on the allowed protocols that are assigned to the authentication rules.
1. If all the “outer parts” in a single policy set are assigned the same allowed protocol, all original
policy sets are converted to ISE 2.3 as follows:
• All the “outer parts” are converted to a single policy set in the new policy model. The new policy
set has the same name as the original policy set. For example, if the policy set was named
“All Employees” in the old model, it is called “All Employees” in the new model as well.
The following table demonstrates the conversion for an old policy set that contains authentication
rules which use the same allowed protocol (Scenario 1). In the table, each line has the following
format:
Name (Condition/Results)
For example, for Authentication outer part 1 (Outer Condition/Allowed Protocol A):
– Name—Authentication outer part 1
– Condition—Outer Condition
– Results—Allowed Protocol A


Table 6 Conversion of Policy Sets Using Same Allowed Protocol

Old policy set from Cisco ISE 2.2 or earlier:
  Policy Set A (Condition A/No results)
    Authentication outer part 1 (Outer Condition 1/Allowed Protocol A)
      Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
      Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
      Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
      Authentication inner 1 Default (No conditions/Identity Store B)
    Authentication outer part 2 (Outer Condition 2/Allowed Protocol A)
      Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
      Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
      Authentication inner part 2.3 (Inner Condition 2.3/Identity Store A)
      Authentication inner 2 Default (No conditions/Identity Store B)
    Authentication outer part 3 (Outer Condition 3/Allowed Protocol A)
      Authentication inner 3 Default (No conditions/Identity Store B)
    Default Authentication Outer Part (No conditions/Allowed Protocol A/Identity Store C)
    Exception 1
    Authorization Rule 1
    Authorization Rule 2

New policy sets after upgrade to Cisco ISE 2.3:
  Policy Set A (Condition A/Allowed Protocol A)
    Authentication Policy (container)
      Authentication outer part 1 - Authentication inner part 1.1 (Outer Condition 1 + Inner Condition 1.1/Identity Store A)
      Authentication outer part 1 - Authentication inner part 1.2 (Outer Condition 1 + Inner Condition 1.2/Identity Store A)
      Authentication outer part 1 - Authentication inner part 1.3 (Outer Condition 1 + Inner Condition 1.3/Identity Store A)
      Authentication outer part 1 - Authentication inner 1 Default (Outer Condition 1/Identity Store B)
      Authentication outer part 2 - Authentication inner part 2.1 (Outer Condition 2 + Inner Condition 2.1/Identity Store A)
      Authentication outer part 2 - Authentication inner part 2.2 (Outer Condition 2 + Inner Condition 2.2/Identity Store A)
      Authentication outer part 2 - Authentication inner part 2.3 (Outer Condition 2 + Inner Condition 2.3/Identity Store A)
      Authentication outer part 2 - Authentication inner 2 Default (Outer Condition 2/Identity Store B)
      Authentication outer part 3 - Authentication inner 3 Default (Outer Condition 3/Identity Store B)
      Default Authentication Outer Part (No conditions/Identity Store C)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2

• The newly upgraded policy set contains a list of authentication rules that are converted by combining
the outer and inner conditions from the original policy set. Each new authentication rule that is
created during conversion is named after the old outer part, with the inner part name as a suffix. For
example, as in the table above, if the old policy set is called "Policy Set A," one of its authentication
"outer parts" is called Outer Part 1, and one of its authentication "inner parts" is called Inner Part 1,
then the newly created authentication rule is called "Outer Part 1 – Inner Part 1" within Policy Set A.
In the same manner, if the old policy set is called "All Employees", one of its authentication "outer
parts" is called London, and one of its authentication "inner parts" is called Wired MAB, then the newly
created authentication rule is called "London – Wired MAB" within the “All Employees” policy set. The
Default outer part for the authentication policy is converted as the default authentication rule. The
system default policy rule appears as the last rule in the entire authentication table, regardless of the
other rules that were created or converted, and this rule cannot be moved or deleted.
• The conditions defined on the outer part (based on which the authentication rules are matched) are
combined with the inner part conditions (which indicate the identity store to be used for
authentication). The new combined conditions are configured in a single authentication rule within
the policy set in the new model. A new individual rule within the policy set is created for each
separate outer part of the old policy set.
2. When two or more allowed protocols are selected for the “outer parts” in a policy set, all
original policy sets are converted to ISE 2.3 as follows:
• Each “outer part” of each authentication rule within the old policy set is converted to a new, separate
policy set in the new model. This new policy set places the “conditions” from the same original
“outer part” under the Authentication Policy section in the new policy model.
The following table demonstrates the conversion for an old policy set from ISE 2.2 and earlier
versions to ISE 2.3 (Scenario 2):


Old policy set from Cisco ISE 2.2 or earlier:
  Policy Set A (Condition A/No results)
    Authentication outer part 1 (Outer Condition 1/Allowed Protocol A)
      Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
      Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
      Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
      Authentication inner 1 Default (No conditions/Identity Store B)
    Authentication outer part 2 (Outer Condition 2/Allowed Protocol A)
      Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
      Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
      Authentication inner 2 Default (No conditions/Identity Store B)
    Authentication outer part 3 (Outer Condition 3/Allowed Protocol A)
      Authentication inner 3 Default (No conditions/Identity Store B)
    Default Authentication Outer Part (No conditions/Allowed Protocol A/Identity Store C)
    Exception 1
    Authorization Rule 1
    Authorization Rule 2

New policy sets after upgrade to Cisco ISE 2.3:
  Policy Set A - Authentication outer part 1 (Condition A + Outer condition 1/Allowed Protocol A)
    Authentication Policy (container)
      Authentication inner part 1.1 (Inner Condition 1.1/Identity Store A)
      Authentication inner part 1.2 (Inner Condition 1.2/Identity Store A)
      Authentication inner part 1.3 (Inner Condition 1.3/Identity Store A)
      Authentication inner 1 Default (No conditions/Identity Store B)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
  Policy Set A - Authentication outer part 2 (Condition A + Outer condition 2/Allowed Protocol B)
    Authentication Policy (container)
      Authentication inner part 2.1 (Inner Condition 2.1/Identity Store A)
      Authentication inner part 2.2 (Inner Condition 2.2/Identity Store A)
      Authentication inner 2 Default (No conditions/Identity Store B)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
  Policy Set A - Default Authentication outer part 3 (Condition A + Outer Condition 3/Allowed Protocol C)
    Authentication Policy (container)
      Authentication inner 3 Default (No conditions/Identity Store B)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2
  Policy Set A - Default (Condition A/Allowed Protocol A)
    Authentication Policy (container)
      Default Authentication Rule (No conditions/Identity Store C)
    Exception 1
    Authorization Policy (container)
      Authorization Rule 1
      Authorization Rule 2


• Each new policy set that is created during conversion is named based on the name of the old policy
set from which it was extracted with the suffix including the outer part name. For example, as in the
table above, if the old policy set is called “Policy Set A” and one of its authentication “outer parts”
is called Outer Part 1, then the newly created policy set is called “Policy Set A – Outer Part 1.” In
the same manner, if the old policy set is called “London” and one of its authentication “outer parts”
is called Wired MAB, then the newly created policy set is called “London – Wired MAB.”
The Default outer part for each old policy set is also converted to a new policy set just as are all the
other outer parts, for example “London – Default”. The system default policy set appears as the last
policy set in the entire table, regardless of the other policy sets that were created or converted, and
cannot be moved or deleted.
• The conditions defined on the top level of the old policy set are combined with the outer
authentication part conditions, designed to select the correct allowed protocol. The new combined
conditions are configured in the top level rule for each new policy set in the new model. A new
individual policy set is created for each outer part of each old policy set.

Authorization Rule/Exception Changes


Authorization rules, as well as global and local exceptions, are also maintained from within the policy
sets now. All authorization rules and exceptions within the old policy set are applied to all of the new
policy sets resulting from the authentication policy rule conversion as well. The authorization policy
changes are applicable for all the policy sets that are upgraded, regardless of the allowed protocols
configured on the outer parts.

Policy Sets Evaluation


The policy sets in the new interface are checked for matches according to the order in which they appear
in the Policy Set table. For example, if the old “London” policy set has three outer parts with different
statuses before conversion, and the old “New York” set contains only the Default outer part, then the
table in the new Policy Set interface shows the new policy sets and the system default policy set in the
following order:

Policy Set Name
London – Wired MAB
London – Wireless MAB
London – Default
New York – Default
Default

If the first two sets don’t match, then the system checks “London – Default”. If “London – Default” does
not match, then the system checks “New York – Default”. The system only uses “Default” as the policy
if “New York – Default” also does not match.
The same logic is used to match and select the correct authentication and then the correct authorization
rules, beginning from the top of each table and checking each rule until a match is found. The default
rule is used if no other rule is matched.


Status of the Newly Converted Policy Sets


While converting policy sets that use different Allowed Protocols for the authentication rules, the
statuses of the newly converted policy sets are determined based on the status of old policy sets and the
status of the “outer part” of the old policy sets, as follows:

Status of Old Policy Set   Status of “Outer Part” of Old Policy Set   Status of New Policy Set
Disable                    Disable                                    Disable
Disable                    Monitor                                    Disable
Disable                    Enable                                     Disable
Monitor                    Disable                                    Disable
Monitor                    Monitor                                    Monitor
Monitor                    Enable                                     Monitor
Enable                     Disable                                    Disable
Enable                     Monitor                                    Monitor
Enable                     Enable                                     Enable

Status of the Newly Converted Authentication Rules


While converting policy sets that use the same Allowed Protocol for the authentication rules, the status of
the newly converted authentication rule is determined based on the status of the "outer part" of the old
authentication rule and the status of the “inner part” of the corresponding old authentication rule, as
follows:

Status of "Outer Part" of Old   Status of “Inner Part” of Corresponding   Status of the Converted
Authentication Rule             Old Authentication Rule                    Authentication Rule
Disable                         Disable                                    Disable
Disable                         Monitor                                    Disable
Disable                         Enable                                     Disable
Monitor                         Disable                                    Disable
Monitor                         Monitor                                    Monitor
Monitor                         Enable                                     Monitor
Enable                          Disable                                    Disable
Enable                          Monitor                                    Monitor
Enable                          Enable                                     Enable
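The conversion rules from the “Policy Set Changes”, “Authorization Rule/Exception Changes” and the two status sections above, brought together in an added Python model so that the post-upgrade layout of a policy set (names, combined conditions, allowed protocols, statuses) can be previewed and reviewed before the upgrade. This is example code, not Cisco’s migration logic or an ISE API. The data classes, the “ + ” join used to render combined conditions, the hyphenated names (as in the tables above) and the sample “Policy Set A” are this example’s own assumptions; the status of a rule converted under Scenario 2 is not specified on the page and is kept unchanged here as an assumption.

```python
"""Preview of the ISE 2.2 -> 2.3 policy set conversion (added model, not Cisco code)."""
from dataclasses import dataclass
from typing import List, Optional

STATUS_RANK = {"Disable": 0, "Monitor": 1, "Enable": 2}


def converted_status(parent: str, child: str) -> str:
    """Both status tables above reduce to one rule: the converted object gets
    the weaker of the two statuses (Disable < Monitor < Enable)."""
    return min(parent, child, key=STATUS_RANK.__getitem__)


def combine(*conditions: Optional[str]) -> Optional[str]:
    """Join condition labels; None stands for 'No conditions' (assumed rendering)."""
    parts = [c for c in conditions if c]
    return " + ".join(parts) if parts else None


@dataclass
class InnerPart:
    name: str
    condition: Optional[str]      # None for an inner Default
    identity_store: str
    status: str = "Enable"


@dataclass
class OuterPart:
    name: str
    condition: Optional[str]      # None for the Default outer part
    allowed_protocol: str
    inner_parts: List[InnerPart]
    status: str = "Enable"


@dataclass
class OldPolicySet:
    name: str
    condition: Optional[str]
    outer_parts: List[OuterPart]  # Default outer part listed last
    exceptions: List[str]
    authorization_rules: List[str]
    status: str = "Enable"


@dataclass
class NewRule:
    name: str
    condition: Optional[str]
    identity_store: str
    status: str


@dataclass
class NewPolicySet:
    name: str
    condition: Optional[str]
    allowed_protocol: str
    status: str
    authentication: List[NewRule]
    exceptions: List[str]         # copied into every converted set
    authorization_rules: List[str]


def convert(old: OldPolicySet) -> List[NewPolicySet]:
    protocols = {o.allowed_protocol for o in old.outer_parts}
    if len(protocols) == 1:
        # Scenario 1: one set with the old name; outer + inner conditions merged
        # into one rule per inner part; the Default outer part becomes the default rule.
        rules = [
            NewRule(outer.name if outer.condition is None else f"{outer.name} - {inner.name}",
                    combine(outer.condition, inner.condition), inner.identity_store,
                    converted_status(outer.status, inner.status))
            for outer in old.outer_parts for inner in outer.inner_parts
        ]
        return [NewPolicySet(old.name, old.condition, protocols.pop(), old.status,
                             rules, list(old.exceptions), list(old.authorization_rules))]
    # Scenario 2: one set per outer part, named "<old set> - <outer part>" (or "- Default");
    # set-level condition = old set condition + outer condition; set status per the first table.
    new_sets = []
    for outer in old.outer_parts:
        suffix = "Default" if outer.condition is None else outer.name
        rules = [NewRule(i.name, i.condition, i.identity_store, i.status)  # rule status: assumed unchanged
                 for i in outer.inner_parts]
        new_sets.append(NewPolicySet(f"{old.name} - {suffix}", combine(old.condition, outer.condition),
                                     outer.allowed_protocol, converted_status(old.status, outer.status),
                                     rules, list(old.exceptions), list(old.authorization_rules)))
    return new_sets


def sample_policy_set(second_protocol: str = "Allowed Protocol A") -> OldPolicySet:
    """Constructed 'Policy Set A' modelled on the tables above; pass a different
    protocol for outer part 2 to trigger Scenario 2."""
    return OldPolicySet(
        "Policy Set A", "Condition A",
        [OuterPart("Authentication outer part 1", "Outer Condition 1", "Allowed Protocol A",
                   [InnerPart("Authentication inner part 1.1", "Inner Condition 1.1", "Identity Store A"),
                    InnerPart("Authentication inner 1 Default", None, "Identity Store B")]),
         OuterPart("Authentication outer part 2", "Outer Condition 2", second_protocol,
                   [InnerPart("Authentication inner 2 Default", None, "Identity Store B", "Monitor")]),
         OuterPart("Default Authentication Outer Part", None, "Allowed Protocol A",
                   [InnerPart("Default Authentication Rule", None, "Identity Store C")])],
        ["Exception 1"], ["Authorization Rule 1", "Authorization Rule 2"], status="Monitor")


if __name__ == "__main__":
    for ps in convert(sample_policy_set("Allowed Protocol B")):
        print(ps.name, ps.condition, ps.allowed_protocol, ps.status, [r.name for r in ps.authentication])
```

Feeding a real export of the old policy sets into `convert` gives the expected post-upgrade table to compare against the converted deployment; any converted set or rule that comes out as Monitor or Disable is worth a second look, since a weaker status on either the old set or its outer part propagates to the result.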


Prepare for Upgrade


Before you start the upgrade process, ensure that you perform the following tasks:
• Change the VMware virtual machine guest operating system and settings
• Open firewall ports for communication
• Back up configuration and operational data
• Back up system logs
• Check the validity of certificates
• Export certificates and private keys
• Disable PAN automatic failover and backup schedules before upgrade
• Ensure that the NTP server is configured correctly and is reachable
• Record the profiler configuration
• Obtain Active Directory and internal administrator account credentials
• Activate the MDM vendor before upgrade
• Create a repository and copy the upgrade bundle
• Check the load balancer configuration
Refer to the Cisco ISE Upgrade Guide, Release 2.3 for a list of pre- and post-upgrade tasks.

Cisco Secure ACS to Cisco ISE Migration


You can directly migrate to Cisco ISE, Release 2.3 only from Cisco Secure ACS, Release 4.2 and 5.5 or
later. See Cisco Identity Services Engine Migration Tool Guide for more information.
You cannot migrate to Release 2.3 from Cisco Secure ACS 5.1, 5.2, 5.3, 5.4, 4.1, or earlier versions, or
from Cisco Network Admission Control (NAC) Appliance. From Cisco Secure ACS, Releases 4.1, 5.1,
5.2, 5.3, or 5.4, you must upgrade to a supported version, and then migrate to Cisco ISE, Release 2.3.

Note If you are installing Cisco ISE, Release 2.3 on Cisco SNS-3500 series appliances with ACS PIDs (Cisco
SNS-3515-ACS-K9 and Cisco SNS-3595-ACS-K9), you must update the BIOS and CIMC firmware on
the hardware appliance before you install Cisco ISE, Release 2.3. Refer to the Cisco Identity Services
Engine Hardware Installation Guide for information on how to update the BIOS and CIMC firmware.

Known Limitations

Policy Hits Displayed in Policy Sets


The total hits counter that is displayed at the top of the policy set is updated whenever Cisco ISE receives
interim accounting updates. However, the authentication and authorization policy hit counters are not
refreshed based on interim accounting updates. Hence, you might see some difference between the total
hits displayed in the policy set summary and the total number of authentication and authorization
policies displayed in the Authentication Policy and Authorization Policy sections.


ECDSA Certificates
• ECDSA certificates that are used for EAP authentication are supported only for the endpoints with
Android version 6.x and later.
• Cisco ISE supports ECDSA certificates with key length 256 and 384 only. You can select the key
length in Administration > System > Certificates > Certificate Management > System
Certificates page.

Cisco Temporal Agent


We recommend that you run the Cisco Temporal Agent within two minutes of downloading the agent
from the Client Provisioning Portal; otherwise, you might encounter the “Posture Failed Due to Server
Issues” error message.

Reverse DNS Lookup Configuration


Configure reverse DNS lookup for all Cisco ISE nodes in your distributed deployment on the DNS
server(s). Otherwise, you may run into deployment-related issues after upgrade (the “ISE Indexing Engine”
status turns to “not running”). If reverse DNS is not configured, the secondary PAN cannot join the
primary PAN to form a cluster for the ISE Indexing Engine (an error is displayed in the VCS pages), and
the ise-elasticsearch.log file on the secondary PAN includes the SSL exception “No subject alternative
name present”.
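A pre-upgrade check for the reverse DNS requirement above, as an added Python example (not Cisco code): for every node FQDN it resolves the forward addresses, resolves each address back to a name, and reports nodes whose PTR record is missing or points at a different name. The lookup functions default to the system resolver but are injectable, so the sample run below uses a constructed zone with made-up `example.test` names and RFC 1918 addresses rather than live DNS.

```python
"""Forward/reverse DNS consistency check for ISE node FQDNs (added example)."""
import socket
from typing import Callable, Dict, List


def system_forward(fqdn: str) -> List[str]:
    """A/AAAA lookup via the OS resolver; raises socket.gaierror on failure."""
    return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None)})


def system_reverse(ip: str) -> str:
    """PTR lookup via the OS resolver; raises socket.herror when no PTR exists."""
    return socket.gethostbyaddr(ip)[0]


def check_nodes(nodes: List[str],
                forward: Callable[[str], List[str]] = system_forward,
                reverse: Callable[[str], str] = system_reverse) -> Dict[str, List[str]]:
    """Return {fqdn: [problems]}; an empty list means forward and reverse agree."""
    report: Dict[str, List[str]] = {}
    for fqdn in nodes:
        issues: List[str] = []
        try:
            addrs = forward(fqdn)
        except OSError as exc:                 # gaierror is an OSError subclass
            report[fqdn] = [f"forward lookup failed: {exc}"]
            continue
        if not addrs:
            issues.append("no address records")
        for ip in addrs:
            try:
                name = reverse(ip)
            except OSError:                    # herror is an OSError subclass
                issues.append(f"{ip}: no PTR record")
                continue
            if name.rstrip(".").lower() != fqdn.rstrip(".").lower():
                issues.append(f"{ip}: PTR points at {name}, expected {fqdn}")
        report[fqdn] = issues
    return report


def failing_nodes(report: Dict[str, List[str]]) -> List[str]:
    """Node names that need a DNS fix before the upgrade."""
    return sorted(fqdn for fqdn, issues in report.items() if issues)


# Constructed sample zone for the offline demonstration (not real hosts):
# pan1 is consistent, pan2 has no PTR, psn1 has a PTR pointing at another name.
SAMPLE_A = {"ise-pan1.example.test": ["10.0.0.11"],
            "ise-pan2.example.test": ["10.0.0.12"],
            "ise-psn1.example.test": ["10.0.0.21"]}
SAMPLE_PTR = {"10.0.0.11": "ise-pan1.example.test",
              "10.0.0.21": "other.example.test"}


def fake_forward(fqdn: str) -> List[str]:
    if fqdn not in SAMPLE_A:
        raise socket.gaierror(f"unknown host {fqdn}")
    return SAMPLE_A[fqdn]


def fake_reverse(ip: str) -> str:
    if ip not in SAMPLE_PTR:
        raise socket.herror(f"no PTR for {ip}")
    return SAMPLE_PTR[ip]


def demo() -> Dict[str, List[str]]:
    return check_nodes(list(SAMPLE_A), fake_forward, fake_reverse)


if __name__ == "__main__":
    for fqdn, issues in demo().items():
        print(fqdn, "OK" if not issues else "; ".join(issues))
```

Run against the real node list with the default resolver functions before starting the upgrade; the comparison is case-insensitive and ignores a trailing dot, since a PTR target that differs only in case or trailing dot is still the same name.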

Features Not Supported in Cisco ISE, Release 2.3


• IPN / iPEP configuration is not supported with Cisco ISE, Release 2.0 and later.
• You cannot access the Operations menu from the primary Monitoring node in Cisco ISE, Release
2.1 and later; it appears only in the Primary Administration Node (PAN).

Cisco ISE License Information


Cisco ISE licensing provides the ability to manage the application features and access, such as the
number of concurrent endpoints that can use Cisco ISE network resources.
All Cisco ISE appliances are supplied with a 90-day Evaluation license. To continue to use Cisco ISE
services after the 90-day Evaluation license expires, and to support more than 100 concurrent endpoints
on the network, you must obtain and register Base licenses for the number of concurrent users on your
system. If you require additional functionality, you will need Plus and/or Apex licenses to enable that
functionality.
Cisco ISE, Release 2.3, supports licenses with two UIDs. You can obtain a license based on the UIDs of
both the primary and secondary Administration nodes.
For more detailed information on license types and obtaining licenses for Cisco ISE, see the “Cisco ISE
Licenses” chapter in the Cisco Identity Services Engine Administration Guide, Release 2.3.
For more information on Cisco ISE, Release 2.3 licenses, see the Cisco Identity Services Engine Data
Sheet.


Cisco Identity Services Engine Ordering Guide is available at:
http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Deployment Terminology, Node Types, and Personas


Cisco ISE provides a scalable architecture that supports both standalone and distributed deployments.
Table 7 Cisco ISE Deployment Terminology

Term               Description
Service            Specific feature that a persona provides, such as network access, profiler, posture,
                   security group access, and monitoring.
Node               Individual instance that runs the Cisco ISE software. Cisco ISE is available as an
                   appliance and also as software that can be run on a VMware server. Each instance
                   (either running on a Cisco ISE appliance or on a VMware server) that runs the Cisco ISE
                   software is called a node.
Persona            Determines the services provided by a node. A Cisco ISE node can assume any or all of
                   the following personas: Administration, Policy Service, Monitoring, and pxGrid.
Deployment Model   Determines if your deployment is a standalone, high availability in standalone (a basic
                   two-node deployment), or distributed deployment.

Types of Nodes and Personas


A Cisco ISE network has the following types of nodes:
• Cisco ISE node, which can assume any of the following personas:
– Administration—Allows you to perform all administrative operations for Cisco ISE. It handles
all system-related configurations related to functionality such as authentication, authorization,
auditing, and so on. In a distributed environment, you can have one or a maximum of two nodes
running the Administration persona and configured as a primary and secondary pair. If the
primary Administration node goes down, you have to manually promote the secondary
Administration node. There is no automatic failover for the Administration persona.
– Policy Service—Provides network access, posturing, BYOD device onboarding (native
supplicant and certificate provisioning), guest access, and profiling services. This persona
evaluates the policies and makes all the decisions. You can have more than one node assuming
this persona. Typically, there is more than one Policy Service persona in a distributed
deployment. All Policy Service personas that reside behind a load balancer can be grouped
together to form a node group. If one of the nodes in a node group fails, the other nodes in that
group process the requests of the node that has failed, thereby providing high availability.

Note SXP service must be enabled on a dedicated node.

– Monitoring—Enables Cisco ISE to function as a log collector and store log messages from all
the Administration and Policy Service personas on the Cisco ISE nodes in your network. This
persona provides advanced monitoring and troubleshooting tools that you can use to effectively
manage your network and resources. A node with this persona aggregates and correlates the data
that it collects to provide meaningful reports. Cisco ISE allows a maximum of two nodes with this
persona that can assume primary or secondary roles for high availability. Both the primary and
secondary Monitoring personas collect log messages. In case the primary Monitoring persona goes
down, the secondary Monitoring persona automatically assumes the role of the primary Monitoring
persona.

Note At least one node in your distributed setup should assume the Monitoring persona. It is
recommended that the Monitoring persona be on a separate, designated node for higher
performance in terms of data collection and reporting.

– pxGrid—Cisco pxGrid is a method for network and security devices to share data with other
devices through a secure publish and subscribe mechanism. These services are applicable for
applications that are used external to ISE and that interface with pxGrid. The pxGrid services
can share contextual information across the network to identify the policies and to share
common policy objects. This extends the policy management.

Table 8 Recommended Number of Nodes and Personas in a Distributed Deployment

Node / Persona   Minimum Number in a Deployment   Maximum Number in a Deployment
Administration   1                                2 (Configured as a high-availability pair)
Monitor          1                                2 (Configured as a high-availability pair)
Policy Service   1                                • 2—when the Administration/Monitoring/Policy Service
                                                    personas are on the same primary/secondary appliances
                                                  • 5—when the Administration and Monitoring personas are
                                                    on the same appliance
                                                  • 40—when each persona is on a dedicated appliance
pxGrid           0                                2 (Configured as a high-availability pair)

You can change the persona of a node. See the “Set Up Cisco ISE in a Distributed Environment” chapter
in the Cisco Identity Services Engine Administrator Guide, Release 2.3 for information on how to
configure personas on Cisco ISE nodes.

Requirements for CA to Interoperate with Cisco ISE


While using a CA server with Cisco ISE, make sure that the following requirements are met:
• The key size should be 1024, 2048, or higher. On the CA server, the key size is defined in the
certificate template. On Cisco ISE, you define the key size in the supplicant profile.
• The Key Usage extension should allow both signing and encryption.
• When GetCACapabilities is used through the SCEP protocol, the CA must support the
cryptographic algorithm and request hash that are used. RSA + SHA1 is recommended.

• Online Certificate Status Protocol (OCSP) is supported. OCSP is not used directly in BYOD, but a
CA that can act as an OCSP server can be used for certificate revocation checking.

Note EJBCA 4.x is not supported by Cisco ISE for proxy SCEP. EJBCA is supported by Cisco ISE
for standard EAP authentication methods such as PEAP and EAP-TLS.

• If you use an enterprise PKI to issue certificates for Apple iOS devices, ensure that you configure
key usage in the SCEP template and enable the “Key Encipherment” option. For example, if you use
a Microsoft CA, edit the Key Usage Extension in the certificate template. In the Encryption area, click
the Allow key exchange only with key encryption (key encipherment) radio button and also
check the Allow encryption of user data check box.
• Cisco ISE supports the RSASSA-PSS algorithm for trusted certificates and endpoint
certificates used in EAP-TLS authentication. When you view such a certificate, the signature algorithm is
listed as the OID 1.2.840.113549.1.1.10 instead of the algorithm name.
However, if you use the Cisco ISE internal CA for the BYOD flow, the Admin certificate must not be
signed with the RSASSA-PSS algorithm (by an external CA). The Cisco ISE internal CA cannot verify
an Admin certificate that is signed with this algorithm, and the request fails.
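The key-size, Key Usage and RSASSA-PSS requirements above can be checked on a certificate before it is imported into Cisco ISE or used in a supplicant profile. The following POSIX shell script is an added example, not part of these release notes and not Cisco ISE code. It assumes only that the openssl command-line tool is installed; it builds two constructed self-signed RSA-2048 test certificates (one with digitalSignature and keyEncipherment, one with digitalSignature only), then reports which of the listed requirements each certificate fails. The work directory, subject names and function names are assumptions.

```shell
#!/bin/sh
# Added example (not Cisco's code): check a PEM certificate against the CA
# requirements listed above, using only the openssl CLI.
# Assumptions: openssl is on PATH; work directory and subject names are constructed.

WORK="${TMPDIR:-/tmp}/ise-cert-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_test_cert NAME KEYUSAGE: constructed self-signed RSA-2048 certificate whose
# Key Usage extension is KEYUSAGE (e.g. "digitalSignature, keyEncipherment").
make_test_cert() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = constructed-$1
[ext]
keyUsage = critical, $2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# cert_key_bits CERT: public key size in bits (matches OpenSSL 1.1.1 and 3.x output).
cert_key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_key_usage CERT: the line after the "X509v3 Key Usage" header, for example
# "Digital Signature, Key Encipherment" (empty when the extension is absent).
cert_key_usage() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# cert_sig_alg CERT: signature algorithm as printed by openssl (name or OID).
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# check_cert CERT: prints every unmet requirement; returns 0 only when all are met.
check_cert() {
  _bits=$(cert_key_bits "$1")
  _usage=$(cert_key_usage "$1")
  _sig=$(cert_sig_alg "$1")
  _rc=0
  if [ -z "$_bits" ] || [ "$_bits" -lt 1024 ]; then
    echo "  FAIL key size ${_bits:-unknown}: must be 1024, 2048 or higher"; _rc=1
  fi
  case "$_usage" in *"Digital Signature"*) ;; *)
    echo "  FAIL Key Usage lacks digitalSignature (signing)"; _rc=1 ;; esac
  case "$_usage" in *"Key Encipherment"*) ;; *)
    echo "  FAIL Key Usage lacks keyEncipherment (encryption; needed for iOS SCEP)"; _rc=1 ;; esac
  # RSASSA-PSS (OID 1.2.840.113549.1.1.10) is accepted for EAP-TLS certificates, but the
  # internal CA cannot verify an Admin certificate signed with it in the BYOD flow.
  case "$_sig" in *rsassaPss*|*1.2.840.113549.1.1.10*)
    echo "  NOTE signed with RSASSA-PSS: not usable as the Admin certificate with the internal CA for BYOD" ;; esac
  return $_rc
}

make_test_cert good "digitalSignature, keyEncipherment"
make_test_cert weak "digitalSignature"
GOOD_CERT="$WORK/good.pem"
WEAK_CERT="$WORK/weak.pem"

for c in "$GOOD_CERT" "$WEAK_CERT"; do
  echo "$c ($(cert_key_bits "$c")-bit, $(cert_sig_alg "$c")):"
  if check_cert "$c"; then echo "  OK meets the listed requirements"; fi
done
```

Run the script with a real certificate by calling `check_cert /path/to/cert.pem` after the functions are defined; the `weak` certificate above shows the failure mode the Apple iOS bullet warns about (keyEncipherment missing from the template), and the RSASSA-PSS note is only informational because the algorithm is acceptable for EAP-TLS endpoint and trusted certificates.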

Cisco ISE Installation Files, Updates, and Client Resources


There are three ways to download the resources used to provision clients and provide policy services in Cisco ISE:
• Cisco ISE Downloads from the Download Software Center, page 31
• Cisco ISE Live Updates, page 32
• Cisco ISE Offline Updates, page 33

Cisco ISE Downloads from the Download Software Center


In addition to the .ISO installation package required to perform a fresh installation of Cisco ISE as
described in Installing Cisco ISE Software, page 15, you can use the Download Software web page to
retrieve other Cisco ISE software elements, such as Windows and Mac OS X agent installers and AV/AS
compliance modules.
Downloaded agent files can be used for manual installation on a supported endpoint or with
third-party software distribution packages for mass deployment.

To access the Cisco Download Software center and download the necessary software:

Step 1 Go to the Download Software web page at
http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login
credentials.
Step 2 Choose Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco
Identity Services Engine Software.
The following Cisco ISE installers and software packages are available for download:
• Cisco ISE installer .ISO image
• Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants

• Windows client machine agent installation files (including MST and MSI versions for manual
provisioning)
• Mac OS X client machine agent installation files
• AnyConnect agent installation files
• AV/AS compliance modules
Step 3 Click Download or Add to Cart.

Cisco ISE Live Updates


Cisco ISE Live Update locations allow you to automatically download Supplicant Provisioning Wizard,
Cisco NAC Agent for Windows and Mac OS X, AV/AS support (Compliance Module), and agent
installer packages that support client provisioning and posture policy services. These live update portals
should be configured in Cisco ISE upon initial deployment to retrieve the latest client provisioning and
posture software directly from Cisco.com to the Cisco ISE appliance.

Prerequisite:
If the default Update Feed URL is not reachable and your network requires a proxy server, you must
configure the proxy settings in Administration > System > Settings > Proxy before you access the Live
Update locations. Note that enabling proxy settings to reach the profiler and posture/client provisioning
feeds also breaks access to the MDM server, because Cisco ISE cannot bypass the proxy for MDM
communication. To resolve this, configure the proxy service to allow communication to the MDM servers.
For more information on proxy settings, see the “Specify Proxy Settings in Cisco ISE” section in the
“Administer Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.3.

Client Provisioning and Posture Live Update portals:


• Client Provisioning portal—https://www.cisco.com/web/secure/pmbu/provisioning-update.xml
The following software elements are available at this URL:
– Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants
– Windows versions of the latest Cisco ISE persistent and temporal agents
– Mac OS X versions of the latest Cisco ISE persistent agents
– ActiveX and Java Applet installer helpers
– AV/AS compliance module files
For more information on automatically downloading the software packages that become available at
this portal to Cisco ISE, see the “Download Client Provisioning Resources Automatically” section
in the “Configure Client Provisioning” chapter in the Cisco Identity Services Engine Administrator
Guide, Release 2.3.
• Posture portal—https://www.cisco.com/web/secure/pmbu/posture-update.xml
The following software elements are available at this URL:
– Cisco predefined checks and rules
– Windows and Mac OS X AV/AS support charts
– Cisco ISE operating system support

For more information on automatically downloading the software packages that become available at
this portal to Cisco ISE, see the “Download Posture Updates Automatically” section in the
“Configure Client Posture Policies” chapter in the Cisco Identity Services Engine Administrator
Guide, Release 2.3.
If you do not want to enable the automatic download capabilities described above, you can choose to
download updates offline (see Cisco ISE Offline Updates, page 33).

Cisco ISE Offline Updates


Cisco ISE offline updates allow you to manually download Supplicant Provisioning Wizard, agent,
AV/AS support, compliance modules, and agent installer packages that support client provisioning and
posture policy services. This option allows you to upload client provisioning and posture updates when
direct Internet access to Cisco.com from a Cisco ISE appliance is not available or not permitted by a
security policy.
Offline updates are also available for the Profiler Feed Service. For more information, see the “Configure
Profiler Feed Services Offline” section in the Cisco Identity Services Engine Administrator Guide.

To upload offline client provisioning resources:

Step 1 Go to the Download Software web page at
http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login
credentials.
Step 2 Choose Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco
Identity Services Engine Software.
The following Off-Line Installation Packages are available for download:
• win_spw-<version>-isebundle.zip — Off-Line SPW Installation Package for Windows
• mac-spw-<version>.zip — Off-Line SPW Installation Package for Mac OS X
• compliancemodule-<version>-isebundle.zip — Off-Line Compliance Module Installation Package
• macagent-<version>-isebundle.zip — Off-Line Mac Agent Installation Package
• nacagent-<version>-isebundle.zip — Off-Line NAC Agent Installation Package
• webagent-<version>-isebundle.zip — Off-Line Web Agent Installation Package
Step 3 Click Download or Add to Cart.

For more information on adding the downloaded installation packages to Cisco ISE, refer to the “Add
Client Provisioning Resources from a Local Machine” section in the “Configure Client Provisioning”
chapter in the Cisco Identity Services Engine Administrator Guide, Release 2.3.
You can update the checks, operating system information, and antivirus and antispyware support charts
for Windows and Macintosh operating systems offline, from an archive on your local system, using
posture updates.
For offline updates, ensure that the versions of the archive files match the version in the
configuration file. Use offline posture updates when you have already configured Cisco ISE and want to
enable dynamic updates for the posture policy service.

To upload offline posture updates:

Step 1 Go to https://www.cisco.com/web/secure/pmbu/posture-offline.html.
Save the posture-offline.zip file to your local system. This file is used to update the operating system
information, checks, rules, and antivirus and antispyware support charts for Windows and Macintosh
operating systems.
Step 2 Launch the Cisco ISE administrator user interface and choose Administration > System > Settings >
Posture.
Step 3 Click the arrow to view the settings for posture.
Step 4 Choose Updates.
The Posture Updates page appears.
Step 5 Choose the Offline option.
Step 6 Click Browse to locate the archive file (posture-offline.zip) from the local folder on your system.

Note The File to Update field is a required field. You can select only a single archive file (.zip) that
contains the appropriate files. Archive formats other than .zip (such as .tar and .gz) are not allowed.

Step 7 Click the Update Now button.

Using the Bug Search Tool


You can use the Bug Search Tool to view the list of outstanding and resolved bugs in a release. This
section explains how to use the Bug Search Tool to search for a specific bug or to search for all the bugs
in a specified release.

Step 1 Go to https://tools.cisco.com/bugsearch/search.
Step 2 Enter your registered Cisco.com username and password, and then click Log In.
The Bug Toolkit page opens.

Note If you do not have a Cisco.com username and password, you can register for them at
http://tools.cisco.com/RPF/register/register.do.

Step 3 To search for a specific bug, enter the bug ID in the Search For field and press Enter.
Step 4 To search for bugs in the current release:
a. Click the Select from List link.
The Select Product page is displayed.
b. Choose Security > Access Control and Policy > Cisco Identity Services Engine (ISE) 3300
Series Appliances.
c. Click OK.

d. When the search results are displayed, use the filter tools to find the types of bugs you are looking
for. You can search for bugs based on different criteria, such as status, severity, or modified date.
Click the Export Results to Excel link in the Search Results page to export all the bug details from your
search to an Excel spreadsheet. Presently, up to 10,000 bugs can be exported at a time to the Excel
spreadsheet.

Cisco ISE, Release 2.3.0.298 Patch Updates


This section provides information on patches that were made available after the initial availability of the
Cisco ISE 2.3 release. Patches are cumulative: any patch version also includes all fixes delivered in the
preceding patch versions. Cisco ISE version 2.3.0.298 was the initial version of the Cisco ISE 2.3
release. After you install a patch, the version information is shown on the Settings > About Identity
Services Engine page in the Cisco ISE GUI and from the CLI in the format “2.3.0.298 patch N”, where N
is the patch number.

Note Within the bug database, issues resolved in a patch have a version number with different nomenclature
in the format “2.3(0.9NN)”, where NN is also the patch number, displayed as two digits. For example,
version “2.3.0.298 patch 1” corresponds to the version “2.3(0.901)” in the bug database.

Note We recommend that you clear your browser cache after you install a patch on Cisco ISE, Release 2.3.

The following patch releases apply to Cisco ISE release 2.3:

• Resolved Issues in Cisco ISE Version 2.3.0.298—Cumulative Patch 1, page 35
• Known Issues in Cisco ISE Version 2.3.0.298—Cumulative Patch 1, page 37

Resolved Issues in Cisco ISE Version 2.3.0.298—Cumulative Patch 1

Note We have recalled ISE 2.3 Patch 1 due to an issue we found after posting. An updated patch file has been
reposted, and the new file name is ise-patchbundle-2.3.0.298-Patch1-221754.SPA.x86_64.tar.gz. If you
already installed the previously posted patch, you MUST uninstall that patch, and install the new one.

Table 9 lists the issues that are resolved in Cisco Identity Services Engine, Release 2.3 cumulative
patch 1. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.3, log in to the
Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you
might be required to provide your Cisco.com login credentials), navigate to Security > Access Control
and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy
of the patch file to your local machine.
Patch 1 might not work with older versions of the SPW. Mac users need to upgrade their SPW to
MacOsXSPWizard 2.1.0.42 or later, and Windows users need to upgrade their SPW to WinSPWizard
2.1.0.51 or later.
Then refer to the “Installing a Software Patch” section of the “Administer Cisco ISE” chapter of the
Cisco Identity Services Engine Administrator Guide, Release 2.3, for instructions on how to apply the
patch to your system.

Table 9 Cisco ISE Patch Version 2.3.0.298-Patch 1 Resolved Caveats

Caveat Description
CSCvd79546 Some log categories are not displayed in the Logging Categories page after upgrade.

Workaround Perform a full synchronization between the PPAN and SPAN before
upgrade.
CSCve82240 A comma is appended to the Sponsor's email address configured in the sponsor
portal.

Workaround Modify the email field manually and delete the comma.
CSCve84667 The Machine Access Restriction (MAR) cache distributed search is active despite
the node group being disabled for MAR cache distribution.
CSCve87511 Cisco ISE fails to support social login if the proxy server is configured.
CSCve99612 An error is reported in the Portal Settings and Customization page.
CSCvf22318 ElasticSearch and database shard errors occur on the Endpoints Context
Visibility page.
CSCvf22676 Live logs occasionally do not show the actual authorization policy that is evaluated
when a policy is renamed.
CSCvf22827 LDAP Test Binding message does not include information about subjects, groups,
and response time.
CSCvf24580 RADIUS authentication report: RADIUS records are not filtered correctly with
“Today” and “Yesterday” options.
CSCvf24878 Unable to use different encryption keys when modifying scheduled backup.
CSCvf32212 Add a link to Social Login identity source in the Overview page of Guest Access
work center.
CSCvf33792 The guest flow diagram appears correctly on screens with lower resolution only
when the Portal Settings section is closed.
CSCvf34219 IPv6 TACACS+ authentication communicates only via port 49 in upgraded setup.
CSCvf34315 ISE 2.3 Guest Social login does not require AUP acceptance.
CSCvf36007 Allow Access only on these Days and Times option does not work for Social Login
flow after first login.
CSCvf36016 If Self-registration option is disabled and Social login with registration form option
is enabled, the registration form may not appear in the Portal Page Customization
tab.
CSCvf36031 Enhancements to social login for self-registered guests.
CSCvf37931 An overlap error occurs while editing network devices with multiple IPv6 addresses.
CSCvf41048 Policy sets do not reflect any changes made to the endpoint or user identity group
names.
CSCvf41249 Cannot fetch LDAP Groups and Attributes from UI unless issuing Test Binding
when Secure LDAP is configured using AD schema.
CSCvf42061 An “Exception: all shards failed” error is reported on the Endpoints Context
Visibility page.

CSCvf42554 The Context Visibility tab occasionally fails to display the page when navigating
between tabs.
CSCvf44080 Prevent database corruption affecting order of policy sets or policy rules in a table.
CSCvf44272 ISE 2.2 Patch 2 core files should not be written to root partition.
Delete core files from the root directory.
CSCvf44549 In the Conditions Studio page, the scroll bar cannot be dragged to view the saved
conditions specified in a policy rule.
CSCvf44658 Policy Information Points (PIP) Identity Store returns incorrect attribute value after
AD is renamed.
CSCvf47157 Renamed identity stores are not reflected in referenced policies.
CSCvf47170 Policy processing occasionally fails to hit the correct policy set.
CSCvf47316 Fix for Entry Definition Framework (EDF) memory leak upon rollback.
CSCvf53116 The Upgrade Readiness Tool for upgrading from ISE 2.1/2.2 to 2.3 fails with the
ORA-32004: obsolete or deprecated parameter(s) error.
CSCvf55764 Few attribute validations fail in policy conditions.
CSCvf69018 Issue with reverse lookup when nodes are registered to Cisco ISE after applying ISE
2.2 Patch 1.
CSCvf75225 PAN runs high CPU due to 100K limit in the Redis server.
CSCvf87844 Filtering of endpoints in the Context Visibility page occasionally does not display
existing endpoints.
CSCvg19509 Log rotation of the syslog (/var/log/messages) fails occasionally and leads to the /var
partition filling up.

Workaround Contact TAC to clean the disk if an alarm is triggered.

Known Issues in Cisco ISE Version 2.3.0.298—Cumulative Patch 1


Conditions Studio Editor After Upgrade to ISE 2.3
When you create conditions using the Conditions Studio editor after upgrade, you can click the Attribute
Value drop-down list or click the icon next to the Attribute Value text box to choose the required
attribute. If the Attribute Value drop-down list is not displayed, you must use the mouse or trackpad,
scroll up to the top of the page, and click the Attribute Value text box.

Cisco ISE, Release 2.3 Open Caveats


The following table lists the caveats that are open in Release 2.3.

Table 10 Cisco ISE Release 2.3 Open Caveats

Caveat Description
CSCvf21215 If an extra interface is added to an ISE node on which Threat Centric NAC service is
enabled, the RabbitMQ service does not start when the services are restarted.
CSCvf02262 TLS messages are not included in ISE 2.3 Secure Communication Audit report.
CSCvf05516 Wireless LAN Controller (WLC) version 7.x and below does not redirect HTTPS
traffic during Facebook guest authentication.
CSCvf21586 Corrupted text is seen in some ISE menus in the Chrome browser.
CSCvf22676 Live logs are not showing the actual authorization policy that is evaluated when a
policy is renamed. (Resolved in ISE 2.3 Patch 1)
CSCvf28836 Irrelevant message displayed on AnyConnect agent when AnyConnect Temporal
agent starts system scan.
CSCvf29467 Results column is hidden in the Client Provisioning Policy page when multiple
policies are edited at the same time.
CSCvf32212 Add a link to Social Login identity source in the Overview page of Guest Access work
center. (Resolved in ISE 2.3 Patch 1)
CSCvf41249 Cannot fetch LDAP Groups and Attributes from UI unless issuing Test Binding when
Secure LDAP is configured using AD schema. (Resolved in ISE 2.3 Patch 1)
CSCvf22827 LDAP Test Binding message doesn't include information about subjects, groups, and
response time. (Resolved in ISE 2.3 Patch 1)
CSCvf32298 The counter displayed in the Sponsor portal Manage Accounts tab and the username
fields are not updated simultaneously when a self-registered user is created.
CSCvf32394 Global default SMS Service Provider option is always re-selected if the other
attributes are updated in the Self-registered guest portal.
CSCvf33475 When a Configuration backup and an Operational backup are taken at the same time from
different browsers, they take too long to complete.
CSCvf33792 The guest flow diagram is displayed properly on screens with smaller resolution only
when the Portal Settings section is closed. (Resolved in ISE 2.3 Patch 1)
CSCvf34219 IPv6 TACACS+ authentication is not working on any other port apart from port 49 in
upgraded setup. (Resolved in ISE 2.3 Patch 1)
CSCvf34315 ISE 2.3 Guest Social login does not require AUP acceptance.
CSCvf35162 Hostname/IP and port number details are not included in the LDAP Test Bind message in
ISE 2.3.
CSCvf36016 If Self-registration option is disabled and Social login with registration form option
is enabled, the registration form is missing in Portal Page Customization tab.
(Resolved in ISE 2.3 Patch 1)
CSCvf37416 When RADIUS authentication report is exported, RADIUS Status column in CSV file
shows 1 for passed authentications and 0 for failed authentications.
CSCvf34216 Not able to select Work Centers > Guest Access > Identity Groups option after
opening the Authentication Detail report from the Live Logs page.
CSCvf24037 File Name column in Backup and Restore table is not sorted correctly.
CSCvf10863 Guest reports do not include the social media ID, user first/last name, and hyperlink to
cross-launch Facebook.

CSCvf36007 Allow Access only on these Days and Times option does not work for Social Login
flow after first login. (Resolved in ISE 2.3 Patch 1)
CSCvf31074 AD group name is not displayed in the TACACS+ detailed report.
CSCvf37338 AnyConnect temporal agent is not included in Policy elements > Results > Client
provisioning > Resources page after upgrading to ISE 2.3.
CSCvf33702 AccountCreate request fails with "401 Unauthorized" error if Authorization header is
specified.
CSCvf37763 Authorization policy is not correctly displayed in Live sessions/Live logs page after
COA.
CSCvf37931 Overlap error is thrown while editing a network device having more than one IPv6
address. (Resolved in ISE 2.3 Patch 1)
CSCvf39420 Adding a custom field to Sponsor portal throws error.
CSCvf32824 Offline status should be displayed in red with bold font for pxGrid services.
CSCvf22109 When you access the ISE GUI for the very first time, the cursor is not displayed in the
ISE login username field in the Chrome browser if the ISE certificate is not trusted.

Workaround
• Open a new browser tab and re-type the ISE URL.
• Use a trusted certificate for the connection.

CSCvd73072 The following error might occur in the Client Provisioning page while downloading
the Cisco Temporal Agent:
Your device does not comply with the network’s security guidelines and
has limited connectivity.
This might be due to one of the following reasons:
• The client cancels the download of the Cisco Temporal Agent.
• The client is moved to the noncompliant state because the configured timer for client
remediation has expired.

Workaround Clear the session in the WLC/ISE GUI to download the Cisco Temporal Agent.
CSCvd38467 When an iPhone is upgraded to 10.3.x, the EAP-TLS flow does not work as expected.
Profile installation fails and displays the following error message:
Profile Installation Failed
The server certificate for
“https://<ISE-FQDN-or-IP>:<ISE-web-portal-port>/auth/OTAMobileConfig?...”

Workaround If the ISE root certificate is shown as untrusted on Apple iDevices, go to General >
About > Certificate Trust Settings and manually set trust for the ISE root certificate.

Note This happens only when the PSNs use certificates that the device does not trust. It is
recommended to deploy well-known certificates to your PSNs to prevent installation failure.

Documentation Updates
Table 11 Updates to Release Notes for Cisco Identity Services Engine, Release 2.3

Date Description
10/19/2017 Added Resolved Issues in Cisco ISE Version 2.3.0.298—Cumulative Patch 1 and
Known Issues in Cisco ISE Version 2.3.0.298—Cumulative Patch 1.

Resolved Caveats
Table 12 Cisco ISE Release 2.3 Resolved Caveats

Caveat Description
CSCvc74300 /var/log/secure file size is increasing rapidly.
CSCvc74307 /var/cache/logwatch temp files are not removed.
CSCvc86247 High CPU usage caused by infinite loop threads on PSN.
CSCve73657 If the default condition in authentication inner policy is set to a value other than
DenyAccess, the default value gets reverted to DenyAccess after restart.
CSCvc83519 When an ISE node is rebooted, TC-NAC containers in the ISE node are not able to
communicate with Internet or other hosts.
CSCvc87853 SNMP process stops and restarts by itself after continuous snmpwalk queries.
CSCvd49843 Native Supplicant Profile with external CA/SCEP fails when ISE Internal CA is
disabled.
CSCvd61267 /var/log/messages log rotation does not work when creating a new messages log file after
log rotation.
CSCve51586 pxGrid stuck in initialization state if IP access restriction is configured.
CSCve77317 ISE 2.1 to 2.3 upgrade failed with “UPS upgrade handler failed” message.
CSCvf00883 pxGrid authorization denied and also takes 20 minutes to start working after primary
pxGrid node is down.

Related Documentation

Release-Specific Document
General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user
documentation is available on Cisco.com at
http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.

The Cisco Identity Services Engine Ordering Guide is available at
http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Platform-Specific Documents
Links to other platform-specific documentation are available at the following locations:
• Cisco UCS C-Series Servers
http://www.cisco.com/en/US/docs/unified_computing/ucs/overview/guide/UCS_rack_roadmap.html

• Cisco Secure ACS
http://www.cisco.com/c/en/us/support/security/secure-access-control-system/tsd-products-support-series-home.html
• Cisco NAC Appliance
http://www.cisco.com/c/en/us/support/security/nac-appliance-clean-access/tsd-products-support-series-home.html
• Cisco NAC Profiler
http://www.cisco.com/c/en/us/support/security/nac-profiler/tsd-products-support-series-home.html
• Cisco NAC Guest Server
http://www.cisco.com/c/en/us/support/security/nac-guest-server/tsd-products-support-series-home.html

Accessibility Features in Cisco ISE 2.3


Cisco ISE 2.3 supports accessibility for the user-facing web portals only. Cisco Web Accessibility
Design Requirements (ADRs) are based on the W3C Web Content Accessibility Guidelines (WCAG) 2.0
Level AA requirements. Cisco ADRs cover all Section 508 standards and more. The Cisco ADRs website,
http://wwwin.cisco.com/accessibility/acc_center/adrs_web/main.html, provides all information and
resources for the accessibility requirements.

Obtaining Documentation and Submitting a Service Request


For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS Version 2.1.

This document is to be used in conjunction with the documents listed in the “Related Documentation” section.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of
Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The
use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any
examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only.
Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2017 Cisco Systems, Inc. All rights reserved.
