Release Notes for Cisco Identity Services Engine, Release 1.2.x Revised: November 5, 2014, OL-27043-01 Contents These release notes describe the features, limitations and restrictions (caveats), and related information for Cisco Identity Services Engine (ISE), Release 1.2.0 and 1.2.1. These release notes supplement the Cisco ISE documentation that is included with the product hardware and software release, and cover the following topics: • Introduction, page 2 • Deployment Terminology, Node Types, and Personas, page 2 • System Requirements, page 4 • Installing Cisco ISE Software, page 7 • Upgrading Cisco ISE Software, page 9 • Cisco Secure ACS to Cisco ISE Migration, page 11 • Cisco ISE License Information, page 11 • Requirements for CA to Interoperate with Cisco ISE, page 12 • New Features in Cisco ISE, Release 1.2.1, page 12 • New Features in Cisco ISE, Release 1.2.0, page 14 • Known Issues in Cisco ISE, Release 1.2.x, page 21 • Cisco ISE Installation Files, Updates, and Client Resources, page 24 • Using the Bug Search Tool, page 28 • Cisco ISE, Release 1.2.0.899 Patch Updates, page 38 • Cisco ISE, Release 1.2.x, Open Caveats, page 91 • Cisco ISE, Release 1.2.1, Resolved Caveats, page 117 • Cisco ISE, Release 1.2.0, Resolved Caveats, page 127 Cisco Systems, Inc. www.cisco.com Introduction • Documentation Updates, page 139 • Related Documentation, page 140 Introduction The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution. It offers authenticated network access, profiling, posture, BYOD device onboarding (native supplicant and certificate provisioning), guest management, and security group access services along with monitoring, reporting, and troubleshooting capabilities on a single physical or virtual appliance. Cisco ISE is available on two physical appliances with different performance characterization, and also as a software that can be run on a VMware server. You can add more appliances to a deployment for performance, scale, and resiliency. Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also allows for configuration and management of distinct personas and services. This feature gives you the ability to create and apply services where they are needed in the network, but still operate the Cisco ISE deployment as a complete and coordinated system. Deployment Terminology, Node Types, and Personas Cisco ISE provides a scalable architecture that supports both standalone and distributed deployments . Table 1 Cisco ISE Deployment Terminology Term Description Service Specific feature that a persona provides such as network access, profiler, posture, security group access, and monitoring. Node Individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and also as software that can be run on a VMware server. Each instance (either running on a Cisco ISE appliance or on a VMware server) that runs the Cisco ISE software is called a node. Persona Determines the services provided by a node. A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, Monitoring, and Inline Posture. Deployment Model Determines if your deployment is a standalone, high availability in standalone (a basic two-node deployment), or distributed deployment. Types of Nodes and Personas A Cisco ISE network has two types of nodes: • Cisco ISE node, which can assume any of the following three personas: – Administration—Allows you to perform all administrative operations for Cisco ISE. It handles all system-related configurations related to functionality such as authentication, authorization, auditing, and so on. In a distributed environment, you can have one or a maximum of two nodes Release Notes for Cisco Identity Services Engine, Release 1.2.x 2 OL-27043-01 Deployment Terminology, Node Types, and Personas running the Administration persona and configured as a primary and secondary pair. If the primary Administration node goes down, you have to manually promote the secondary Administration node. There is no automatic failover for the Administration persona. – Policy Service—Provides network access, posturing, BYOD device onboarding (native supplicant and certificate provisioning), guest access, and profiling services. This persona evaluates the policies and makes all the decisions. You can have more than one node assuming this persona. Typically, there is more than one Policy Service persona in a distributed deployment. All Policy Service personas that reside behind a load balancer can be grouped together to form a node group. If one of the nodes in a node group fails, the other nodes in that group process the requests of the node that has failed, thereby providing high availability. Note At least one node in your distributed setup should assume the Policy Service persona. – Monitoring—Enables Cisco ISE to function as a log collector and store log messages from all the Administration and Policy Service personas on the Cisco ISE nodes in your network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources. A node with this persona aggregates and correlates the data that it collects to provide meaningful reports. Cisco ISE allows a maximum of two nodes with this persona that can assume primary or secondary roles for high availability. Both the primary and secondary Monitoring personas collect log messages. In case the primary Monitoring persona goes down, the secondary Monitoring persona automatically assumes the role of the primary Monitoring persona. Note • Note Note At least one node in your distributed setup should assume the Monitoring persona. It is recommended that the Monitoring persona be on a separate, designated node for higher performance in terms of data collection and reporting. Inline Posture node is a gatekeeping node that is positioned behind network access devices such as wireless LAN controllers (WLCs) and VPN concentrators on the network. An Inline Posture node enforces access policies after a user has been authenticated and granted access, and handles change of authorization (CoA) requests that a WLC or VPN is unable to accommodate. Cisco ISE allows up to 10,000 Inline Posture Nodes in a deployment. You can pair two Inline Posture nodes together as a failover pair for high availability. An Inline Posture node is dedicated solely to that service and cannot operate concurrently with other Cisco ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node cannot assume any persona. Inline Posture nodes are not supported on VMware server systems. Each Cisco ISE node in a deployment can assume more than one persona (Administration, Policy Service, or Monitoring) at a time. By contrast, each Inline Posture node operates only in a dedicated gatekeeping role. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 3 System Requirements Table 2 Recommended Number of Nodes and Personas in a Distributed Deployment Node / Persona Minimum Number in a Deployment Maximum Number in a Deployment Administration 1 2 (Configured as a high-availability pair) Monitor 1 2 (Configured as a high-availability pair) Policy Service 1 Inline Posture 0 • 2—when the Administration/Monitoring/Policy Service personas are on the same primary/secondary appliances • 5—when Administration and Monitoring personas are on same appliance • 40—when each persona is on a dedicated appliance 10000 for maximum network access devices (NADs) per deployment You can change the persona of a node. See the “Setting Up Cisco ISE in a Distributed Environment” chapter of the Cisco Identity Services Engine User Guide, Release 1.2 for information on how to configure personas on Cisco ISE nodes. System Requirements Note • Supported Hardware, page 5 • Supported Virtual Environments, page 6 • Supported Browsers, page 6 • Supported Devices and Agents, page 7 • Supported Antivirus and Antispyware Products, page 7 For more details on Cisco ISE hardware platforms and installation, see the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2. Release Notes for Cisco Identity Services Engine, Release 1.2.x 4 OL-27043-01 System Requirements Supported Hardware Cisco ISE software is packaged with your appliance or image for installation. Cisco ISE, Release 1.2.x is shipped on the following platforms. After installation, you can configure Cisco ISE with specified component personas (Administration, Policy Service, and Monitoring) or as an Inline Posture node on the platforms that are listed in Table 3. Table 3 Supported Hardware and Personas Hardware Platform Persona Cisco SNS-3415-K9 Any • Cisco UCS 1C220 M3 • Single socket Intel E5-2609 2.4-GHz CPU, 4 total cores, 4 total threads • 16-GB RAM • 1 x 600-GB disk • Embedded Software RAID 0 • 4 GE network interfaces Administration • Cisco UCS C220 M3 Policy Service • Dual socket Intel E5-2609 2.4-GHz CPU, 8 total cores, 8 total threads • 32-GB RAM • 2 x 600-GB disk • RAID 0+1 • 4 GE network interfaces • 1x Xeon 2.66-GHz quad-core processor • 4 GB RAM • 2 x 250 GB SATA3 HDD4 • 4x 1 GB NIC5 • 1x Nehalem 2.0-GHz quad-core processor • 4 GB RAM • 2 x 300 GB 2.5 in. SATA HDD • RAID6 (disabled) • 4x 1 GB NIC • Redundant AC power • 2x Nehalem 2.0-GHz quad-core processor • 4 GB RAM • 4 x 300 GB 2.5 in. SAS II HDD • RAID 1 • 4x 1 GB NIC • Redundant AC power (small) Cisco SNS-3495-K9 (large) 2 Configuration Monitor Cisco ISE-3315-K9 (small) Cisco ISE-3355-K9 (medium) Cisco ISE-3395-K9 (large) Any Any Any Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 5 System Requirements Table 3 Supported Hardware and Personas (continued) Hardware Platform Persona Cisco ISE-VM-K9 (VMware) Stand-alone Administration, Monitoring, and Policy Service (no Inline Posture) Configuration • For CPU and memory recommendations, refer to the “VMware Appliance Sizing Recommendations” section in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2.7 • For hard disk size recommendations, refer to the “Disk Space Requirements” section in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2. • NIC—1 GB NIC interface required (You can install up to 4 NICs.) • Supported VMware versions include: – ESX 4.x – ESXi 4.x and 5.x 1. Cisco Unified Computing System (UCS) 2. Inline posture is a 32-bit system and is not capable of symmetric multiprocessing (SMP). Therefore, it is not available on the SNS-3495 platform. 3. SATA = Serial Advanced Technology Attachment 4. HDD = hard disk drive 5. NIC = network interface card 6. RAID = Redundant Array of Independent Disks 7. Memory allocation of less than 4GB is not supported for any VMware appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 4GB prior to opening a case with the Cisco Technical Assistance Center. If you are moving from Cisco Secure Access Control System (ACS) or Cisco NAC Appliance to Cisco ISE, the Cisco Secure ACS 1121 and Cisco NAC 3315 appliances support small deployments, Cisco NAC 3355 appliances support medium deployments, and Cisco NAC 3395 appliances support large deployments. Supported Virtual Environments Cisco ISE supports the following virtual environment platforms: • VMware ESX 4.x • VMware ESXi 4.x • VMware ESXi 5.x Supported Browsers The Cisco ISE, Release 1.2.x administrative user interface supports a web interface using the following HTTPS-enabled browsers: • Mozilla Firefox version 5.x and later. • Microsoft Internet Explorer 8.x and later. Release Notes for Cisco Identity Services Engine, Release 1.2.x 6 OL-27043-01 Installing Cisco ISE Software Note The Cisco ISE user interface does not support using the Microsoft IE8 browser in IE7 compatibility mode. The Microsoft IE8 is supported in its IE8-only mode. Adobe Flash Player 11.2.0.0 or above must be installed on the system running the client browser. The minimum required screen resolution to view the Administration portal and for a better user experience is 1280 x 800 pixels. Supported Devices and Agents Refer to Cisco Identity Services Engine Network Component Compatibility, Release 1.2 for information on supported devices, browsers, and agents. Cisco NAC Agent Interoperability The Cisco NAC Agent versions 4.9.4.3 and later can be used on both Cisco NAC Appliance Releases 4.9(1),4.9(3), 4.9(4) and Cisco ISE Releases 1.1.3-patch 11, 1.1.4-patch 11, 1.2.0, and 1.2.1. This is the recommended model of deploying the NAC agent in an environment where users will be roaming between ISE and NAC deployments. Support for Microsoft Active Directory Cisco ISE, Release 1.2.x supports Microsoft Active Directory servers 2003, 2008, 2008 R2, 2012at all functional levels. Microsoft Active Directory server 2012 R2 and all updates are supported by Cisco ISE, Release 1.2.1. Microsoft Active Directory version 2000 or its functional level is not supported by Cisco ISE. Supported Antivirus and Antispyware Products See the following Cisco ISE documents for specific antivirus and antispyware support details for Cisco NAC Agent and Cisco NAC Web Agent: • Cisco Identity Services Engine Release 1.2 Supported Windows AV/AS Products • Cisco Identity Services Engine Release 1.2 Supported Mac OS X AV/AS Products Installing Cisco ISE Software To install Cisco ISE, Release 1.2.x software on Cisco SNS-3415 and SNS-3495 hardware platforms, turn on the new appliance and configure the Cisco Integrated Management Controller (CIMC). You can then install Cisco ISE, Release 1.2.x over a network using CIMC or a bootable USB. Note When using virtual machines (VMs), we recommend that the guest VM have the correct time set using an NTP server before installing the .ISO image on the VMs. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 7 Installing Cisco ISE Software Perform Cisco ISE initial configuration according to the instructions in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2. Before you run the setup program, ensure that you know the configuration parameters listed in Table 4. Table 4 Cisco ISE Network Setup Configuration Parameters Prompt Description Example Hostname Must not exceed 19 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). The first character must be a letter. isebeta1 (eth0) Ethernet interface address Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface. 10.12.13.14 Netmask Must be a valid IPv4 netmask. 255.255.255.0 Default gateway Must be a valid IPv4 address for the default gateway. 10.12.13.1 DNS domain name Cannot be an IP address. Valid characters include ASCII characters, mycompany.com any numerals, the hyphen (-), and the period (.). Primary name server Must be a valid IPv4 address for the primary name server. 10.15.20.25 Add/Edit another name server Must be a valid IPv4 address for an additional name server. (Optional) Allows you to configure multiple name servers. To do so, enter y to continue. Primary NTP server Must be a valid IPv4 address or hostname of a Network Time Protocol clock.nist.gov (NTP) server. Add/Edit another NTP server Must be a valid NTP domain. (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue. System Time Zone Must be a valid time zone. For details, see Cisco Identity Services UTC (default) Engine CLI Reference Guide, Release 1.2, which provides a list of time zones that Cisco ISE supports. For example, for Pacific Standard Time (PST), the System Time Zone is PST8PDT (or UTC-8 hours). The time zones referenced are the most frequently used time zones. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones. Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This setting ensures that the reports, logs, and posture agent log files from the various nodes in the deployment are always synchronized with the time stamps. Release Notes for Cisco Identity Services Engine, Release 1.2.x 8 OL-27043-01 Upgrading Cisco ISE Software Table 4 Cisco ISE Network Setup Configuration Parameters (continued) Prompt Description Username admin (default) Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be three to eight characters in length and composed of valid alphanumeric characters (A–Z, a–z, or 0–9). Password Identifies the administrative password that is used for CLI access to MyIseYPass2 the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a–z), one uppercase letter (A–Z), and one numeral (0–9). Note Example For additional information on configuring and managing Cisco ISE, see Release-Specific Documents, page 140 to access other documents in the Cisco ISE documentation suite. Upgrading Cisco ISE Software Cisco Identity Services Engine (ISE) supports upgrades from the CLI only. Supported upgrade paths include: Note • Cisco ISE, Release 1.1.0, with Patch 5 or later applied • Cisco ISE, Release 1.1.1, with Patch 7 or later applied • Cisco ISE, Release 1.1.2, with Patch 10 or later applied • Cisco ISE, Release 1.1.3, with Patch 11 or later applied • Cisco ISE, Release 1.1.4, with Patch 11 or later applied • Cisco ISE, Release 1.2.0, with Patch 8 or later applied Upgrade to Cisco ISE, Release 1.2.0.899 is not required before upgrading to Release 1.2.1.198. Follow the upgrade instructions in the Cisco Identity Services Engine Upgrade Guide, Release 1.2 to upgrade to Cisco ISE, Release 1.2.x. Note When you upgrade to Cisco ISE, Release 1.2.x, you may be required to open network ports that were not used in previous releases of Cisco ISE. For more information, see "Appendix C, Cisco SNS-3400 Series Appliance Ports Reference" in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2. Upgrade Considerations and Requirements Read the following sections before you upgrade to Cisco ISE, Release 1.2.x: • No iPEP Support in Cisco ISE 1.2.x Patches, page 10 Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 9 Upgrading Cisco ISE Software • Firewall Ports That Must be Open for Communication, page 10 • VMware Operating System to be Changed to RHEL 5 (64-bit), page 10 • Guest Users Identity Source, page 10 • Other Known Upgrade Considerations and Issues, page 11 iPEP Support on Cisco ISE 1.2.x Cisco ISE, Release 1.2 and 1.2.1 can be installed on an iPEP node by using the Cisco ISE 1.2.1 version of iPEP. Firewall Ports That Must be Open for Communication The replication ports have changed in Cisco ISE, Release 1.2 and if you have deployed a firewall between the primary Administration node and any other node, the following ports must be open before you upgrade to Release 1.2: • TCP 1528—For communication between the primary administration node and monitoring nodes. • TCP 443—For communication between the primary administration node and all other secondary nodes. • TCP 12001—For global cluster replication. For a full list of ports that Cisco ISE, Release 1.2 uses, refer to the Cisco SNS-3400 Series Appliance Ports Reference. VMware Operating System to be Changed to RHEL 5 (64-bit) Cisco ISE, Release 1.2.x has a 64-bit architecture. If a Cisco ISE node is running on a virtual machine, ensure that the virtual machine's hardware is compatible with 64-bit systems: Note You must power down the virtual machine before you make these changes and power it back on after the changes are done. • Enable BIOS settings that are required for 64-bit systems. See the following resources for more information: Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1003945 • Ensure that you choose Linux as the Guest Operating System and Red Hat Enterprise Linux 5 (64-bit) as the version. See http://kb.vmware.com/selfservice/microsites/search.do?language=en _US&cmd=displayKC&externalId=1005870 for more information. Guest Users Identity Source In previous releases of Cisco ISE, guest-user records were available in the Internal Users database. Cisco ISE, Release 1.2.x introduces a Guest Users database, which is different than the Internal Users database. If you have added the Internal Users database to the identity-source sequence, the Guest Users database also becomes part of the identity-source sequence. If guest-user logins are not required, remove the Guest Users database from the identity-source sequence. Release Notes for Cisco Identity Services Engine, Release 1.2.x 10 OL-27043-01 Cisco Secure ACS to Cisco ISE Migration Other Known Upgrade Considerations and Issues Refer to the Cisco Identity Services Engine Upgrade Guide, Release 1.2.x for other known upgrade considerations and issues: • http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter _01.html#ID50 • http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter _01.html#ID244 Cisco Secure ACS to Cisco ISE Migration Cisco ISE, Release 1.2.x supports migration from Cisco Secure ACS, Release 5.3 only. You must upgrade the Cisco Secure ACS deployment to Release 5.3 before you attempt to perform the migration process to Cisco ISE, Release 1.2. Cisco ISE does not provide full parity to all the features available in ACS 5.3, especially policies. After migration, you may notice some differences in the way existing data types and elements appear in the new Cisco ISE environment. It is recommended to use the migration tool for migrating specific objects like network devices, internal users, and identity store definitions from ACS. Once the migration is complete, you can manually define the policies for relevant features that are appropriate to Cisco ISE. The migration tool only supports Mozilla Firefox, versions 3.6, 6, 7, 8, 9, and 10. Microsoft Windows Internet Explorer (IE8 and IE7) browsers are not currently supported in this release. Complete instructions for moving a Cisco Secure ACS 5.3 database to Cisco ISE Release 1.2.x are available in the Cisco Identity Services Engine, Release 1.2 Migration Tool Guide. Cisco ISE License Information Cisco ISE comes with a 90-day Base and Advanced Package Evaluation License already installed on the system. After you have installed the Cisco ISE software and initially configured the primary Administration persona, you must obtain and apply a Base, Plus, Advanced, or Wireless license. Cisco ISE, Release 1.2 Patch 8 and 1.2.1 includes the new Plus license. The Plus license provides the following services: • Bring Your Own Device (BYOD) • Profiling • Endpoint Protection Service (EPS) • TrustSec SGT The Advanced license provides access to the same features as the Plus license, as well as additional services. The Plus license does not include Base services. Note Some of the validation messages and alarms may report in terms of Advanced license instead of the Plus license. For example, attempting to install a Plus license without a Base license results in ISE incorrectly report it as an attempt to install an Advanced license without a Base license. Similarly, ISE will report the expiration of a Plus license as the expiration of an Advanced license. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 11 Requirements for CA to Interoperate with Cisco ISE For more detailed information on license types and obtaining licenses for Cisco ISE, see Cisco Identity Service Engine Hardware Installation Guide, Release 1.2. Cisco ISE, Release 1.2.x, supports licenses with two hardware IDs. You can obtain a license based on the hardware IDs of both the primary and secondary Administration nodes. For more information on Cisco ISE, Release 1.2.x licenses, see the Cisco Identity Services Engine Licensing Note. Requirements for CA to Interoperate with Cisco ISE While using a CA server with Cisco ISE, make sure that the following requirements are met: • Key size should be 1024, 2048, or higher. In CA server, the key size is defined using certificate template. You can define the key size on Cisco ISE using the supplicant profile. • Key usage should allow signing and encryption in extension. • While using GetCACapabilities through the SCEP protocol, cryptography algorithm and request hash should be supported. It is recommended to use RSA + SHA1. • Online Certificate Status Protocol (OCSP) is supported. This is not directly used in BYOD, but a CA which can act as an OCSP server can be used for certificate revocation. New Features in Cisco ISE, Release 1.2.1 Cisco ISE, Release 1.2.1 offers the following features and services: • New Plus License, page 12 • Certificate Renewal, page 12 • Upgrade Enhancements, page 13 New Plus License Cisco ISE, Release 1.2.1 includes the new Plus license. The Plus license provides the following services: • Bring Your Own Device (BYOD) • Profiling • Endpoint Protection Service (EPS) • TrustSec SGT The Advanced license provides access to the same features as the Plus license, as well as additional services. The Plus license does not include Base services. For more information, refer to the “Cisco ISE Licenses” chapter in the Cisco Identity Services Engine User Guide, Release 1.2. Certificate Renewal This release of Cisco ISE allows users to renew certificates that have expired or are about to expire on their personal devices. Release Notes for Cisco Identity Services Engine, Release 1.2.x 12 OL-27043-01 New Features in Cisco ISE, Release 1.2.1 By default, Cisco ISE rejects a request that comes from a device whose certificate has expired. However, you can change this default behavior and configure ISE to process such requests and prompt the user to renew the certificate. If you choose to allow the user to renew the certificate, Cisco recommends that you configure an authorization policy rule which checks if the certificate has been renewed before processing the request any further. Processing a request from a device whose certificate has expired may pose a potential security threat. Hence, you must configure appropriate authorization profiles and rules to ensure that your organization’s security is not compromised. Some devices allow you to renew the certificates before and after their expiry. But on Windows devices, you can renew the certificates only before it expires. Apple iOS, Mac OSX, and Android devices allow you to renew the certificates before or after their expiry. Newly Added Dictionary Attributes The following attributes are added to the Cisco ISE certificate dictionary and are used in policy conditions to allow a user to renew the certificate: • Days to Expiry: This attribute provides the number of days for which the certificate is valid. You can use this attribute to create a condition that can be used in authorization policy. This attribute can take a value from 0 to 15. A value of 0 indicates that the certificate has already expired. A value of 1 indicates that the certificate has less than 1 day before it expires. • Is Expired: This Boolean attribute indicates whether a certificate has expired or not. Newly Added Authorization Policy Simple Condition A new simple condition is now added that should be used in authorization policy to ensure that a certificate (expired or about to expire) is renewed before Cisco ISE processes the request further. This simple condition is called CertRenewalRequired. CWA Redirect To Renew Certificates If a user certificate is revoked before its expiry, Cisco ISE checks the CRL published by the CA and rejects the authentication request. In case, if a revoked certificate has expired, the CA may not publish this certificate in its CRL. In this scenario, it is possible for Cisco ISE to renew a certificate that has been revoked. To avoid this, before you renew a certificate, ensure that the request gets redirected to Central Web Authentication (CWA) for a full authentication. You must create an authorization profile to redirect the user for CWA. Upgrade Enhancements Cisco ISE, Release 1.2.1 includes the following upgrade enhancements for a seamless upgrade experience. Virtual Machine Resource Checks The upgrade software now checks if the virtual machine’s hardware (such as hard disk size, CPU speed, etc.) meets the recommended specifications before it begins the upgrade. If the VM resources do not meet the recommended specification, the upgrade will fail without making any changes to the existing Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 13 New Features in Cisco ISE, Release 1.2.0 ISE installation. The console will display a message stating the minimum resource requirements and that the upgrade can be retried after the virtual machine’s hardware has been updated to meet those requirements. Upgrade Bundle SHA-256 Checksum Verification The upgrade software verifies the SHA-256 checksum of the upgrade bundle before starting the upgrade process. This check ensures that upgrade does not fail because of corrupt upgrade software leaving the system in a corrupt state. If the upgrade bundle is corrupted, the console displays a message asking the administrator to re-download the upgrade bundle and try the upgrade again. Monitoring Database Object Checks In earlier releases, Cisco ISE upgrade has failed because of missing Monitoring database objects. In this release, the upgrade software checks for the Monitoring database objects to ensure that they are present before the upgrade begins. In the rare cases where the database objects are still missing, the administrator must restore from a backup taken before the upgrade. Enhanced Show Tech Support Command Output The show tech-support command is enhanced and now includes the database health report, alert log errors, processes that consume resources, database memory usage, and so on. This output is readable and is also available in the Support Bundle. You can run the show tech-support command on demand to look for the health of the database. The output can help the administrator with troubleshooting, if needed.. Database Enhancements This release includes several database enhancements that improve Cisco ISE performance. Index entries and corrupt data blocks are identified before the upgrade begins. This release also includes several database enhancements that improve Cisco ISE performance. New Features in Cisco ISE, Release 1.2.0 Cisco ISE, Release 1.2 offers the following features and services: • Support for UCS Hardware, page 15 • Improved Performance and Scalability, page 15 • Mobile Device Management Interoperability with Cisco ISE, page 15 • MAB from Non-Cisco Switches, page 16 • Support for Universal Certificates, page 16 • Policy Sets, page 16 • Profiler Feed Service, page 16 • Logical Profiles, page 17 • Enhanced Guest and Sponsor Pages, page 17 • RADIUS Authentication Suppression, page 17 • Collection Filters, page 17 Release Notes for Cisco Identity Services Engine, Release 1.2.x 14 OL-27043-01 New Features in Cisco ISE, Release 1.2.0 • Support for Secure Syslogs, page 17 • Support for Windows 2012 Active Directory, page 18 • Global Search, page 18 • Session Trace, page 18 • Enhancement to Client Provisioning, page 18 • Enhanced Reports and Alarms, page 18 • Enhancements to Live Authentications Page, page 20 • Enhancements to Cisco NAC Agent, page 20 • External RESTful Services, page 21 For more information on key features of Cisco ISE, see the “Overview” chapter in the Cisco Identity Services Engine User Guide, Release 1.2. Support for UCS Hardware Cisco ISE, Release 1.2.0, supports Cisco Unified Computing System (UCS) C220 hardware, which is shipped on the following platforms: • SNS-3415 (small) • SNS-3495 (large) Refer to Table 3 for other platforms supported by Cisco ISE. For more information, refer to the Cisco Identity Service Engine Hardware Installation Guide, Release 1.2. Improved Performance and Scalability Cisco ISE, Release 1.2.0 offers better performance and scale compared to previous versions. Cisco ISE 1.2 has moved from a 32-bit architecture to a 64-bit architecture, improving the overall performance from 100,000 concurrent endpoints per ISE deployment in ISE 1.1.x to 250,000 concurrent endpoints in ISE 1.2 Mobile Device Management Interoperability with Cisco ISE This release of Cisco ISE can interoperate with Mobile Device Management (MDM) servers to secure, monitor, and support mobile devices that are deployed across mobile operators, service providers, and enterprises. Cisco ISE, Release 1.2.0 supports MDM servers from the following vendors: • Airwatch, Inc. • Good Technology • MobileIron, Inc. • Zenprise, Inc. • SAP Afaria • FiberLink Maas360 Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 15 New Features in Cisco ISE, Release 1.2.0 • Cisco Mobile Collaboration Management Services (MCMS) For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. MAB from Non-Cisco Switches Cisco ISE, Release 1.2.0 supports Machine Authentication Bypass (MAB) from non-Cisco switches using the Cisco ISE endpoints database. For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. Support for Universal Certificates Cisco ISE, Release 1.2.0 supports the use of wildcard server certificates for HTTPS (web-based services) and EAP protocols that use SSL/TLS tunneling. With the use of universal certificates, you no longer have to generate a unique certificate for each Cisco ISE node. Also, you no longer have to populate the SAN field with multiple FQDN values to prevent certificate warnings. Using an asterisk (*) in the SAN field allows you to share a single certificate across multiple nodes in a deployment and helps prevent certificate-name mismatch warnings. For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. Note The universal certificates are referred as wildcard certificates in the user guide. Policy Sets This release of Cisco ISE allows you to create a set of authentication and authorization policy for various use cases. Policy sets are similar to access services in Cisco Secure ACS 5.x releases. For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. Profiler Feed Service Cisco ISE, Release 1.2.x provides a profiler feed service for publishing new profile definitions, updated profile definitions, and new OUI databases posted from IEEE. With the introduction of the profiler feed service, the profiler conditions, exception actions, and NMAP scan actions are classified as Cisco provided or administrator created (see the System Type attribute) in Cisco ISE. Also, endpoint profiling policies are classified as Cisco provided, administrator created, or administrator modified (see the System Type attribute). You can perform different operations on the profiler conditions, exception actions, NMAP scan actions, and endpoint profiling policies depending on the System Type attribute. You can retrieve new and updated endpoint profiling policies and the updated OUI database as a feed from a designated Cisco feed server through a subscription in Cisco ISE. You can also receive email notifications at an administrator email address that is configured for applied, success, and failure messages. You can also provide additional subscriber information to receive notifications. You can send the subscriber information back to Cisco to maintain the records and they are treated as privileged and confidential. Release Notes for Cisco Identity Services Engine, Release 1.2.x 16 OL-27043-01 New Features in Cisco ISE, Release 1.2.0 Note To ensure that the most up-to-date OUI database is installed, run the feed service after any Cisco ISE patch or maintenance installation. For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. Logical Profiles Cisco ISE profiles can be grouped in logical profiles. A logical profile is a container for a category of profiles or associated profiles, irrespective of Cisco-provided or administrator-created endpoint profiling policies. An endpoint-profiling policy can be associated with multiple logical profiles. You can use the logical profile in an authorization-policy condition to help create an overall network-access policy for a category of profiles. For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. Enhanced Guest and Sponsor Pages This release of Cisco ISE provides new default themes for the Guest and Sponsor portal pages. You can customize the pages by uploading logos and editing the color schemes. When guests access the Guest portal using a mobile device, they are routed automatically to a mobile-optimized version of the Guest portal. For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. RADIUS Authentication Suppression This release of Cisco ISE allows you to configure RADIUS settings to detect the clients that fail to authenticate and to suppress the repeated reporting of successful authentications. For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. Collection Filters You can configure collection filters to suppress syslog messages being sent to the monitoring and external servers. The suppression can be performed at the Policy Service Node level based on different attribute types. For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. Support for Secure Syslogs Cisco ISE, Release 1.2.0 can be configured to send secure syslogs to Monitoring nodes and between Cisco ISE nodes, by enabling TLS-protected syslog collectors. For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 17 New Features in Cisco ISE, Release 1.2.0 Support for Windows 2012 Active Directory Cisco ISE, Release 1.2.0 supports Microsoft Windows 2012 Active Directory. Global Search Cisco ISE, Release 1.2.0 provides a system-wide endpoint search box that you can use to quickly find and filter endpoints and users on a network. The search result includes detailed session information about each of the matching results, such as the type of access, location, endpoint MAC and IP address, and authorization profile. You can also export these results for further analysis. For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. Session Trace Cisco ISE, Release 1.2.0 provides a more efficient troubleshooting functionality. After search results are displayed, you can click the “play” button for more details. A new detailed screen with full session information for the endpoint is displayed. For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. Enhancement to Client Provisioning Starting from Cisco ISE Release 1.2.0, it is mandatory to include the client provisioning URL in authorization policy, to enable the NAC Agent to popup in the client machines. This prevents request from any random clients and ensures that only clients with proper redirect URL can request for posture assessment. For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. Enhanced Reports and Alarms Cisco ISE, Release 1.2.0 reports are enhanced to have a new look and feel that is more simple and easy to use. The reports are grouped into logical categories for information related to authentication, session traffic, device administration, configuration and administration, and troubleshooting. A new scheduling service that allows you to queue reports and receive notification when they are available. Table 5 Changes to Reports in Cisco ISE, Release 1.2 Report Name Change Endpoint Time to Profiler Removed Authentication Failure Code Lookup Removed Network Device Log Message Removed PAC Provisioning Removed Policy CoA Removed Posture Trend Removed Endpoint Operations History Removed Release Notes for Cisco Identity Services Engine, Release 1.2.x 18 OL-27043-01 New Features in Cisco ISE, Release 1.2.0 Table 5 Changes to Reports in Cisco ISE, Release 1.2 Report Name Change AAA Down Summary Removed. If a AAA server is down, you can see it on the dashboard and in the Health Summary report. TOP N AAA Down by Network Device Removed. If a AAA server is down, you can see it on the dashboard and in the Health Summary report. Authentication Trend Renamed as Authentication Summary report. TOP N Authentication by Allowed Protocol Moved to the Authentication Summary report. You can filter the report by Allowed Protocols. Server Authentication Summary Moved to the Authentication Summary report. You can filter the report by Server. TOP N Authentication by Server Moved to the Top N Authentication report. You can filter the report by Server. TOP N Authentication by Machine Renamed as Top N Authentication by Endpoint. Failure Reason Authentication Summary Moved to the Authentication Summary report. You can filter the report by Failure Reason. TOP N Authentication by Network Device Moved to the Authentication Summary report. You can filter the report by Network Device. Session Status Summary Renamed as Network Device Session Status report. User Authentication Summary Moved to the Authentication Summary report. You can filter the report by User. Radius Terminated Sessions Moved to the Session View report. You can filter the report by Terminated Sessions. In Cisco ISE, Release 1.2.0, a new dashlet is on the dashboard that allows you to enable and disable alarms and make minor configuration changes. The following is a list of alarms that are removed in Cisco ISE, Release 1.2: • Administrator Account Disabled • Max Administrator Sessions Exceeded • Restore Successful • Purge Backup Success • Replication Syn Failure • High CPU Utilization • Purge Failure • Purge Success • Application Exceeded Maximum Disk space • Base License count • Advanced License count • Admin Account Lockout • NTP Server not Reachable • Disk Cleanup Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 19 New Features in Cisco ISE, Release 1.2.0 • Successful Node Registration • Successful Patch Install • Successful Patch RollBack • Successful Node Deregistration • Successful Update Node • UnSuccessful Add Node • UnSuccessful Patch Install • UnSuccessful Patch Roll Back • UnSuccessful Remove Node • UnSuccessful Update Node For more information, refer to the Cisco Identity Services Engine User Guide, Release 1.2. Enhancements to Live Authentications Page The Live Authentications page on the Cisco ISE dashboard shows the details corresponding to authentication entries. In addition to these live authentication entries, the Live Authentications page is enhanced to show the live-session entries. You can also get a detailed report on a session. For more information on the enhancements to the Authentications page, see Cisco Identity Services Engine User Guide, Release 1.2. Enhancements to Cisco NAC Agent The following enhancements have been added to Cisco NAC Agent in Cisco ISE, Release 1.2.0. Cisco NAC Agent for Windows • Support for the Polish Language. • Support for the Microsoft Windows 8 Operating System. In Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. If users are still not able to download Cisco NAC agent, check and enable “compatibility mode.” • Support for the Log Packager option in the Agent Icon to collect support logs. • New for Cisco ISE 1.2.0 patch 3: support for Microsoft Windows 8.1. Cisco NAC Agent for Mac OS X • Support for the Collect Support Logs option in the Agent Icon to collect Agent logs and support information. • Notification screen appears automatically when the Agent window is buried by other windows. • Support for the Acceptable Use Policy (AUP). • New for Cisco ISE 1.2.0 patch 3: support for Mac OS X 10.9. Release Notes for Cisco Identity Services Engine, Release 1.2.x 20 OL-27043-01 Known Issues in Cisco ISE, Release 1.2.x External RESTful Services External RESTful Services (ERS) is a new Cisco ISE component that allows you to perform Create, Read, Update, and Delete (CRUD) operations on Cisco ISE resources. ERS also allows you to run advanced queries against the Cisco ISE database and perform bulk operations such as mass updates or deletions. ERS is based on HTTPS and REST methodology. These APIs provide an interface to the ISE configuration data by enabling internal user identities, endpoints, endpoint groups, identity groups, SGTs, and profiler policies to perform CRUD operations on the ISE data. Refer to the Cisco Identity Services Engine API Reference Guide, Release 1.2 for more information. Known Issues in Cisco ISE, Release 1.2.x • Mobile Devices Without VLAN, page 21 • Web Portal Customization for the Russian Language, page 22 • Device Registration Portal, page 22 • Cisco ISE Hostname Character Length Limitation with Active Directory, page 22 • Windows Internet Explorer 8 Known Issues, page 22 – Issue Accessing the Cisco ISE Administrator User Interface – User Identity Groups Issue • Known Supplicant Compatibility Issue Involving VLAN Change Operation on Windows Client Machines, page 23 • Issues with Message Size in Monitoring and Troubleshooting, page 23 • Issues with Accessing Monitoring and Troubleshooting, page 23 • Inline Posture Restrictions, page 23 • Custom Language Templates, page 23 • Issues with Monitoring and Troubleshooting Restores, page 23 • Issue with Network Device Session Status Report, page 24 • BYOD Connectivity Issue with Devices running Windows 7, page 24 • Issue with Converged Access Switches, page 24 • Issue with Cisco ISE Mapping to OUI, page 24 Mobile Devices Without VLAN When a mobile device completes the guest flow without VLAN/IP refresh enabled in the Guest Portal, it matches the permit access authorization policy, followed by a CoA termination that deletes the session. The device then goes through the guest flow again and forms a loop. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 21 Known Issues in Cisco ISE, Release 1.2.x Web Portal Customization for the Russian Language When you want to customize a web portal to use the Russian language template, the Browser Locale Mapping for the Russian template is “ru-ru.” However, this default mapping does not work on iPhones. If you encounter this issue, you can create a duplicate template with the Browser Locale Mapping set to “ru.” Device Registration Portal When a guest user registers a device using its MAC address, the device does not appear in the Device Registration Portal under the list of Registered Devices. This issue is seen in secondary Policy Service nodes in a distributed deployment and occurs because of replication latency issues. As a workaround click the Refresh button to view the newly registered device. Cisco ISE Hostname Character Length Limitation with Active Directory It is important that Cisco ISE hostnames be limited to 15 characters or less, if you use Microsoft Active Directory on the network. Active Directory does not validate hostnames larger than 15 characters. This can cause a problem if you have multiple Cisco ISE hosts in your deployment that have hostnames longer than 15 characters. If the first 15 characters are identical, Active Directory will not be able to distinguish them. Windows Internet Explorer 8 Known Issues • Issue Accessing the Cisco ISE Administrator User Interface • User Identity Groups Issue Issue Accessing the Cisco ISE Administrator User Interface When you access the Cisco ISE administrator user interface using the host IP address as the destination in the Internet Explorer 8 address bar, the browser automatically redirects the session to a different location. This situation occurs when you install a real SSL certificate issued by a certificate authority like VeriSign. If possible, we recommend using the Cisco ISE hostname or fully qualified domain name (FQDN) that was used to create the trusted SSL certificate to access the administrator user interface via Internet Explorer 8. User Identity Groups Issue If you create and operate 100 or more User Identity Groups, a script in the Cisco ISE administrator user interface can cause Internet Explorer 8 to run slowly, looping until a pop-up appears asking you if you want to cancel the running script. (If the script continues to run, your computer might become unresponsive.) Release Notes for Cisco Identity Services Engine, Release 1.2.x 22 OL-27043-01 Known Issues in Cisco ISE, Release 1.2.x Known Supplicant Compatibility Issue Involving VLAN Change Operation on Windows Client Machines There is a known issue with the Intel Supplicant version 12.4.x for Windows client machines with regard to a VLAN change for wireless deployments. The client machine has no connectivity because the NIC IP address is in the compliant/non compliant VLAN when it should be in the pre posture/pending VLAN. Note This issue affects any supplicant that cannot perform an IP address refresh on a VLAN change in a wireless environment. This issue is related to the VLAN detect (Access VLAN to Authentication VLAN change) functionality, where the Cisco NAC Agent is not working correctly with wireless adapters. Issues with Message Size in Monitoring and Troubleshooting Cisco ISE monitoring and troubleshooting functions are designed to optimize data collection performance messages of 8k in size. As a result, you may notice a slightly different message performance rate when compiling 2 k message sizes regularly. Issues with Accessing Monitoring and Troubleshooting Although more than three concurrent users can log into Cisco ISE and view monitoring and troubleshooting statistics and reports, more than three concurrent users accessing Cisco ISE can result in unexpected behavior like (but not limited to) monitoring and troubleshooting reports and other pages taking excessive amounts of time to launch, and the application sever restarting on its own. Inline Posture Restrictions • Inline Posture is not supported in a virtual environment, such as VMware. • The Simple Network Management Protocol (SNMP) Agent is not supported by Inline Posture. • The Cisco Discovery Protocol (formerly known as CDP) is not supported by Inline Posture. Custom Language Templates If you create a custom-language template with a name that conflicts with a default template name, the template is automatically renamed after an upgrade and restore. After an upgrade and restore, default templates revert back to their default settings, and any templates with names that conflict with the default names are renamed as follows: user_{LANG_TEMP_NAME}. Issues with Monitoring and Troubleshooting Restores During a Monitoring and Troubleshooting restore, the Cisco ISE application on the Monitoring node restarts and the GUI is unavailable until the restore completes. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 23 Cisco ISE Installation Files, Updates, and Client Resources Issue with Network Device Session Status Report Network Device Session Status report hangs during report generation. If the Network device is not configured with SNMP and SNMP community string is not provided, then the report generation hangs and never completes. Workaround for this issue is to enter the SNMP credentials while launching the Network Device Session Status report. If there is a large number of network devices configured in ISE, then it is recommended to provide snmpCommunity value along with the networkDeviceIP. BYOD Connectivity Issue with Devices running Windows 7 Devices running Windows 7 operating system do not connect by default if "invalid" security certificate is presented from the server side. This issue is seen if self-signed certificates are in use, or if the certificate is signed by a root CA, which is not in the trusted list of the client. Workaround for this issue is to create a PEAP network profile before connecting to the Single SSID BYOD network. After a PEAP network profile is created, Windows 7 displays a user prompt. Issue with Converged Access Switches The current available IOS releases for converged access switches, such as 3850 or 3650, may not send Calling-Station-ID in the RADIUS accounting requests, which may result in incorrect session states and endpoint profiles in ISE. Enter the following commands in the switch to ensure that the ISE data is updated appropriately. radius-server attribute 31 mac format ietf upper-case radius-server attribute 31 send nas-port-detail See Also CSCuo46999. Issue with Cisco ISE Mapping to OUI After installing or upgrading to Cisco ISE 1.2.1, the OUI entries may be missing in the database, which might result in the endpoints matching incorrect authorization policies. You need to run the feed service to update the OUI. It is recommended to run the feed service after the patch installation to ensure that the latest OUIs are installed. Cisco ISE Installation Files, Updates, and Client Resources There are three resources you can use to download to provision and provide policy service updates: • Cisco ISE Downloads from the Download Software Center, page 25 • Cisco ISE Live Updates, page 25 • Cisco ISE Offline Updates, page 26 Release Notes for Cisco Identity Services Engine, Release 1.2.x 24 OL-27043-01 Cisco ISE Installation Files, Updates, and Client Resources Cisco ISE Downloads from the Download Software Center In addition to the .ISO installation package required to perform a fresh installation of Cisco ISE as described in Installing Cisco ISE Software, page 7, you can use the Download software web page to retrieve other Cisco ISE software elements, like Windows and Mac OS X agent installers and AV/AS compliance modules. Downloaded agent files may be used for manual installation on a supported endpoint or used with third-party software distribution packages for mass deployment. To access the Cisco Download Software center and download the necessary software: Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials. Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software. Choose from the following Cisco ISE installers and software packages available for download: Step 3 • Cisco ISE installer .ISO image • Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants • Windows client machine agent installation files (including MST and MSI versions for manual provisioning) • Mac OS X client machine agent installation files • AV/AS compliance modules Click Download or Add to Cart. Cisco ISE Live Updates Cisco ISE Live Update locations allow you to automatically download Supplicant Provisioning Wizard, Cisco NAC Agent for Windows and Mac OS X, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals should be configured in Cisco ISE upon initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the Cisco ISE appliance. Prerequisite: If the default Update Feed URL is not reachable and your network requires a proxy server, you may need to configure the proxy settings in Administration > System > Settings > Proxy before you are able to access the Live Update locations. If proxy settings are enabled to allow access to the profiler and posture/client provisioning feeds, then it will break access to the internal MDM server as Cisco ISE cannot bypass proxy services for MDM communication. To resolve this, you can configure the proxy service to allow internal communication to the MDM servers. For more information on proxy settings, see the “Specifying Proxy Settings in Cisco ISE” section in the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 25 Cisco ISE Installation Files, Updates, and Client Resources Client Provisioning and Posture Live Update portals: • Client Provisioning portal—https://www.cisco.com/web/secure/pmbu/provisioning-update.xml The following software elements are available at this URL: – Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants – Windows versions of the latest Cisco ISE persistent and temporal agents – Mac OS X versions of the latest Cisco ISE persistent agents – ActiveX and Java Applet installer helpers – AV/AS compliance module files For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Downloading Client Provisioning Resources Automatically” section of the “Configuring Client Provisioning” chapter in the Cisco Identity Services Engine User Guide, Release 1.2. • Posture portal—https://www.cisco.com/web/secure/pmbu/posture-update.xml The following software elements are available at this URL: – Cisco predefined checks and rules – Windows and Mac OS X AV/AS support charts – Cisco ISE operating system support For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Downloading Posture Updates Automatically ” section of the “Configuring Client Posture Policies” chapter in the Cisco Identity Services Engine User Guide, Release 1.2. If you do not enable the automatic download capabilities described above, you can choose to download updates offline. See Cisco ISE Offline Updates, page 26. Cisco ISE Offline Updates Cisco ISE offline updates allow you to manually download Supplicant Provisioning Wizard, agent, AV/AS support, compliance modules, and agent installer packages that support client provisioning and posture policy services. This option allows you to upload client provisioning and posture updates when direct Internet access to Cisco.com from a Cisco ISE appliance is not available or not permitted by a security policy. Offline updates are not available for Profiler Feed Service. To upload offline client provisioning resources, complete the following steps: Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials. Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software. Choose from the following Off-Line Installation Packages available for download: • win_spw-<version>-isebundle.zip— Off-Line SPW Installation Package for Windows • mac-spw-<version>.zip — Off-Line SPW Installation Package for Mac OS X Release Notes for Cisco Identity Services Engine, Release 1.2.x 26 OL-27043-01 Cisco ISE Installation Files, Updates, and Client Resources Step 3 • compliancemodule-<version>-isebundle.zip — Off-Line Compliance Module Installation Package • macagent-<version>-isebundle.zip — Off-Line Mac Agent Installation Package • nacagent-<version>-isebundle.zip — Off-Line NAC Agent Installation Package • webagent-<version>-isebundle.zip — Off-Line Web Agent Installation Package Click Download or Add to Cart. For more information on adding the downloaded installation packages to Cisco ISE, refer to the “Adding Client-Provisioning Resources from a Local Machine” section of the “Configuring Client Provisioning” chapter in the Cisco Identity Services Engine User Guide, Release 1.2. You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Macintosh operating systems offline from an archive on your local system using posture updates. For offline updates, you need to ensure that the versions of the archive files match the version in the configuration file. Use offline posture updates when you have configured Cisco ISE and want to enable dynamic updates for the posture policy service. To upload offline posture updates, complete the following steps: Step 1 Go to https://www.cisco.com/web/secure/pmbu/posture-offline.html. Save the posture-offline.zip file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Macintosh operating systems. Step 2 Access the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture. Step 3 Click the arrow to view the settings for posture. Step 4 Choose Updates. The Posture Updates page appears. Step 5 From the Posture Updates page, choose the Offline option. Step 6 From the File to update field, click Browse to locate the single archive file (posture-offline.zip) from the local folder on your system. Note Step 7 The File to update field is a required field. You can only select a single archive file (.zip) that contains the appropriate files. Archive files other than .zip (like .tar, and .gz) are not allowed. Click the Update Now button. Once updated, the Posture Updates page displays the current Cisco updates version information under Update Information. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 27 Using the Bug Search Tool Using the Bug Search Tool This section explains how to use the Bug Search Tool to search for a specific bug or to search for all bugs in a release. • Search Bugs Using the Bug Search Tool • Export to Spreadsheet Search Bugs Using the Bug Search Tool In Cisco ISE, use the Bug Search Tool to view the list of outstanding and resolved bugs in a release. This section explains how to use the Bug Search Tool to search for a specific bug or to search for all the bugs in a specified release. Step 1 Go to https://tools.cisco.com/bugsearch/search. Step 2 At the Log In screen, enter your registered Cisco.com username and password; then, click Log In. The Bug Toolkit page opens. Note If you do not have a Cisco.com username and password, you can register for them at http://tools.cisco.com/RPF/register/register.do. Step 3 To search for a specific bug, enter the bug ID in the Search For field and press Enter. Step 4 To search for bugs in the current release: a. Click Select from list link. The Select Product page is displayed. b. Choose Security > Access Control and Policy > Cisco Identity Services Engine. c. Click OK. d. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs based on different criteria such as status, severity, and modified date. Export to Spreadsheet The Bug Search Tool provides the following option to export bugs to an Excel spreadsheet: • Click Export Results to Excel link in the Search Results page under the Search Bugs tab to export all the bug details from your search to the Excel spreadsheet. Presently, up to 10000 bugs can be exported at a time to an Excel spreadsheet. If you are unable to export the spreadsheet, log into the Technical Support Website at http://www.cisco.com/cisco/web/support/index.html for more information or call Cisco TAC (1-800-553-2447). Release Notes for Cisco Identity Services Engine, Release 1.2.x 28 OL-27043-01 Cisco ISE, Release 1.2.1.198 Patch Updates Cisco ISE, Release 1.2.1.198 Patch Updates The following patch releases apply to Cisco ISE release 1.2.1: Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 1, page 35 Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 3 Table 6 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.1.198 cumulative patch 3. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. for instructions on how to apply the patch to your system. Table 6 Cisco ISE Patch Version 1.2.1.198-Patch 3 Resolved Caveats Caveat Description CSCuq01548 ISE posture dropped during Change of Authorization (CoA) due to invalid HTTP User-Agent [Trident 7.0]. This fix addresses an issue where a third-party User-Agent does not allow the download of the NAC agent. CSCuq02222 The Simple Network Management Protocol (SNMP) Query probe failed to discover endpoints using periodic polling. This fix addresses an issue where the ARP table failed to discover the MAC addresses of endpoints that were connected to a Catalyst switch using the SNMP Query probe. CSCup88315 Apple iOS 8 beta failing External Web Authentication (WebAuth) with ISE. This fix addresses an issue where Apple devices running iOS 8 beta software failed to complete external web authentication. CSCum41138 NAS IP Address showing MnT address in ISE live logs after CoA REST API. This fix addresses an issue in the Operations > Authentications > Show Live Authentications page. The NAS IP Address field failed to display the IP address of the network device, when Change of Authorization (CoA) was triggered via the Rest API. CSCun74636 OSX Mavericks is profiled as Apple device based on incorrect User-Agent. This fix addresses an issue where Cisco ISE failed to identify OSX Mavericks device based on the endpoint profiling policies. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 29 Cisco ISE, Release 1.2.1.198 Patch Updates Table 6 Cisco ISE Patch Version 1.2.1.198-Patch 3 Resolved Caveats (continued) Caveat Description CSCun00427 ISE 1.2 match operator returns true when LHS is NULL and RHS is constant. This fix addresses an issue that occurred when there was a MATCHES operator in a rule/policy: if the LeftHandSide of the rule/policy was returning NULL value and the RightHandSide was CONSTANT, the operator was getting evaluated as TRUE. The operator is now evaluated as FALSE. CSCui08084 Guest user is not terminated on the switch when suspended via Edit Account. This fix addresses an issue with the Guest Account created using the Sponsor Portal. When suspending the Guest Account, the Account was suspended but the wired session on the switch was not terminated. CSCuq26320 EAP-FAST authenticated provisioning with Android doesn't work This fix addresses an issue where EAP-FAST authentication for specific Android versions was not working. CSCun75458 ISE Apache Struts 2 vulnerabilities. Previous versions of Cisco ISE included a version of Apache Struts2 that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2014-0050,CVE-2014-0094 CSCuo63900 ISE Apache Struts 1 vulnerabilities. This product includes a version of third-party software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2014-0112,CVE-2014-0114 Cisco has analyzed these vulnerabilities and concluded that the product is not impacted. Release Notes for Cisco Identity Services Engine, Release 1.2.x 30 OL-27043-01 Cisco ISE, Release 1.2.1.198 Patch Updates Table 6 Cisco ISE Patch Version 1.2.1.198-Patch 3 Resolved Caveats (continued) Caveat Description CSCur00532 ISE evaluation for CVE-2014-6271 and CVE-2014-7169 (AKA ShellShock). This fix addresses an issue in ISE nodes that are SSH enabled. If SSH is enabled, a remote user with ISE CLI credentials will be able to exploit the vulnerability and run generic Linux commands. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch =1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.ht ml Workaround Disable SSH and reload ISE node as follows: ise1/admin# configure terminal ise1/admin(config)# no service sshd enable ise1/admin(config)# end ise1/admin# reload Save the current ADE-OS running configuration? (yes/no) [yes] ? yes Continue with reboot? [y/n] y CSCul28451 RADIUS Accounting Report “Account Session Time” blank. This fix addresses an issue in the Operations > Reports > Auth Services Status > Radius Accounting page. In the click here for Accounting detail report option for the Stop Account Status Type, the Account Session field did not display the difference between a session’ start and stop time. CSCup79399 Cisco ISE-related reports return blank page while launching from PI. This fix addresses an issue where all Cisco ISE reports opened from Cisco Prime Infrastructure resulted in a “Web page not available” error. CSCul16354 Supplicant Provisioning Wizard (SPW) cannot be set up for MAC And Windows without Java. The fix addresses an issue where SPW did not install on MAC and Windows without the support of Java. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 31 Cisco ISE, Release 1.2.1.198 Patch Updates Table 6 Cisco ISE Patch Version 1.2.1.198-Patch 3 Resolved Caveats (continued) Caveat Description CSCuj64206 Parent Endpoint Identity Group cannot be created in Windows 7, Internet Explorer 10. This fix addresses an issue when an Endpoint Identity Group could not be created without a Parent Group in Windows 7 Internet Explorer 10. The following error message was displayed: “Invalid group name. Please select a parent group from the list displayed.” Workaround Use Internet Explorer 8. CSCuq11441 ISE posture was dropped via Change of Authorization (CoA) due to invalid HTTP User-Agent [Trident 5.0] This fix addresses an issue where the posture validation was dropped via CoA terminate because of an unknown User-Agent. Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 2 Table 7 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.1.198 cumulative patch 2. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. for instructions on how to apply the patch to your system. Release Notes for Cisco Identity Services Engine, Release 1.2.x 32 OL-27043-01 Cisco ISE, Release 1.2.1.198 Patch Updates Table 7 Cisco ISE Patch Version 1.2.1.198-Patch 2 Resolved Caveats Caveat Description CSCul21337 The Posture Troubleshooting tool was vulnerable to blind SQL injection. This fix addresses an issue where a vulnerability in the web framework of Cisco ISE may allow an attacker to impact the integrity by executing arbitrary SQL queries. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.5/5.4: https://intellishield.cisco.com/security/alertmanager/ cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:P/A:P/ E:F/RL:OF/RC:C CVE ID CVE-2014-3275 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/ CVE-2014-3275 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCul39011 The Mobile Device Management (MDM) client failed to reject queries when MDM server was not responding. This fix addresses an issue where timeouts were caused when the MDM server was not reachable during authorization policy evaluation. CSCul58758 Redirected to null page in the browser after Local Web Authentication (LWA) flow with WLC-5500 series. This fix addresses an issue where a guest user enters the username and password in the Guest Login page, but is not redirected to the specified URL. CSCul86970 GUI does not display the Allow only listed IP addresses option to connect. This fix addresses an issue in the Admin Access settings page, where the following option was not displayed in the UI: Allow only listed IP addresses to connect. CSCum37237 Insufficient permission error with bulk import of guest account. This fix addresses an issue where an error message was encountered when sponsors imported and printed guest usernames, formed from the guests email addresses. CSCum57372 NAS identifier does not appear the authentication details in the web UI. This fix addresses an issue where the Network Access Server (NAS) Identifier information did not appear in the Authentication Details page. CSCun28502 Sponsor, My Devices, and Guest portals does not have a defined character limit. This fix addresses an issue in the Administration > Web Portal Management > Settings page. The Sponsor, My Devices, and Guest portals contain the Language Template option. The Language Template option contains a list of configurations. The text fields in each configuration allow any one of the following character count: 128,512, 256, or 4000. An error message was displayed for specific fields, such as AUP and Notifications, when the character limit was above 4000 characters. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 33 Cisco ISE, Release 1.2.1.198 Patch Updates Table 7 Cisco ISE Patch Version 1.2.1.198-Patch 2 Resolved Caveats (continued) Caveat Description CSCun74285 ISE safe mode did not bypass admin portal certificate authentication. This fix addresses an issue where ISE safe mode did not bypass user certificate authentication and did not enable local admin credentials. CSCun74460 Incorrect Daylight Saving Time (DST) time zone offset in ISE affects remote syslog targets. This fix addresses an issue where the DST time zone offset was incorrect in the prrt log. CSCun84251 Error after application ise reset-config on 1.2.0.899 Patch 6. This fix addresses an issue where an error was found when the application reset-config ise command was run. CSCun94304 ISE RSA server configuration may fail to replicate to PSNs. This fix addresses an issue where the RSA configuration (sdconf.rec) did not load properly and data did not replicate from the PAP node to other nodes. CSCuo13099 ISE Sponsor, email ID used as username with space in it, throws an error. This fix addresses an issue where the guest user email IDs with spaces encountered an error when used in usernames. CSCuo39442 ISE 1.2 does not validate remote log target names. This fix addresses an issue where the Remote Logging Target names displayed in the Administration > System > Logging > Remote Logging Targets page reported the following error message: Name should not contain space(s) or any of the following characters: ! % ^ : ; , [ { | } ] \ ` " = ?. The above error message was displayed even though hyphen or period was used. CSCuo58919 Endpoint static group assignment toggles between true or false option every 55 seconds. This fix addresses an issue where the Static Group Assignment check box in the Administration > Identity Management > Identities > Endpoints page toggled between true or false value every 55 seconds. CSCuo63448 Modifying the ISE parent profile disables child profile. This fix addresses an issue where in the Profiling Policies page, on modifying a parent profile, endpoints failed to reach the correct profile policy. CSCuo75506 ISE authorization profile with Central WebAuth (CWA) and custom guest portal does not redirect to default settings. This fix addresses an issue where a CWA authorization profile was configured and if the CWA authorization profile was edited again, the changes were displayed only in the UI, but failed to reflect in the attributes. CSCuo88571 The IP release renew operation was not performed on Mac OSX devices. This fix addresses an issue where a user logged into the guest portal was unable to renew the IP address after clicking Accept in the Acceptable Use Policy (AUP) page. CSCup33018 Apple iOS 8 beta fails Native Supplicant Provisioning flow. This fix addresses an issue where with single or dual SSIDs, Apple devices running iOS 8 beta software failed to complete provisioning. Release Notes for Cisco Identity Services Engine, Release 1.2.x 34 OL-27043-01 Cisco ISE, Release 1.2.1.198 Patch Updates Table 7 Cisco ISE Patch Version 1.2.1.198-Patch 2 Resolved Caveats (continued) Caveat Description CSCup50216 ISE 1.2+ API update was overwritten by the profiler. This fix addresses an issue where the ERS API failed to update existing endpoints in static groups. CSCup51902 Exporting active endpoints does not work from the admin node. This fix addresses an issue where exporting active endpoints from a Cisco ISE server Administration node did not work. CSCup63424 Downloading software to effect release or renew of guest virtual LAN (VLAN) was not accomplished. This fix addresses an issue where the IP address release or renew operation in the VLAN release or renew page, was nonfunctional when it was not the latest version of the Java Applet. CSCup99806 Custom data access permissions were not working as expected. This fix addresses an issue where Custom data access permission did not work according to the mapped RBAC policy in the Network Device page. Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 1 Table 8 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.1.198 cumulative patch 1. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. for instructions on how to apply the patch to your system. Table 8 Cisco ISE Patch Version 1.2.1.198-Patch 1 Resolved Caveats Caveat Description CSCty01787 Error in Generating XML Output for EndPointIPAddress API This fix addresses an issue where an internal error was displayed in the XML when calling the EndPointByIPAddress API for a given IP address appearing in the AuthSessionList. CSCul25066 ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service This fix addresses an issue where customers upgrading to ISE 1.2 who had the Wireless Upgrade license to add advanced license functionality to their deployment received the following alert: “Feed Service error : The Advance License installed on the ISE nodes have been expired.” Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 35 Cisco ISE, Release 1.2.1.198 Patch Updates Table 8 Cisco ISE Patch Version 1.2.1.198-Patch 1 Resolved Caveats Caveat Description CSCul29344 ISE 1.2 HTML Custom Pages for Different Portals Not Working This fix addresses an issue where the sample HTML for custom Guest Portal pages provided in the user guide did not work correctly. CSCum29186 With Account Creation Time Zone Change Not Reflecting New Updated Allowed Time This fix addresses an issue where changing the time zone during Guest account creation was not reflected with the newly updated allowed time to login. CSCum54099 ISE Does Not Send Sponsor-related syslog Message to External syslog Server This fix addresses an issue where ISE did not send messages like 86008 or 86006 to the external syslog server. It only sent the 86028 messages. CSCum69410 ISE 1.2 CWA with DRW Included Doesn't Register Endpoint This fix addresses an issue where the endpoint DB didn’t indicate that an endpoint was registered after a CWA user entered their MAC address on the Guest Device Registration screen. CSCum85930 ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect This fix addresses an issue where custom CWA portal may not have loaded images or CSS as expected. CSCum88817 ISE 1.2 Logs Filled with Unnecessary License Validity Info This fix addresses an issue where ISE was logging license checks in INFO mode, which caused massive output in the log files. CSCum96035 This fix addresses an issue that occurred when a user typed in a password that violated the password policy on the default custom portal password-change page and the page refreshes instead of displaying an error message. CSCun15601 Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail This fix addresses an issue where the message “This is an invalid text message template. Contact your system administrator for assistance.” was shown while sending Guest account through Mail/SMS if the sponsor is CC’ed. CSCun36594 ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV This fix addresses an issue that occurred after importing endpoints from a CSV file where the “Endpoint Identity Group” was changed from the one specified in the file to Profiled. CSCun41732 Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate is Present This fix addresses an issue where Cisco ISE could not load the complete Trusted certificate list when a corrupted certificate was present in the list. CSCun51094 Bulk Import of Guests by Sponsor Falls in Wrong Guest Role This fix addresses an issue where imported guest users always get the role of default Guest during a bulk import from the Sponsor portal. CSCun67719 Guest Portal: Error Message When Password Expired Confusing The Cisco ISE Guest portal provides a generic error for events such as guest user account expired and gives no information on the cause of the issue. Release Notes for Cisco Identity Services Engine, Release 1.2.x 36 OL-27043-01 Cisco ISE, Release 1.2.1.198 Patch Updates Table 8 Cisco ISE Patch Version 1.2.1.198-Patch 1 Resolved Caveats Caveat Description CSCun68637 SNMP Query Fails to Complete during NMAP-triggered Probe This fix addresses an issue where an SNMP query failed to execute when it was triggered by an NMAP probe. CSCun93673 ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter This fix addresses an issue where exporting endpoints results in an empty file if you search using lower case letters. CSCun97606 ISE Roaming Authentication Failing This fix addresses an issue that occurred when attributes about endpoints differed from one PSN to another when using multiple PSNs for profiling or authentication. CSCuo32987 Endpoint Register Broken This fix addresses an issue where attempts at ERS API endpoint register end in HTTP 500 Internal Server Error. CSCuo34449 ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent This fix addresses an issue where a client application that initiated HTTP using User-Agent was not recognized by ISE, and triggered ISE to clear that session and send a Radius CoA Terminate command to NAD. CSCuo56780 ISE RADIUS Service Denial of Service Vulnerability This fix addresses an issue where the RADIUS service may become unresponsive when receiving accounting packets from two different Network Access Servers (NASs). PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C CVE ID CVE-2014-3276 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-327 6 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 37 Cisco ISE, Release 1.2.0.899 Patch Updates Table 8 Cisco ISE Patch Version 1.2.1.198-Patch 1 Resolved Caveats Caveat Description CSCuo63892 CIAM: ISE-commons-fileupload-1-0 This fix addresses third-party software vulnerabilities. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 7.8: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. CVE ID CVE-2014-0050 have been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCuo73070 ISE 1.2 GUI Elements Missing Due to No Advanced License CSCuo76078 This fix addresses an issue where the error “No valid system license exists” appeared for the sponsor portal and guest portal after the installation of a Cisco ISE Patch. Cisco ISE, Release 1.2.0.899 Patch Updates The following patch releases apply to Cisco ISE release 1.2.0: • Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12, page 39 • Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12, page 48 • Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 11, page 53 • Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10, page 54 • Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10, page 55 • Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 9, page 58 • Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 8, page 62 • Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8, page 62 • Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8, page 63 • Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 7, page 65 • Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 6, page 69 • Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 5, page 72 • Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 4, page 79 • Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 4, page 79 Release Notes for Cisco Identity Services Engine, Release 1.2.x 38 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates • Support for Windows 8.1 and Mac OS X 10.9 in Cisco ISE Version 1.2.0.899—Cumulative Patch 3, page 81 • Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 3, page 81 • New Features in Cisco ISE Version 1.2.0.899—Cumulative Patch 2, page 86 • Support for Apple iOS 7 in Cisco ISE Version 1.2.0.899—Cumulative Patch 2, page 89 • Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 2, page 89 • Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 1, page 91 Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12 Table 9 lists the open issues in Cisco ISE 1.2.0 Patch 12 that may be resolved in other releases. Table 9 Cisco ISE Patch Version 1.2.0.899-Patch 12 Open Caveats Caveat Description CSCty46687 The Cisco Identity Services Engine (ISE) is affected by a cross-site scripting (XSS) vulnerability. CSCty46691 The Cisco Identity Services Engine (ISE) is vulnerable to SQL injection. CSCty60811 Clients are not redirected to the Posture Remediation page to download the NAC agent. CSCtz29311 SecPAP promotion is slow with FCS 1.1(alpha data) to 1.1.1.183 upgrades. CSCtz99443 Node replication status in the deployment page always shows 'IN-PROGRESS' message to the Secondary nodes that are deployed over WAN. CSCua10173 Changing or disabling alert rules or criteria triggers HTTP Status 400 - Request not processed message. CSCub19047 Characters such as Hyphen (-) and dot (.) are not supported as part of the VLAN ID\Name. CSCub35768 ISE Upgrade from 1.0 to 1.1 failed because data access permission to the user is denied. CSCub64247 Cisco Application Deployment Engine (ADE) OS does not accept users with passwords containing front slash. CSCub87687 Language templates in the guest portal sets a limit of 4000 characters. CSCub99130 Corruption of database results in the loss of ISE certificates and keys. CSCuc26772 Network devices are not displayed in the navigation pane when the Network Device Group is selected. CSCud20339 Onboarding a device using single/dual SSID with Transport Layer Security (TLS) profiles fails. CSCud46215 Detailed authentication failure message is not displayed for sponsor user group. CSCud52161 Active Directory (AD) operation failure because of an unspecified error in ISE. CSCud79538 ISE fails with two active certificates. CSCud86135 During initialization failure ISE sends wrong alarms. CSCud92384 Incorrect error messages displayed when ISE application server is down. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 39 Cisco ISE, Release 1.2.0.899 Patch Updates Table 9 Cisco ISE Patch Version 1.2.0.899-Patch 12 Open Caveats Caveat Description CSCue14481 “Internal error” message displayed when the number of guest user accounts created is 100,000. CSCue23875 The monitoring database stops adding new entries for operating system strings that exceed the maximum value of 100 characters. CSCue27949 The reset-passwd command does not allow the usage of special characters. CSCue30432 Launch program remediation does not allow the usage of double quotes. CSCue33447 Editing authorization profile by adding static Internal Protocol (IP) address or host name changes the redirect back to 'Default' and the 'Value' is empty. CSCue46758 Identity Services Engine (ISE): 86107-Session cache entry missing during guest authentication. CSCuf33854 Nessus 53491 - Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) renegotiation DoS OpenSSL reported medium vulnerabilities. CSCuf60933 Slow GUI with large Cisco Telepresence System (CTS) Egress Matrix. CSCuf84159 Identity Services Engine (ISE) admin access does not work with External RSA authentication. CSCug20348 Machine authentication with Active Directory (AD) fail with MNT error “24485 Machine authentication against Active Directory has failed because of wrong password” and does not reflect the issue. CSCug27409 Import of comma-separated value (CSV) file for Network Devices failed in ISE 1.1.3. CSCug34679 Identity Services Engine (ISE) drops keep alive authentications coming from wireless LAN controller (WLC) marking ISE as dead. CSCug51137 User authentication over 3 days failed with Uncaught exception. CSCug51530 Failed to send message: Socket closed, MsgType: 901. CSCug90087 Database lock not removed after execution of reset monitoring database command. CSCuh23877 “Identity Store Unavailable” alarm not getting triggered after authentication failed. CSCuh41473 Active Directory (AD) group not saved as external admin group if containing a "!" character. CSCuh47459 Connection error on Backup and Restore page after successful restore and backup. CSCuh50486 Identity Services Engine (ISE) validates only if Domain Name Server (DNS) entry for the host exists, but not for Internet Protocol (IP) address. CSCuh54734 Acknowledgment of alarms does not work when the instances are over 1000 occurrences. CSCuh57033 Error message not displayed to mobile users in Central WebAuth (cwa) with invalid credentials. CSCuh79430 Machine Access Restriction (MAR) Cache on Access Control Server (ACS) not corrected when Machine removed from Active Directory (AD). CSCuh79607 Identity Services Engine (ISE) Active Directory (AD) group matching fails due to forward slash in AD group name. CSCuh86591 Identity Services Engine (ISE) Simple Network Management Protocol (SNMP) profiling failed when connected to 48 ports stacked under 24 ports switch master. Release Notes for Cisco Identity Services Engine, Release 1.2.x 40 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 9 Cisco ISE Patch Version 1.2.0.899-Patch 12 Open Caveats Caveat Description CSCuh87451 Browser redirected to the guest portal when declining acceptable use policy (AUP) through a Device Registration Web Authentication (DRW). CSCuh89530 404 Error on MnT GUI and wrong persona in deployment page after customer database restore. CSCuh96440 Could not determine prior Cisco Agent Installation on Windows or MAC OS X machines in pre-posture state. CSCui01605 Admin cannot duplicate and save policy-set if existing policy set has user defined simple condition. CSCui09203 Identity Services Engine (ISE) fails When accounting message with long class string. CSCui15711 Internal error encountered while creating guest user with a time profile that was deleted and recreated with the same name. CSCui16843 Operational backup or restore failed when primary monitoring node is not reachable due to power down or inner shut down. CSCui25164 Identity Services Engine (ISE) sponsors cannot view accounts that it created after change of group. CSCui48401 Spaces in email when creating user in sponsor portal caused error in Identity Services Engine (ISE). CSCui53920 Identity Services Engine (ISE) 1.2 dashboard metric % posture compliance is wrongly calculated for posture status other than “Complaint” or “Not Applicable”. CSCui63474 Dynamic Host Configuration Protocol (DHCP) Switched Port Analyzer (SPAN) not starting unless Internet Protocol (IP) is assigned to the interface. CSCui65057 Current iso-to-usb.sh script does not set the proper path for syslinux when used on CentOS 6.4. CSCui65835 Devices in the network device list is not visible when customer logs in with Active Directory (AD) credentials in to Web GUI. CSCui72087 Default access restrictions not securely enforced on several pages existing within the Inbox, Alarms, and Schedule pages. CSCui82602 Guest Cache Issues for Identity Groups. CSCui82615 Guest account cache issues for time profiles set by the sponsor. CSCuj19173 MemberOf attribute fails with regular expression if group belong to an Organizational Unit (OU) in Active Directory (AD). CSCuj20969 Network Device Session status report fails for a switch with message “SNMP information is not configured for this device in ISE.” CSCuj30442 ISE Application Deployment Engine (ADE) does not allow the deletion of certain files from local repository. CSCuj30585 ISE Client Provisioning Portal (CPP) allows MAC configuration for WebAgent. CSCuj42566 ISE guest reporting does not identify the sponsor who effects changes to a guest account. CSCuj58037 iPEP ISE 1.2 in routed mode does not use service Internet Protocol (IP) for RADIUS packets. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 41 Cisco ISE, Release 1.2.0.899 Patch Updates Table 9 Cisco ISE Patch Version 1.2.0.899-Patch 12 Open Caveats Caveat Description CSCuj61976 Admin Graphical User Interface (GUI) fails to display certain GUI pages when using Firefox 25. CSCuj63421 Creating ISE shared reports via interactive viewer is broken. CSCuj64008 Profiler feed service policy for Amazon Kindle Fire tablet to be devised. CSCuj68540 Monitoring (MnT) schema upgrade script is logging INFO messages as ERROR and WARNING. CSCuj71399 Performing backup through the GUI or CLI throws “A backup or restore is already in progress” error. CSCuj71819 Accented characters in guest username displayed in HEX format in ISE GUI. CSCuj76383 Admin user receives two email notifications for password expiry. CSCuj88351 Loading a corrupted Certificate Authority (CA) certificate on startup causes config rollback with related problems. CSCuj99801 External RESTful Services (ERS) error codes are not consistent for the same action pertaining to different categories. CSCuj99912 ISE 1.2 External RESTful Services (ERS) filter by name for Security Group Tag (SGT) category fails. CSCul00148 Start and end time profiles display according to ISE timezone instead of Guest timezone. CSCul00743 The Operation > Authentication page is blank for invalid characters in username. CSCul00985 Ubuntu laptop users without posture checks are redirected to the Client Provisioning Portal (CPP) page after Centralized Web Authentication (CWA). CSCul02830 Active Directory (AD) test connection fails for domain\user-ID. CSCul05429 Authorization rule does not match CVPN3000/ASA/PIX7x-Tunnel-Group-Name. CSCul05764 Incorrect references when Certificate Authority (CA) ID Store Name is changed. CSCul08673 Export of custom report for a date range failed. CSCul30358 Active Base license count exceeds the allowed license count. CSCul37463 Scheduled backup does not work on upgrading from previous version to 1.2. CSCul45573 Network Access Device (NAD) config does not accept % in RADIUS shared secret/SNMP community string. CSCul47387 Character limit should be increased for policy rule name. CSCul53156 Device Registration page is blank when used with AddTrust certificates. CSCul56940 Endpoint profiling is incorrect when two Cisco or Linksys routers are connected to a Multi-Domain Authentication (MDA) port. CSCul65329 ADclient cache is not cleared via the application configure ise command. CSCul82600 Unable to delete custom attribute even after deleting the linked authentication policy. CSCul86934 On executing the reset-config command, ISE Secure Shell (SSH) sessions are allowed only from allowed Internet Protocol (IP) access subnets. CSCul88799 Cisco Integrated Management Controller (CIMC) KVM console displays “Out of Range” against a green background, on entering the “terminal length X” command. Release Notes for Cisco Identity Services Engine, Release 1.2.x 42 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 9 Cisco ISE Patch Version 1.2.0.899-Patch 12 Open Caveats Caveat Description CSCul92356 Devices registered by Guest users fall into the Unknown group. CSCul94611 ISE Dashboard fails to display live consolidated and correlated statistical data. CSCul94858 Certificate Revocation List (CRL) retrieval does not use globally configured proxy server. CSCul95195 Custom Supplicant Provisioning Wizard (SPW) for Telstra RADIUS proxy with differentUserName and nonBroadCast options unchecked. CSCul96935 An hour difference between Graphical User Interface (GUI) and Command Line Interface (CLI) during daylight savings time. CSCum05014 ISE does not display endpoint profiling policies in the Graphical User Interface (GUI) CSCum41336 ISE reports fail on Network Control System (NCS) platform cross launch. CSCum41378 Static profile assignments to an endpoint Identity group for some devices are removed resulting in device reprofiling. CSCum46269 Active endpoints count on the dashboard does not match the actual active endpoints, when there is a surge of endpoints. CSCum48676 ISE 1.2 does not display information in the System Summary Applet on the dashboard if the Logging Category is set to a severity level other than INFO. CSCum49249 External RESTful Services (ERS) Application Programming Interface (API) does not list all endpoints as specified in the Software Development Kit (SDK) guide. CSCum53319 Diagnostics for failure to download the Certificate Revocation List (CRL) should be precise. CSCum58581 MAC OSX 10.9 device is not redirected to the Bring Your Own Device (BYOD) flow when using the guest device registration page. CSCum60924 Extensible Authentication Protocol (EAP) chaining mode does not allow more than one value for the EapAuthentication attribute. CSCum68149 The Live Authentication Report page does not display the accurate currenttime and currentdate attributes. CSCum69229 Create Random Accounts setting using Google Chrome does not display the desired results. CSCum70441 Incorrect value is displayed for the GET request sent to find the total internal users in ISE External RESTful Services (ERS) Application Programming Interface (API). CSCum72386 Endpoints delete all confirmation messages when “No” button is deactivated. CSCum73765 Profiling with SNMP v3 Query fails when triggered by SNMP trap/RADIUS Accounting probe. CSCum86183 Notifications for license expiry alarm are received from deregistered nodes. CSCum86331 ISE does not allow comma in Organizational unit name (OU) or Organization name (O) fields when creating a Certificate Signing Request (CSR). CSCum95069 Inline Posture Node (IPN) sends only username for authorization when Extensible Authentication Protocol (EAP) chaining is configured. CSCun00882 ISE does not create logs of erroneous usernames in the sponsored guest portal. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 43 Cisco ISE, Release 1.2.0.899 Patch Updates Table 9 Cisco ISE Patch Version 1.2.0.899-Patch 12 Open Caveats Caveat Description CSCun21197 In a simple authentication condition, if the operator “Ends with” or “Not ends with” is used, it is not saved properly. CSCun23340 Randomly created guest users are not displayed in Firefox. CSCun23357 Uploaded guest users are not displayed in Firefox. CSCun25832 Unable to activate expired guest accounts. CSCun28218 ISE: Java Memory Leak outside of Heap space. CSCun31175 Registered endpoint report does not include manually added devices. CSCun33755 Unable to create the required number of Guest accounts from the sponsor portal. CSCun33774 The status of a new guest user account that is created in the sponsor portal is Active instead of Awaiting Initial Login. CSCun42967 ISE 1.2: The SNMP process stops randomly. CSCun45607 ISE incorrectly authenticates users based on the authorization PAC file. CSCun46242 Deletion of the Thawte Primary Root CA from ISE results in failure of provisioning and posture updates. CSCun48940 ISE Radius authentication over Gig1 stops if Gig0 down. CSCun53951 ISE presents self-signed certificate instead of CA-signed certificate. CSCun57304 The KRON command is not working for backup logs. CSCun59740 ISE 1.2: Only 5000 entries are displayed when viewing Guest Live reports. CSCun81620 Editing a guest condition in PAN applies the same changes to the previously condition. CSCun89615 ISE duplicate attributes cause failure to locate network devices. CSCun89771 Running ISE reports for 30 days generates only up to 100 pages. CSCun92193 In Certificate Authentication Profile (CAP), ISE selects incorrect information from the SAN field for multiple entries. CSCun94882 ISE 1.2: Change of Network Device Group name does not reflect in CSV export. CSCun95554 The monitoring node stops logging for email notification configured on ISE. CSCun96746 ISE self registering guest users do not inherit specified time profile. CSCun97251 ISE 1.1.4: Cannot find machine with DNS suffix which does not exist on the Domain Controller Group List. CSCun98217 Cross-Domain referer leakage in Admin portal. CSCuo00404 ISE 1.2: ACL syntax checker is incorrect. CSCuo05180 Cannot authorize external certificate authenticated users by using the device's identity group as an “other condition”. CSCuo05345 Cannot match an Authorization policy rule configured with an “other condition” of IdentityGroup:Name. CSCuo14398 ISE 1.2: ISE disregards the current password policy when editing an internal user. CSCuo14953 ISE: MobileIron MDM test connection passes but Save fails. CSCuo16506 Internal users cannot change their password in the guest portal. Release Notes for Cisco Identity Services Engine, Release 1.2.x 44 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 9 Cisco ISE Patch Version 1.2.0.899-Patch 12 Open Caveats Caveat Description CSCuo19521 Repository in the WebGUI with special characters fails. CSCuo24274 SNMP should run in all interfaces not only in Gig0. CSCuo24384 ISE: Guest:Mobile Portal in Custom portals does not follow browser local language. CSCuo39832 ISE takes IP address from same subnet and has incorrect ARP entries. CSCuo41482 GUI admin Active Directory (AD) login fails with HTTP error 500. CSCuo41713 Identity Services Engine (ISE) 1.2: Installation of patch 5 in distributed deployment caused first time login users to go active. CSCuo54987 Identity Services Engine (ISE) does not drop Radius packet if value is too large for database. CSCuo58786 Authentication, authorization, and accounting (AAA) services not available during purging of guest users. CSCuo60767 Identity Services Engine (ISE) UTF-8 character encoding displayed garbage characters on screen for profiler attribute. CSCuo62245 Failed to purge data from the operations database. CSCuo63358 Incorrect success message being displayed, when provisioning Apple iOS Device through supplicant portal in Bring Your Own Device (BYOD) SSID. CSCuo64251 Unable to manage ISE AD user device as it does not show up in “My Devices” portal. CSCuo66847 When a user edits a saved scheduled report, it ceases to exist. CSCuo67423 Reconfiguring the IP address of an iPEP node with the service IP that was previously used results in missing tabs in high availability configuration. CSCuo68012 ISE services fail to start when time zone is set to Asia/Riyadh89. CSCuo78051 A custom portal setting is saved but the configured setting fails to reflect in the GUI. CSCuo78457 An SNMP probe that is configured to match a profile using the “CONTAINS” operator fails. CSCuo78949 Changing the password policy in the GUI of Primary PAP server does not change the password policy in the iPEP server. CSCuo79012 Unable to support SNMP triggered queries with NAD using iOS version with deprecated STACK-MIB. CSCuo80929 An “value too large” error message is displayed for guest usernames with special characters. CSCuo93398 Unable to integrate the Active Directory (AD) with ISE using the admin GUI. CSCuo94313 Unable to pull Lightweight Directory Access Protocol (LDAP) groups for admin/service accounts containing the “+” sign in the password. CSCuo95635 Change of Endpoint Device Group name appears correctly in the Identity Group Assignment option but fails in the Identity Group. CSCuo95660 Endpoints exported to comma-separated values (CSV) file displays an incorrect endpoint device group name. CSCuo97007 Failed to start database during initial setup for Identity Services Engine (ISE). Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 45 Cisco ISE, Release 1.2.0.899 Patch Updates Table 9 Cisco ISE Patch Version 1.2.0.899-Patch 12 Open Caveats Caveat Description CSCuo99160 Identity Services Engine (ISE) 1.2: Failed registration and GUI error thrown when Policy Service Node (PSN) failed to ping Primary Administration Node (PAN) during registration. CSCup03116 Identity Services Engine (ISE) 1.2: Editing NDG does not update AuthC/AuthZ conditions. CSCup05013 Identity Services Engine (ISE) 1.2: p8 IOS-XE switch profiled as unknown endpoint. CSCup08017 Accidental Ctrl + C should not break Restore/Upgrade during important operations. CSCup15453 Identity Services Engine (ISE) Guest Sponsor Mapping Report causes CPU on primary MnT node to increase dramatically. CSCup16700 Reset password does not check for valid user before asking for new password. CSCup17245 “Value our of range” error displayed when editing a guest account. CSCup20844 Identity Services Engine (ISE) NAC agent does not popup if machine and user authentication is connected to switch sw: 15.2(1)E. CSCup22534 Multiple vulnerabilities in OpenSSL/CiscoSSL released during June 2014. CSCup27305 Identity Services Engine (ISE) 1.2: DACL Validator does not enforce source must be “any”. CSCup32455 Identity Services Engine (ISE) 1.2: Password for admin user detected in clear text in the file support\dbexport\ise-dbimport.sh. CSCup38457 Importing guest account using comma-separated value (CSV) failed through sponsor portal. CSCup42129 Swiss/posture INFO logs filling ise-psc.log and not moving to DEBUG level. CSCup45530 Identity Services Engine (ISE) External RESTful Services (ERS): Cannot modify staticProfileAssignment field without specifying the endpoint's current profileId. CSCup45594 Identity Services Engine (ISE): External RADIUS server is not persistent after failover. CSCup47501 Identity Services Engine (ISE) 1.2.1: Inline Posture Enforcement (iPEP) node interface driver booting out of order with no response when cable remains plugged into interface Gig Etho. CSCup47873 Identity Services Engine (ISE) upgrade failed due to LOB corruption. (Please check on this LOB term) CSCup55211 Identity Services Engine (ISE) 1.2: Mobile Device Management (MDM) input Validation with % in password cannot login. CSCup57288 Bring Your Own Device (BYOD) DUAL SSID with native supplicant provisioning results in a second entry in the live authentication log. CSCup57871 ERS cannot filter by username, if it is a number. CSCup60155 Guest users are deleted when upgrading or restoring a backup from ISE 1.1.x to ISE 1.2.1. CSCup64698 On IPN ISE 1.2, latency is caused by HDPARM process for every 10 minutes. CSCup67195 While upgrading from ISE 1.2 to ISE 1.2.1, upgrade failure occurs in Step 3 due to invalid certificate. Release Notes for Cisco Identity Services Engine, Release 1.2.x 46 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 9 Cisco ISE Patch Version 1.2.0.899-Patch 12 Open Caveats Caveat Description CSCup69753 After deleting a profile in Simple Certificate Enrollment Protocol (SCEP), an error message is displayed when the associated Registration Authority (RA) certificate is removed. CSCup69985 ISE VM on which DB is restored is not accessible via SSH and GUI. Only ping and console are available. CSCup72664 In ISE 1.2, the guest account time profile is reset to one day. CSCup80194 ISE deletes VLAN to SGT mappings while deploying IP-to-SGT mapping. CSCup88564 Use a different name for a newly created time profile. When the old time profile is deleted, you cannot reuse the same time profile name for a newly created time profile. CSCup89812 Upgrade from ISE 1.1.2 to ISE 1.2 fails because of posture rules. CSCuq11966 Multi-nested custom profiles cannot be created. CSCuq14441 Replication fails on deployment when custom portal is deleted. CSCuq17787 ISE crashes when the value of Type Field Length is set to 2. CSCuq22514 In ISE 1.2, when the authorization and authentication policies are set to Monitor Only mode, the details of the policy names are not displayed. CSCuq22636 ISE does not ask for LLDP attributes for triggered RADIUS or SNMP traps. CSCuq24719 When upgrading to ISE 1.2 Patch 9, account start time is not updated in Sponsor portal. CSCuq32696 ISE Policy Service Node (PSN) removes proxy-state attributes from Inline Posture Node (IPN/IPEP). CSCuq35206 In ISE 1.2, the shutdown command is present in the running configuration of the interface while the interface is operational. CSCuq35663 Attribute retrieval for a user fails when AD sends back photo thumbnail. CSCuq39743 Import guest users on ISE using sponsor bypass mandatory fields. CSCuq40153 Quick filter option does not work when it is used to search endpoint profiles using a MAC address. CSCuq43889 IP address learned from SNMP query should trigger DNS probe. CSCuq45219 Renewing Ticket Granting Ticket (TGT) fails if there are Read Only (RO) domain controllers. CSCuq48588 Replace cross-signed thawte Primary Root CA with its normal version. CSCuq52277 Error occurs when there are too many node entries in Subject Alternative Name (SAN) field in CA certificate. CSCuq53846 A user logging in with an expired guest account is redirected to the default Cisco branded portal without displaying an error message. CSCuq64817 DB import fails in ISE 1.2. CSCuq83249 After upgrade from ISE 1.2 Patch 8 to ISE 1.2.1 Patch 1, guest user authentication fails if they login after the time profile validity time. CSCuq85679 Change of Authorization (CoA) is not sent from ISE to Wireless LAN Controller (WLC) for guest users. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 47 Cisco ISE, Release 1.2.0.899 Patch Updates Table 9 Cisco ISE Patch Version 1.2.0.899-Patch 12 Open Caveats Caveat Description CSCuq85955 For an LWA deployment, ISE sends CoA disconnect with empty session ID. CSCuq86420 Triggered SNMP Query via Radius traps not working. CSCuq90710 Posture policies are not listed after creation. CSCuq92558 PSNs move to Replication Stopped state when the application server does not start normally. CSCuq92574 In ISE 1.2.1, Bring Your Own Device (BYOD) profile installation fails. CSCuq93969 Authorization profile using CWA returns to default when static host is used. CSCuq95245 ISE 1.2, CoA fails when guest credentials are suspended in the Sponsor portal. CSCuq96971 In ISE 1.2.1, Framed-Pool attribute is not available in the authorization profile. CSCuq97996 MyDevices portal does not display MAC addresses added by the AD user. CSCur00110 Sponsor login fails when child user group is added as a guest in the sponsor group. CSCur03113 Local Web Authentication (LWA) language template is corrupted after upgrading to ISE 1.2.1. CSCur07303 ISE GUI 1.x (except ISE 1.3) does not allow to import more than 100 custom portals. CSCur09231 In ISE 1.2.1, if a sponsor account is configured to use Account Start Date, the sponsor creates an account even after that date. CSCur09439 SCEP EAP-TLS flow on OS X 10.9.5 fails to install the profile or provision certificate. CSCur11055 When running ISE 1.2.1, MNT Livelog does not display logs. CSCur11083 MNT Livelog displays incorrect user details. CSCur12480 In ISE 1.2.1 guest flow, redirection to the guest portal via PlayStation 3 browser fails. CSCur19320 Sponsor users who are not granted privileges are able to view and edit guest accounts using the search criteria. CSCur36291 Delay in BYOD Success Message In Mac OS X 10.10, there is a delay in the CoA after SPW and hence when the users click the Exit button, they do not get access. Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12 Table 10 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 12. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Starting from Release 1.2.0 patch 12, Cisco ISE supports MAC OSX Yosemite release 10.10. Patch 12 will not work with older versions of SPW and users need to upgrade their SPW. Release Notes for Cisco Identity Services Engine, Release 1.2.x 48 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. for instructions on how to apply the patch to your system. Table 10 Cisco ISE Patch Version 1.2.0.899-Patch 12 Resolved Caveats Caveat Description CSCul43926 Difficulty in reading the catalina.log. This fix addresses an issue in the Operations > Troubleshoot > Download Logs > Appliance node list page. When the Debug Logs tab was selected for the required node, the catalina.log file displayed the “work_pending_i: Interrupted system call” message. CSCum05562 Change of authorization (CoA) failed with Policy Sets. This fix addresses an issue in the Administration > System > Settings > Policy Sets page. The CoA associated with an endpoint profiling policy was not enabled when using policy sets. Workaround Disable policy sets or enable change of authorization (CoA) from monitoring node using fast reauthentication on switch. CSCum94858 Guest Sponsor Mapping report truncates the username. This fix addresses an issue in the Operations > Authentications > Reports > Endpoints and Users page. The Guest Sponsor Mapping report displayed the domain name but truncated the user name that appears after the ‘\’ character. CSCun04863 ISE sent alarms for expired advanced evaluation licenses. This fix addresses an issue where ISE sent alarms for expired advanced evaluation licenses, although, no advanced features were used. Workaround Disable license alarms. CSCun49379 Error in the custom Device Registration page redirects to the Login page. This fix addresses an issue in the Device Registration page. Instead of the ERROR_PAGE, guest users were redirected or mapped to the CUSTOM_LOGIN_PAGE when a wrong MAC address was encountered. CSCun66269 Data access permissions for role-based access control (RBAC) does not work for Locations selection. This fix addresses an issue when you create a custom group of users with a set of Data and Menu access RBAC permissions. The data access criteria selected for the Location access does not work with multiple rules set in the same hierarchy of network device groups. Workaround Create rules only for the low-level network device groups. CSCuo23637 ISE Role-Based Access Control (RBAC) policy failed to control the defined access policies. This fix addresses an issue in the Administration > Identifies Management > Identities > Users page. The access policies that were defined for a particular admin group were displayed for all User Identity Groups. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 49 Cisco ISE, Release 1.2.0.899 Patch Updates Table 10 Cisco ISE Patch Version 1.2.0.899-Patch 12 Resolved Caveats Caveat Description CSCup20586 Mix-up in the Extensible Authentication Protocol (EAP) and MAC Authentication Bypass (MAB) attributes for the same endpoint. This fix addresses an issue when there is simultaneous EAP and MAB authentication requests for the same endpoint with the same audit session ID. The two authentications share the same entry in the session cache and create a mix-up of attributes. CSCup62622 Default Sponsor Portal Fully Qualified Domain Name (FQDN) setting is changed to the FQDN of the Policy Service Node (PSN). This fix addresses an issue in the Administration > Web Portal Management > Settings > General > Ports > Portal FQDNs page. If the user changed the “Default Sponsor Portal FQDN” setting on the admin GUI, services were restarted on the PSN. On accessing the admin GUI of the PSN via an URL, the user was redirected to the sponsor portal. Workaround Contact the Cisco Technical Assistance Center (TAC). CSCup74180 Conditions defined for a Sponsor Group failed. This fix addresses an issue in the Administration > Web Portal Management > Sponsor Groups page. The Authorization Levels, Guest Roles, and Time Profiles set for a particular sponsor group failed. CSCup80994 ISE Policy Service Node (PSN) crashes due to network access device (NAD) missing shared secret. This fix addresses an issue when ISE app-svr crashed and Java core dump reported failure while trying to obtain the NAD IP address with missing shared secret configuration in ISE. Specifically, this occurred during dynamic authorization. Although, the wireless LAN controller (WLC) was configured in ISE without a shared secret, it continued to send the accounting information to ISE. Workaround Remove NAD from ISE or reconfigure shared secret. CSCup82816 Certificate is not issued for MAC OS X with wired and wireless in Native Supplicant Provisioning (NSP). CSCup96791 ISE 1.2 patch 9 breaks dashboard with Internet Explorer 9. This fix addresses an issue with security enhancements to Internet Explorer 9 browser cache, which results in an empty ISE Dashboard. Workaround • Use an alternative browser. • In Internet Explorer, navigate to Tools > Internet Options > Advanced. Scroll down and select the Do not save encrypted pages to disk option under Security and click Apply and OK. • Under the General tab, select Delete browsing history on exit option and click Apply and OK. Release Notes for Cisco Identity Services Engine, Release 1.2.x 50 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 10 Cisco ISE Patch Version 1.2.0.899-Patch 12 Resolved Caveats Caveat Description CSCup97085 Data unavailable for authentication details. This fix addresses an issue in the Operations >Authentications page. When the ISE admin user clicks the Details column for any event, an error stating “No Data Available for this record. Either the data is purged or authentication for this session record happened a week ago” was encountered. CSCup97097 Export Results report for total endpoints is inaccurate. This fix addresses an issue in the Home > Total Endpoints > Export Results page. The report failed to export all endpoints that were authenticated or profiled by ISE. Instead, the report displayed empty rows with the exception of the ENDPOINTPOLICY field. CSCup97125 ISE GUI crashes with HTTPS certificates without Enhanced Key Usage (EKU). This fix addresses an issue when HTTPS was enabled by operations such as, binding, importing, or editing certificates. If the certificates did not support Enhanced Key Usage (EKU) of ClientAuth, an error was reported. An error was also encountered by the Policy Administration Node (PAP). CSCuq05237 Change in the Network Access Users status failed to reflect in the Reports. This fix addresses an issue in the Operations > Reports > Deployment Status > Change Configuration Audit page. When the status of a network access user was either enabled or disabled, in the Administration > Identity Management > Identities > Users page, it failed to reflect the change in the Change Configuration Audit page. CSCuq07723 The Bring Your Own Device (BYOD) success page and Retry button do not display. This fix addresses an issue with MAC OS X and Windows OS when it failed to display the BYOD success page for a successful authentication. Also, it failed to display the Retry button when a user’s authentication failed. CSCuq19789 ISE fails to match Radius:service-type EQUALS authorize-only. This fix addresses an issue in an Inline Posture Node (IPN/IPEP) deployment. VPN users were not permitted to pass traffic after a successful VPN connection. This was encountered when the authorization policy of an IPEP node included a RADIUS server attribute. Workaround Use the same authorization policy for IPEP and the standard authorization profile. CSCuq29015 MAC agent does not support MAC OS X Yosemite version 10.10. This fix addresses an issue where the MAC Agent failed to support MAC OS X Yosemite version 10.10. CSCuq59006 Unable to install MAC SPW 1.0.0.26 in Wired MAC OS X version 10.7/8/9. This fix addresses an issue when the Network Setup Assistant failed to install MAC SPW 1.0.0.26 in Wired MAC OS X and displayed the Secure access configuration failed message. CSCuq74929 ISE 1.2 External Groups does not validate input properly. This fix addresses an issue in the Policy > Policy Elements > Conditions > Authorization > Compound Conditions page. An attribute that was selected from the Dictionaries list was truncated and appended with an ellipsis. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 51 Cisco ISE, Release 1.2.0.899 Patch Updates Table 10 Cisco ISE Patch Version 1.2.0.899-Patch 12 Resolved Caveats Caveat Description CSCuq75823 MAC Agent fails to validate server certificates in MAC 10.10. This fix addresses an issue when a MAC endpoint device on the network was denied access and an SSL certificate error was displayed. Workaround Created an intermediate MAC agent build 4.9.5.2 to bypass the ISE server certificate validation for MAC 10.10 users. CSCuq81835 ISE base/advanced license counts remains at the default value zero. This fix addresses an issue where the base and advanced licenses count did not match the number of active endpoints that were displayed in the dashboard and monitoring reports. Workaround Contact the Cisco Technical Assistance Center (TAC). CSCuq87920 MAC Agent provisioning is not supported in MAC 10.10. This fix addresses an issue when the MAC Agent 4.9.5.2 did not get installed in MAC 10.10 using Safari. CSCur00532 ISE evaluation for CVE-2014-6271 and CVE-2014-7169 (AKA ShellShock). This fix addresses an issue in ISE nodes that are SSH enabled. If SSH is enabled, a remote user with ISE CLI credentials will be able to exploit the vulnerability and run generic Linux commands. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html Workaround Disable SSH and reload ISE node as follows: ise1/admin# configure terminal ise1/admin(config)# no service sshd enable ise1/admin(config)# end ise1/admin# reload Save the current ADE-OS running configuration? (yes/no) [yes] ? yes Continue with reboot? [y/n] y Release Notes for Cisco Identity Services Engine, Release 1.2.x 52 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 10 Cisco ISE Patch Version 1.2.0.899-Patch 12 Resolved Caveats Caveat Description CSCur09439 ISE OS X 10.9.5 Simple Certificate Enrollment Protocol (SCEP) Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) flow fails. This fix addresses an issue where SCEP EAP-TLS flow fails to install the profile or provision certificate. CSCur17597 Users of some Identity Groups are not displayed. This fix addresses an issue in the Operations > Authentications page. Users belonging to Identity Groups containing an underscore character were not displayed. Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 11 Table 11 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 11. Patch 11 will not work with older versions of SPW and users need to upgrade their SPW. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. for instructions on how to apply the patch to your system. Table 11 Cisco ISE Patch Version 1.2.0.899-Patch 11 Resolved Caveats Caveat Description CSCuq01548 ISE posture dropped during Change of Authorization (CoA) due to invalid HTTP User-Agent [Trident 7.0]. This fix addresses an issue where a third-party User-Agent does not allow the download of the NAC agent. CSCuq02222 The Simple Network Management Protocol (SNMP) Query probe failed to discover endpoints using periodic polling. This fix addresses an issue where the ARP table failed to discover the MAC addresses of endpoints that were connected to a Catalyst switch using the SNMP Query probe. CSCup88315 Apple iOS 8 beta failing External Web Authentication (WebAuth) with ISE. This fix addresses an issue where Apple devices running iOS 8 beta software failed to complete external web authentication. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 53 Cisco ISE, Release 1.2.0.899 Patch Updates Table 11 Cisco ISE Patch Version 1.2.0.899-Patch 11 Resolved Caveats Caveat Description CSCul28451 RADIUS Accounting Report “Account Session Time” blank. This fix addresses an issue in the Operations > Reports > Auth Services Status > Radius Accounting page. In the click here for Accounting detail report option for the Stop Account Status Type, the Account Session field did not display the difference between a session’ start and stop time. CSCum41138 NAS IP Address showing MnT address in ISE live logs after CoA REST API. This fix addresses an issue in the Operations > Authentications > Show Live Authentications page. The NAS IP Address field failed to display the IP address of the network device, when Change of Authorization (CoA) was triggered via the Rest API. CSCun74636 OSX Mavericks is profiled as Apple device based on incorrect User-Agent. This fix addresses an issue where Cisco ISE failed to identify OSX Mavericks device based on the endpoint profiling policies. CSCun00427 ISE 1.2 match operator returns true when LHS is NULL and RHS is constant. This fix addresses an issue that occurred when there was a MATCHES operator in a rule/policy: if the LeftHandSide of the rule/policy was returning NULL value and the RightHandSide was CONSTANT, the operator was getting evaluated as TRUE. The operator is now evaluated as FALSE. CSCui08084 Guest user is not terminated on the switch when suspended via Edit Account. This fix addresses an issue with the Guest Account created using the Sponsor Portal. When suspending the Guest Account, the Account was suspended but the wired session on the switch was not terminated. CSCup79399 Cisco ISE-related reports return blank page while launching from PI. This fix addresses an issue where all Cisco ISE reports opened from Cisco Prime Infrastructure resulted in a “Web page not available” error. CSCuq26320 EAP-FAST authenticated provisioning with Android doesn't work This fix addresses an issue where EAP-FAST authentication for specific Android versions was not working. Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10 Table 12 lists the open issues in Cisco ISE 1.2.0 Patch 10 that may be resolved in other releases. Release Notes for Cisco Identity Services Engine, Release 1.2.x 54 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 12 Cisco ISE Patch Version 1.2.0.899-Patch 10 Open Caveats Caveat Description CSCup99724 Log displaying active endpoints does not get updated with the latest authenticated user. In the Operations > Authentications page, a user is authenticated and the username is updated in the Endpoints page. When a new user logs in from the same system, the new username is not updated in the Endpoints page. CSCuq11506 Deletion of repositories containing special characters in their passwords fail. In the System > Maintenance > Repository page, deleting a Repository Name that uses special characters, such as %, in the password encounters an error. Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10 Table 13 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 10. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. for instructions on how to apply the patch to your system. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 55 Cisco ISE, Release 1.2.0.899 Patch Updates Table 13 Cisco ISE Patch Version 1.2.0.899-Patch 10 Resolved Caveats Caveat Description CSCul21337 The Posture Troubleshooting tool was vulnerable to blind SQL injection. This fix addresses an issue where a vulnerability in the web framework of Cisco ISE may allow an attacker to impact the integrity by executing arbitrary SQL queries. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.5/5.4: https://intellishield.cisco.com/security/alertmanager/ cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:P/I:P/A:P/ E:F/RL:OF/RC:C CVE ID CVE-2014-3275 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/ CVE-2014-3275 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCul39011 The Mobile Device Management (MDM) client failed to reject queries when MDM server was not responding. This fix addresses an issue where timeouts were caused when the MDM server was not reachable during authorization policy evaluation. CSCul58758 Redirected to null page in the browser after Local Web Authentication (LWA) flow with WLC-5500 series. This fix addresses an issue where a guest user enters the username and password in the Guest Login page, but is not redirected to the specified URL. CSCul86970 GUI does not display the Allow only listed IP addresses option to connect. This fix addresses an issue in the Admin Access settings page, where the following option was not displayed in the UI: Allow only listed IP addresses to connect. CSCum37237 Insufficient permission error with bulk import of guest account. This fix addresses an issue where an error message was encountered when sponsors imported and printed guest usernames, formed from the guests email addresses. CSCum57372 NAS identifier does not appear the authentication details in the web UI. This fix addresses an issue where the Network Access Server (NAS) Identifier information did not appear in the Authentication Details page. CSCun28502 Sponsor, My Devices, and Guest portals does not have a defined character limit. This fix addresses an issue in the Administration > Web Portal Management > Settings page. The Sponsor, My Devices, and Guest portals contain the Language Template option. The Language Template option contains a list of configurations. The text fields in each configuration allow any one of the following character count: 128,512, 256, or 4000. An error message was displayed for specific fields, such as AUP and Notifications, when the character limit was above 4000 characters. Release Notes for Cisco Identity Services Engine, Release 1.2.x 56 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 13 Cisco ISE Patch Version 1.2.0.899-Patch 10 Resolved Caveats Caveat Description CSCun74285 ISE safe mode did not bypass admin portal certificate authentication. This fix addresses an issue where ISE safe mode did not bypass user certificate authentication and did not enable local admin credentials. CSCun74460 Incorrect Daylight Saving Time (DST) time zone offset in ISE affects remote syslog targets. This fix addresses an issue where the DST time zone offset was incorrect in the prrt log. CSCun84251 Error after application ise reset-config on 1.2.0.899 Patch 6. This fix addresses an issue where an error was found when the application reset-config ise command was run. CSCun94304 ISE RSA server configuration may fail to replicate to PSNs. This fix addresses an issue where the RSA configuration (sdconf.rec) did not load properly and data did not replicate from the PAP node to other nodes. CSCuo13099 ISE Sponsor, email ID used as username with space in it, throws an error. This fix addresses an issue where the guest user email IDs with spaces encountered an error when used in usernames. CSCuo39442 ISE 1.2 does not validate remote log target names. This fix addresses an issue where the Remote Logging Target names displayed in the Administration > System > Logging > Remote Logging Targets page reported the following error message: Name should not contain space(s) or any of the following characters: ! % ^ : ; , [ { | } ] \ ` " = ?. The above error message was displayed even though hyphen or period was used. CSCuo58919 Endpoint static group assignment toggles between true or false option every 55 seconds. This fix addresses an issue where the Static Group Assignment check box in the Administration > Identity Management > Identities > Endpoints page toggled between true or false value every 55 seconds. CSCuo63448 Modifying the ISE parent profile disables child profile. This fix addresses an issue where in the Profiling Policies page, on modifying a parent profile, endpoints failed to reach the correct profile policy. CSCuo75506 ISE authorization profile with Central WebAuth (CWA) and custom guest portal does not redirect to default settings. This fix addresses an issue where a CWA authorization profile was configured and if the CWA authorization profile was edited again, the changes were displayed only in the UI, but failed to reflect in the attributes. CSCuo88571 The IP release renew operation was not performed on Mac OSX devices. This fix addresses an issue where a user logged into the guest portal was unable to renew the IP address after clicking Accept in the Acceptable Use Policy (AUP) page. CSCup33018 Apple iOS 8 beta fails Native Supplicant Provisioning flow. This fix addresses an issue where with single or dual SSIDs, Apple devices running iOS 8 beta software failed to complete provisioning. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 57 Cisco ISE, Release 1.2.0.899 Patch Updates Table 13 Cisco ISE Patch Version 1.2.0.899-Patch 10 Resolved Caveats Caveat Description CSCup50216 ISE 1.2+ API update was overwritten by the profiler. This fix addresses an issue where the ERS API failed to update existing endpoints in static groups. CSCup51902 Exporting active endpoints does not work from the admin node. This fix addresses an issue where exporting active endpoints from a Cisco ISE server Administration node did not work. CSCup63424 Downloading software to effect release or renew of guest virtual LAN (VLAN) was not accomplished. This fix addresses an issue where the IP address release or renew operation in the VLAN release or renew page, was nonfunctional when it was not the latest version of the Java Applet. CSCup99806 Custom data access permissions were not working as expected. This fix addresses an issue where Custom data access permission did not work according to the mapped RBAC policy in the Network Device page. Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 9 Table 14 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 9. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. for instructions on how to apply the patch to your system. Table 14 Cisco ISE Patch Version 1.2.0.899-Patch 9 Resolved Caveats Caveat Description CSCty01787 Error in Generating XML Output for EndPointIPAddress API This fix addresses an issue where an internal error was displayed in the XML when calling the EndPointByIPAddress API for a given IP address appearing in the AuthSessionList. CSCui57100 EAP-TLS authentication fails with two sets of CRLs because CRL signature decrypt failed When Certificate Authority certificates are about to expire, an old and new version of the certificate can coexist on ISE to make sure there is no downtime for users. Both versions have their dedicated CRLs. This fix addresses an issue where ISE was not able to match the CRLs with the appropriate Certificate Authority certificate, which resulted in failed authentication with the message “CRL signature decrypt failure.” Release Notes for Cisco Identity Services Engine, Release 1.2.x 58 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 14 Cisco ISE Patch Version 1.2.0.899-Patch 9 Resolved Caveats Caveat Description CSCuj36104 ISE does not allow CRL when the name is the same on two Certificate Authorities This fix addresses an issue where an handshake error occurred because there were two issuing Certificate Authorities with the same exact name and ISE did not allow CRL checking on both certificates. CSCul25066 ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service This fix addresses an issue where customers upgrading to ISE 1.2 who had the Wireless Upgrade license to add advanced license functionality to their deployment received the following alert: “Feed Service error : The Advance License installed on the ISE nodes have been expired.” CSCul29344 ISE 1.2 HTML Custom Pages for Different Portals Not Working This fix addresses an issue where the sample HTML for custom Guest Portal pages provided in the user guide did not work correctly. CSCum29186 With Account Creation Time Zone Change Not Reflecting New Updated Allowed Time This fix addresses an issue where changing the time zone during Guest account creation was not reflected with the newly updated allowed time to login. CSCum54099 ISE Does Not Send Sponsor-related syslog Message to External syslog Server This fix addresses an issue where ISE did not send messages like 86008 or 86006 to the external syslog server. It only sent the 86028 messages. CSCum69410 ISE 1.2 CWA with DRW Included Doesn't Register Endpoint This fix addresses an issue where the endpoint DB didn’t indicate that an endpoint was registered after a CWA user entered their MAC address on the Guest Device Registration screen. CSCum85930 ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect This fix addresses an issue where custom CWA portal may not have loaded images or CSS as expected. CSCum88817 ISE 1.2 Logs Filled with Unnecessary License Validity Info This fix addresses an issue where ISE was logging license checks in INFO mode, which caused massive output in the log files. CSCum96035 This fix addresses an issue that occurred when a user typed in a password that violated the password policy on the default custom portal password-change page and the page refreshes instead of displaying an error message. CSCun15601 Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail This fix addresses an issue where the message “This is an invalid text message template. Contact your system administrator for assistance.” was shown while sending Guest account through Mail/SMS if the sponsor is CC’ed. CSCun36594 ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV This fix addresses an issue that occurred after importing endpoints from a CSV file where the “Endpoint Identity Group” was changed from the one specified in the file to Profiled. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 59 Cisco ISE, Release 1.2.0.899 Patch Updates Table 14 Cisco ISE Patch Version 1.2.0.899-Patch 9 Resolved Caveats Caveat Description CSCun41732 Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate is Present This fix addresses an issue where Cisco ISE could not load the complete Trusted certificate list when a corrupted certificate was present in the list. CSCun51094 Bulk Import of Guests by Sponsor Falls in Wrong Guest Role This fix addresses an issue where imported guest users always get the role of default Guest during a bulk import from the Sponsor portal. CSCun67719 Guest Portal: Error Message When Password Expired Confusing The Cisco ISE Guest portal provides a generic error for events such as guest user account expired and gives no information on the cause of the issue. CSCun68637 SNMP Query Fails to Complete during NMAP-triggered Probe This fix addresses an issue where an SNMP query failed to execute when it was triggered by an NMAP probe. CSCun93673 ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter This fix addresses an issue where exporting endpoints results in an empty file if you search using lower case letters. CSCun97606 ISE Roaming Authentication Failing This fix addresses an issue that occurred when attributes about endpoints differed from one PSN to another when using multiple PSNs for profiling or authentication. CSCuo32987 Endpoint Register Broken This fix addresses an issue where attempts at ERS API endpoint register end in HTTP 500 Internal Server Error. CSCuo34449 ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent This fix addresses an issue where a client application that initiated HTTP using User-Agent was not recognized by ISE, and triggered ISE to clear that session and send a Radius CoA Terminate command to NAD. Release Notes for Cisco Identity Services Engine, Release 1.2.x 60 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 14 Cisco ISE Patch Version 1.2.0.899-Patch 9 Resolved Caveats Caveat Description CSCuo56780 ISE RADIUS Service Denial of Service Vulnerability This fix addresses an issue where the RADIUS service may become unresponsive when receiving accounting packets from two different Network Access Servers (NASs). PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C CVE ID CVE-2014-3276 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-327 6 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCuo63892 CIAM: ISE-commons-fileupload-1-0 This fix addresses third-party software vulnerabilities. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 7.8: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. CVE ID CVE-2014-0050 have been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCuo73070 ISE 1.2 GUI Elements Missing Due to No Advanced License CSCuo76078 This fix addresses an issue where the error “No valid system license exists” appeared for the sponsor portal and guest portal after the installation of a Cisco ISE 1.2 Patch. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 61 Cisco ISE, Release 1.2.0.899 Patch Updates Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 8 New Plus License Cisco ISE, Release 1.2 Patch 8, includes the new Plus license. The Plus license provides the following services: • Bring Your Own Device (BYOD) • Profiling • Endpoint Protection Service (EPS) • TrustSec SGT The Advanced license provides access to the same features, as well as additional services. The Plus license does not include Base services. For more information, refer to the “Cisco ISE Licenses” chapter in the Cisco Identity Services Engine User Guide, Release 1.2. New Customize ISE 1.2 Web Portals HowTo Guide Learn how to customize Cisco ISE 1.2.x portals using this new HowTo guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-42-Customize_ISE12_Web_Po rtals.pdf New Sample HTML Files for Custom ISE 1.2.x Web Portals You can download the ISE12CustomPortalPackage-v#.zip file, which contains sample HTML files for customizing Cisco ISE 1.2 Web portals, at http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=2838 02505&release=1.2 Updated Cisco ISE 1.2.x User Guide The sample HTML code has been removed from Appendix D. Use the downloadable sample files and the new Customize Web Portals HowTo guide for information on creating custom Cisco ISE 1.2.x Web portals. You can find the updated user guide at http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide.html Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8 The following table lists the open issues in Cisco ISE 1.2.0 Patch 8 that may be resolved in other releases. Release Notes for Cisco Identity Services Engine, Release 1.2.x 62 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 15 Cisco ISE Patch Version 1.2.0.899-Patch 8 Open Caveats Caveat Description CSCun49379 If you enter an invalid MAC address on the default custom device registration page, the default login page is returned with an error message instead of the custom login page. CSCuo20069 Device Registration done through a custom portal does not allow user to continue after adding MAC addresses because it is missing the Continue button. Workaround Use the default portal. CSCuo27093 CSCup34046 The default custom portal is not in sync with some of the functionality of the default portal, including: 1. The Decline button on the custom AUP page is disabled. 2. Sessions are expired in less than 2 minutes. 3. Input validation is not working on the Login, Password Change, Self-Registration, and Device Registration Pages. 4. If you idle for a while after creating a guest on the Self Registration page, you are taken to the default portal login page. 5. The default custom portal’s Self Registration page does not show the optional fields set in Cisco ISE. It also does not apply the mandatory fields set in Cisco ISE. Example custom AUP and Guest_Success pages are not in sync for DRW flow. Workaround Validation cases. Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 8 Table 16 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 8. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. for instructions on how to apply the patch to your system. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 63 Cisco ISE, Release 1.2.0.899 Patch Updates Table 16 Cisco ISE Patch Version 1.2.0.899-Patch 8 Resolved Caveats Caveat Description CSCud89273 Passed Numbers Not Appearing on Authentications Dashlet This fix addresses an issue where the passed numbers were not appearing on the Authentications Dashlet when there were a large number of passed authentications. CSCuh79596 Freshly Installed Standalone ISE Server Not Logging MDM Events This fix addresses an issue where MDM events were not being recorded by monitoring components in freshly installed ISE 1.2 standalone deployments. CSCuj97669 DNS Resolution Failed for CNAME:"hostname" from the ISE node "hostname" This fix addresses an issue where the DNS name resolution failure alarm had the wrong description or context. CSCul10677 ISE 1.2 CWA Failure Reason 86017 This fix addresses an issue where a guest user was redirected back to guest login page after accepting the Acceptable Use Policy. The live log showed the failed attempt as 86017 error. CSCul55934 ISE 1.2 Cannot Delete Guest Users Created Using Unavailable Timezone Setting This fix addresses an issue where you could not delete guest user accounts that were created using the old timezone settings in 1.1.x after upgrading to 1.2. CSCum10047 Invalid Account Date When Changing Account Duration This fix addresses an issue where you couldn’t edit the Start/End duration for accounts on the sponsor portal. CSCum13453 ISE SYSLOG Parsing Failure when Forwarding to Third-Party SYSLOG This fix addresses a parsing error that occurred when trying to forward SYSLOG messages to a 3rd party SYSLOG server. CSCum40721 Optional Data Field Not Matching in Authorization Rules This fix addresses an issue where the client authentication for a guest user failed to match data in the “Optional Data Field” to the authorization rules. CSCum62918 ISE 1.2 Sample guest portal HTML files should be improved This fix addresses the issues with the sample Web portal examples using "static" examples instead of variables to populate the fields. CSCum82815 Acceptable Use Policy Page Shouldn't Be Presented if ISE Knows Session is Expired on Login This fix addresses an error where a user was presented with the Acceptable Use Policy page after their session had expired, only to be told that their session expired after accepting the AUP. CSCum82829 Cisco-branded Expiration Page Presented on Custom Portal This fix addresses an error where a user was redirected to the Cisco default guest portal expiration page after thier session expired instead of a custom expiration page. CSCun60443 No Dashboard or Live Logs for Long Time After Primary MnT Failure This fix addresses an issue where no dashboard or live logs were available for long time after the primary MnT failed in an ISE distributed deployment. Release Notes for Cisco Identity Services Engine, Release 1.2.x 64 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 16 Cisco ISE Patch Version 1.2.0.899-Patch 8 Resolved Caveats Caveat Description CSCun61928 Not All Authorization Profiles are Recognized by Runtime This fix addresses an issue where an error message was displayed stating that ISE could not find selected Authorization Profiles because ISE was unable to load all of the selected profiles from the database. CSCuo02708 ERS Port Should Not Request Client Certificate This fix addresses an issue where ISE requested a client certificate when a HTTP request was sent to the ERS port (9060). CSCuo04860 Raise Alarms for EAP Session and Context Limits This fix adds an MnT alarm when ISE reaches EAP session and context limits. CSCuo16503 ISE 1.2 Patch 7 AD Sponsor Created Guest Users Cannot Log In This fix addresses an issue where guest users created with a Sponsor holding their credentials on Active Directory could not log in. Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 7 Table 17 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 7. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 17 Cisco ISE Patch Version 1.2.0.899-Patch 7 Resolved Caveats Caveat Description CSCtx94533 The Endpoint DeviceRegistrationStatus Attribute Always Shows “Pending” This fix addresses an issue where devices stayed in “Pending” status when client provisioning policy was not available and the endpoint already existed in the database. CSCty87291 Admin Web Portal Requests ID certification When It’s Password authentication-only This fix addresses an issue where web browsers prompted for an ID certificate when navigating to ISE admin web portals, although no certification authentication was configured for admin users. CSCuh41450 IP Columns Sort on Char on Network Devices Page This fix addresses an issue where the IP columns on the Network Devices page sorted on char, not varchar, which lead to incorrect sorting. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 65 Cisco ISE, Release 1.2.0.899 Patch Updates Table 17 Cisco ISE Patch Version 1.2.0.899-Patch 7 Resolved Caveats Caveat Description CSCui15038 ISE HTTP control interface for NAC Web Agent XSS Vulnerability This fix addresses an issue where, due to insufficient input validation, a cross-site scripting (XSS) vulnerability was present in the naccontrol web application of Cisco Identity Services Engine (ISE). PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C CVE ID CVE-2014-0680 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-068 0 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCui15064 Certain ISE Reports Vulnerable to XSS Injection This fix addresses an issue where certain report pages within the Cisco Identity Services Engine (ISE) administration interface were subject to a cross-site scripting (XSS) vulnerability. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C CVE ID CVE-2014-0681 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-068 1 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCui21839 “Export Endpoints” Creates Empty File When Quick Filter is On This fix addresses an issue where the Export Endpoints function created empty files when the quick or advanced filter was on and used a non alphanumeric character (i.e. :,.). CSCui78135 On Alpha Alarms Still Show Up When We Select All and Acknowledge This fix addresses an issue where Alpha Alarms still showed up even though the user selected all the alarms and acknowledged them. Release Notes for Cisco Identity Services Engine, Release 1.2.x 66 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 17 Cisco ISE Patch Version 1.2.0.899-Patch 7 Resolved Caveats Caveat Description CSCui82998 Custom Guest Portal Loops after AUP Due to Loss of Session ID This fix addresses an issue where, due to the custom guest portal, a user received a 404 message or was looped back to the portal’s login page after accepting the AUP. CSCui96322 Default Guest Portal Email Address Limited to 24 Characters This fix addresses an issue where the default guest portal limited email addresses to 24 characters. CSCuj07535 IP Address Change is Not Recorded in Endpoint Profile on ISE 1.2 This fix addresses an issue where a change in the IP address was not recorded in an endpoint profile. CSCuj11040 ISE Should Not Degrade a Profile Based on Problematic User-Agent CSCum97337 This fix addresses an issue where iPads were not profiled as iPads, but as Apple-device only, due to an application sending a HTTP packet with a user-agent field of “MobileAsset/1.0” which downgrades the profile in ISE to “Apple-device.” CSCuj25038 ERS Service Disabled After Reboot This fix addresses an issue where the ERS API was disabled after reboot, even though it was enabled before the reboot and the configuration was saved using “write mem.” CSCuj36310 “@” Character Not Accepted in Wireless SSIDs Fields This fix addresses an issue where ISE did not allow the use of the @ character in wireless SSID fields. CSCuj66093 86017 Error page sessionExpired.jsp images links are invalid This fix addresses an issue where the sessionExpired.jsp page (the page that is displayed after error 86017, where a guest user tried to authenticate using an expired sessionID) image links were broken. CSCul03597 LDAP User Authorization Doesn't Work with EAP-FAST Chaining This fix addresses an issue where LDAP user authorization didn’t work with EAP-FAST chaining. CSCul35820 ISE Guest Registration Breaks with Apple IOS7 User Name as Emil Address This fix addresses an issue where the ISE Guest registration process had issues with Apple iOS 7 using an Emil address for the username instead of the first and last name. CSCul66272 Terminate Change of Authorization during Posture for Unknown User-agent DynGate This fix addresses an issue where the NAC Agent got stuck in a posture loop due to the TeamViewer application by DynGate. CSCul77793 Scheduled Reports Not Exported When Using Illegal Character as a Report Name This fix addresses an issue where you couldn’t export a schedule report if an illegal character (i.e., ~%<>) was used as the report name. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 67 Cisco ISE, Release 1.2.0.899 Patch Updates Table 17 Cisco ISE Patch Version 1.2.0.899-Patch 7 Resolved Caveats Caveat Description CSCul84544 Retrieval of Active Directory Groups or Attributes from GUI is Failing This fix addresses an issue where the user was unable to fetch Groups and/or attributes from Active Directory on the ISE GUI. CSCul87300 Special Character in LDAP password is not read correctly by ISE This fix addresses an issue where LDAP authentication and/or group fetch failed when the admin/service account password had special characters, especially double quotation marks. CSCum26362 Authentications Details are Missing All the Required Data This fix addresses an issue where the Authentication details page was missing data, such as Authentication Protocol, Authentication method, Network device and service type data. CSCum60627 Client EAP Sessions Never Get Cleared This fix addresses an issue where an EAP session would leak when ISE retransmitted the last RADIUS message in response to duplicate packet from NAS, and then the client (NAS or supplicant) dropped the conversation. CSCum77223 Increase Maximum Login Failures for Guest This patch allows you to increase the number of maximum login failures for guest users. You can select the maximum number of login failures from a range between 1 and 999. Guest users are also redirected to the Custom Portal login page after exceeding maximum login failures if the Custom portal is in use. CSCum86347 ISE Guest Start and Expiration Dates Don't Reflect Sponsor Portal Time Zone This fix addresses an issue where the guest start and expiration dates did not reflect the time zone configured in the sponsor portal settings. CSCum93050 Patch info not shown in CLI and GUI after installing from CLI This fix addresses and issue where the patch information was not shown in the Cisco ISE CLI and GUI after installing the Cisco ISE, Release 1.2 patch from the CLI. CSCum92155 ISE REST API (ERS) - PUT Update Request Removes identityGroups Value This fix addresses an issue where the identityGroups value was removed when you updated any value using a PUT method via the ISE REST API (ERS). CSCun00215 ISE RSA Agent Exhausted Under Heavy Load This fix addresses an issue where the RSA agent became unresponsive due to a very large number of simultaneous PAP requests. CSCun08410 Guest Account’s Start and End Time Validated Against System Time Zone This fix addresses an issue where an error message is displayed if the start and end time for a guest user’s account uses a time zone that’s earlier than the system’s time zone. Release Notes for Cisco Identity Services Engine, Release 1.2.x 68 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 17 Cisco ISE Patch Version 1.2.0.899-Patch 7 Resolved Caveats Caveat Description CSCun11240 Guest Sponsor Mapping Report Incorrectly Changes Sponsor This fix addresses an issue where a Guest Sponsor Mapping Report showed the Sponsor as GuestAction instead of the sponsor who created the account. CSCun25178 Fetching Group Information Takes a Long Time Because of SIDHistory This fix addresses an issue where Cisco ISE failed to resolve SIDHistory to group names if the SIDHistory belonged to a trusted domain/forest. The large number of SIDHistory values in the user's token used to cause long delay (2-5 minutes) during user authentication. Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 6 Table 18 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 6. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 18 Cisco ISE Patch Version 1.2.0.899-Patch 6 Resolved Caveats Caveat Description CSCud38634 Guest sponsor details shows wrong sponsor name This fix addresses an issue where the username shown as the Sponsor was the username of the Guest when viewing Guest Sponsor Details from a report. CSCud70219 Log.xml files are not cleaned out regularly This fix addresses an issue where /opt/oracle/base/diag/rdbms/cpm10/cpm10/alert folder filled up with log XML files and caused the hard drive to fill up. CSCuf76821 .trc and .trm files are not cleaned out regularly This fix addresses an issue where the /opt/oracle/base/diag/rdbms/cpm10/cpm10/trace folder filled up with *.trc and *.trm files and caused the hard drive to fill up. CSCug96069 Replication status update fails for all nodes if the network is restored on PAP This fix addresses an issue in large scale deployments where the status of one or more PSN nodes was shown as 'Replication Stopped' and the data was not published or replicated to other PSN nodes from the PAN node. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 69 Cisco ISE, Release 1.2.0.899 Patch Updates Table 18 Cisco ISE Patch Version 1.2.0.899-Patch 6 Resolved Caveats Caveat Description CSCui40950 Guest login takes long time and times out This fix addresses an issue where a guest login could take a long time and then times out after 5 minutes. CSCui57882 Some expired guest accounts cannot be deleted from PDP This fix addresses an issue where some expired guests accounts could not be deleted from the sponsor portal. CSCui57933 Purge expired guest accounts does not work This fix addresses an issue where some accounts were in a state where they could not be deleted due to incorrect attributes. CSCui57961 When editing an expired guest account that cannot be deleted, logs out This fix addresses an issue where the UI logged you out with error “You do not have sufficient permission to access this page” when editing an expired guest account that cannot be deleted. CSCui72658 Guest Portal cookies not set as Secure or HTTP Only This fix addresses an issue where the JSESSIONID cookie used in the Guest Portal is not set to Secure or set as HTTP Only. CSCuj01781 ISE uses SAN of user certificate for machine lookup in Active Directory This fix addresses an issue where machine lookup in Active Directory failed during EAP-chaining authentication if both machine and user were authenticated with EAP-TLS and principal Username X509 Attribute is configured to SAN. CSCuj13804 IE8 gives error on ISE1.2 when accessing the provisioning portal This fix addresses an issue where Internet Explorer 8 on Windows XP displayed an error when you tried to open the client provisioning portal. CSCuj26086 ISE Client Provisioning - NSP does not launch on Safari 7 (Mac OS X 10.9) CSCuj80131 Java Applet fails to install SPW/Agent from Client Provisioning page on Safari browser version 7 available with Mac OSX 10.9. Patch 6 addresses this issue by displaying a message on the login page with instructions on how to configure Safari to allow the Java applet to install. Before clicking Click to Install Agent, go to: Safari->Preferences->Security->Manage Website Settings->Java->Click on your ISE URL->Run in unsafe mode. Release Notes for Cisco Identity Services Engine, Release 1.2.x 70 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 18 Cisco ISE Patch Version 1.2.0.899-Patch 6 Resolved Caveats Caveat Description CSCuj34004 User name change detected for the session removes all session attributes When using Machine authentication followed by user authentication, changing the username will remove attributes for the session from the cache, including the attributes in the whitelist category. This would result in authorization evaluation failure where the first user authentication falls into the wrong authorization profile. if there is a username change on the session, this cleans up all the session attributes including the ones that are in whitelist category (attrsToKeep).This can result in authz evaluation failure where the first user authentication falls into the wrong authz profile. This fix addresses this issue by re-initializing the default attributes with their default values. CSCuj38204 ISE does not allow access for guest with no webagent if posture is configured This fix addresses an issue where Cisco ISE did not allow access for guest with no NAC web agent if posture is configured. CSCuj47806 ISE redirects to default guest pages when it’s configured to redirect to custom pages This fix addresses an issue where the browser renders the initial login page when the user enters the wrong username/password instead of the custom error.html page. CSCuj49903 Downloading / viewing large log files from PDP causes out of memory error This fix addresses an issue where downloading or viewing large log files from PDP caused out of memory error. CSCuj84427 ISE 1.2 Admin password alerts not functioning properly This fix addresses an issue where admin password alerts were being sent earlier than the Password Policy setting specified. CSCul02821 MDM attributes doesn't update to Endpoint objective This fix addresses an issue in Cisco ISE where the MDM can't update into endpoint objective at ISE GUI. CSCul48352 Right-Click - Copy to MAC and Username in Live Log This fix addresses an issue where items in the Live Log grid are not selectable enabled by default. Therefore, the user could not select and copy out live log grid cell content. The MAC address and Username columns in the Live Log grid can now be selected and copied using a right-click. CSCul50495 Device Registration failed with Cisco Catalyst 3850 Switch This fix addresses an issue where the Device Registration page displayed an error message when working with the Cisco Catalyst 3850 Switch. CSCul50720 Samsung Galaxy S4 cannot be on-boarded in dual SSID flow This fix addresses an issue where Android devices, including the Samsung Galaxy S4, that did not contain “Linux” in their user-agent string were not on-boarded in dual SSID flow. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 71 Cisco ISE, Release 1.2.0.899 Patch Updates Table 18 Cisco ISE Patch Version 1.2.0.899-Patch 6 Resolved Caveats Caveat Description CSCul58895 ISE 1.2 Patch 3 StartEnd time profiles do not work for guest import This fix addresses an issue where importing guests using the Import Accounts Option on the Sponsor Portal using a csv file failed on ISE 1.2 patch 3 to an invalid format for the date. CSCul62175 ISE BYOD enhancement troubleshooting for SCEP Cisco ISE 1.2 Patch 6 adds logging for Certificate provisioning. This includes interaction messages with the SCEP server. CSCul65045 Cannot create/edit network device if advanced license expired This fix addresses an issue where ISE refused to accept new changes to existing network devices or add new ones if the advanced evaluation license expired, even if you did not use any of the advanced feature set. CSCul66218 Posture delays due to HTTP thread exhaustion This fix addresses an issue where the NAC Agent took a few minutes to load into the system tray after logging into Windows and then took up to 10 minutes to pop and complete posture assessment. CSCul71176 Endpoints manually assigned to identity groups might change groups randomly This fix addresses an issue where endpoints that were manually assigned to an identity group would sometimes randomly show up belonging to another identity group if profiling is enabled. CSCul71532 XML external entity injection found under ERS This fix addresses an issue where ERS was vulnerable to XML injection attacks using the DOCTYPE and ENTITY meta data tags in the XML sent in ERS request. CSCul77732 Warning message while creating Guest user with hyphen in Self Registration This fix addresses an issue where the Self Registration page displayed an error message if the guest’s first name or last name included a hyphen. CSCul82658 “Strip prefixes listed below” for Active Directory in GUI is a typo This fix addresses an issue where the Advanced Settings page for Active Directory in the GUI has a typo that says “Strip prefixes listed below” when it should be “suffixes” instead of “prefixes.” This has been corrected. CSCum01290 MDM Integration Not Working With ISE 1.2 Patch 3 and Patch 4 This fix addresses an issue where MDM enrollment failed while running ISE 1.2 patch 3 or patch 4. Upon redirect to the ISE MDM portal, clients were immediately presented with an error related to "The MDM system is not reachable at this time" even when the MDM server was reachable. MDM logging to ise-psc.log was missing key server response and connection failed syslog info when running the patch. Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 5 Table 19 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 5. Release Notes for Cisco Identity Services Engine, Release 1.2.x 72 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. for instructions on how to apply the patch to your system. Note Please be aware that applying patch 5 to Cisco ISE 1.2 will reboot the nodes on which it is installed. Please make sure you carry out this activity in a maintenance window with a downtime. Cisco ISE 1.2 will also reboot if you revert from patch 5 to an earlier version. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 19 Cisco ISE Patch Version 1.2.0.899-Patch 5 Resolved Caveats Caveat Description CSCub18575 Problem with sponsor accounts starting with a "0" This patch fixes an issue where you could not log into the Sponsor Portal with an account that started with the number 0. CSCuf24898 ISE repository max password length 16 characters This fix addresses an issue where FTP / SFTP repository access failed when the user password was larger than 16 characters. CSCug20065 Unable to enforce RBAC as desired to a custom administrator This fix addresses an issue where a user, who only has permissions to a custom endpoint identity group, is unable to add, modify, or delete identities unless the entire identities are visible to him. CSCuh25506 Cisco ISE CSRF Vulnerability This fix addresses an issue where CSRF protection did not work for some of the web pages and an attacker could exploit this issue to perform CSRF attack against the users of the web interface. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C CVE ID CVE-2013-3420 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-342 0 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 73 Cisco ISE, Release 1.2.0.899 Patch Updates Table 19 Cisco ISE Patch Version 1.2.0.899-Patch 5 Resolved Caveats Caveat Description CSCui30266 ISE MDM Portal Cross-Site Scripting Vulnerability This fix addresses an issue where the Mobile Device Management (MDM) portal of Cisco Identity Services Engine (ISE) was vulnerable to a cross-site scripting (XSS) attack. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C CVE ID has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-550 4 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCui46739 Guest applet fails after update to Java 7 update 25 This patch addresses an issue where both Guest Authentication and Supplicant Provisioning failed due to Java 7 update 25’s CRL check feature. To disable the CRL check feature: 1. Allow the CRL check through the Redirect ACL, Port ACL and any Firewall in place. 2. Clear the checkbox for the CRL check in the Java Control Panel: • OS X: System Preferences > Java Advanced > Perform certificate revocation using1: Change to 'Do not check (not recommended)' • Windows: Control Panel > Java Advanced > Perform certificate revocation using: Change to 'Do not check (not recommended)' Release Notes for Cisco Identity Services Engine, Release 1.2.x 74 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 19 Cisco ISE Patch Version 1.2.0.899-Patch 5 Resolved Caveats Caveat Description CSCui67495 Uploaded Filenames/Content Not Properly Sanitized This fix addresses an issue where filenames and content uploaded to Cisco Identity Services Engine (ISE) was not filtered/sanitized effectively. This could have resulted in a file of incorrect type being uploaded to ISE or the filename leading to a potential cross-site scripting (XSS) issue. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:L/Au:S/C:N/I:P/A:N/E:H/RL:U/RC:C CVE ID CVE-2013-5541 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-554 1 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCui67511 Certain File Types are not Filtered and are Executable This fix addresses an issue where, due to insufficient filtering and access control, potentially malicious file types could have been uploaded to, and executed within, the Cisco Identity Services Engine (ISE) web interface. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:U/RC:C CVE ID CVE-2013-5539 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-553 9 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCui72269 ISE unable to understand SNMP attribute coming from Switch This fix addresses an issue where Cisco ISE was unable to handle a bad attribute in an SNMPT query coming from a switch, which caused high CPU cycles on PAP node. CSCuj48111 Hyphen and minus sign can't be entered as first or last name This fix addresses an issue where a guest sponsor was unable to enter a hyphen or minus as part of a first or last name while entering a guest’s account information. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 75 Cisco ISE, Release 1.2.0.899 Patch Updates Table 19 Cisco ISE Patch Version 1.2.0.899-Patch 5 Resolved Caveats Caveat Description CSCuj61976 Admin UI fails to display certain UI pages when using Firefox 25 This fix addresses an issue where ISE admin UI pages with a tree view were not displayed correctly in Firefox 25. CSCuj84194 ISE sometimes does not send DACL in authorization profile This fix addresses an issue where ISE sometimes did not send DACL in an authorization profile. CSCuj98726 iOS devices bypass account suspension/lock by starting new EAP session This fix addresses an issue where an iOS device can bypass account suspension/lock even it is enabled, due to it being reported as '5440 Endpoint abandoned EAP session and started new' instead of using a wrong password. CSCul02860 Struts Action Mapper Vulnerability Previous versions of ISE Cisco ISE included a version of Apache Struts that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2013-4310 Cisco has analyzed these vulnerabilities and concluded that the product is not impacted, however the affected component has been updated as harden measure. PSIRT Evaluation The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact [email protected] for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html Release Notes for Cisco Identity Services Engine, Release 1.2.x 76 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 19 Cisco ISE Patch Version 1.2.0.899-Patch 5 Resolved Caveats Caveat Description CSCul03127 Struts 2 Dynamic Method Invocation Vulnerability Previous versions of Cisco ISE included a version of Apache Struts2 that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs: CVE-2013-4316 PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C CVE ID CVE-2013-4316 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCul03621 Endpoint Profiling Information is not being replicated correctly This fix addresses an issue where Endpoint Profiling Information was not replicated on the PSN that was not doing the profiling. CSCul06431 Active Directory attribute value in ATZ profile is not sent This fix addresses an issue where an Active Directory attribute was not sent to the client as part of an ATZ profile. CSCul13757 Audit records MUST log to External Syslog Servers: CLI log level This fix addresses an issue where any configured External Syslog servers failed to receive audit records after using the command line interface (CLI) commands to change the log level to any of the following levels: 2, 3, 4, 5, 6 or 7. CSCul13805 Audit records MUST log to External Syslog Servers: HTTPS idle timeout This fix addresses an issue where External Syslog Servers failed to receive an audit record in the case of HTTPS Admin GUI idle session timeout occurs and auditable events could only be seen locally by setting the Debug Log Configuration for admin-infra and infrastructure to DEBUG level. CSCul13812 Audit records MUST log to External Syslog servers: SSH publickey This fix addresses an issue where SSH server authentication using the publickey authentication method fails to record an audit log and failed connecting to External Syslog Servers. CSCul13883 Audit records MUST log to External Syslog servers: SSH KEX Group14 This fix addresses an issue where Configured External Secure Syslog servers failed to receive audit events for the administration configuration of SSH server enforcement requiring diffie-hellman-group14-sha1 key exchange algorithm in order to successfully connect. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 77 Cisco ISE, Release 1.2.0.899 Patch Updates Table 19 Cisco ISE Patch Version 1.2.0.899-Patch 5 Resolved Caveats Caveat Description CSCul13905 Audit records MUST log to External Syslog Servers: CLI clock set This fix addresses an issue where no audit logs were recorded for changing the system clock via the CLI. CSCul13946 Audit records MUST log to External Syslog servers: Purge M&T Data This fix addresses an issue where no audit logs were recorded after purging M&T operational data using the CLI command. CSCul15967 ISE 1.2 Patch 3 Windows 8.1 CPP OS Detection Failure in Distributed Setup This fix addresses an issue in the ISE 1.2 patch 3 where Windows 8.1 clients received an error on secondary PSNs after a CPP redirect. CSCul16300 Audit records MUST log to External Syslog servers: CLI idle timeout This fix addresses an issue where External Syslog Servers fail to receive the audit syslog event when command line interface (CLI) connections are closed due to idle session timeout. CSCul18169 Blocking ISE admin UI access for Chrome browser This fix addresses some issues that blocked Chrome browsers from using the ISE admin UI. CSCul18521 Audit records MUST log to External Syslog servers: VGA CLI AUTHC This fix addresses an issue where External Syslog Servers fail to receive audit syslog events for administrative CLI logins on a VGA console. CSCul18555 Audit records MUST log to External Syslog servers: SSH conn fail This fix addresses an issue where External Syslog Servers fail to receive audit syslog events for common SSH connection failures. CSCul23070 Audit records MUST log to External Syslog Servers: SSH exit forceout CSCul23252 This fix addresses an issue where External Syslog Servers fail to receive audit syslog events for CLI exit and forceout commands. CSCul42646 Failed to create Posture Condition with "NOT ENDS WITH" Operator This fix addresses an issue where creating a Posture condition with an NOT ENDS WITH operator resulted in an error. CSCul46893 URL preservation not working with self service guest user in MAB flow This fix addresses an issue where, after connecting to a wired MAB and creating a guest account, the user’s browser did not redirect to the URL that they originally attempted to access. CSCul58758 Redirecting to 'null' page in the browser after LWA flow with WLC-5500 This fix addresses an issue where connecting to the Guest Wireless LWA flow using a Windows client machine resulted in a guest account getting redirected to a "null" page in the browser window instead of original URL. Release Notes for Cisco Identity Services Engine, Release 1.2.x 78 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 4 Automatic Update of Compliance Module on Mac OS X Clients Starting from Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 4, the Cisco NAC Agent supports automatic update of the Compliance Module on Mac OS X clients. Ensure that you have installed the Mac OS X Agent version 4.9.4.1 or later so that the Compliance Module gets updated automatically. Refer to Cisco ISE Installation Files, Updates, and Client Resources, page 24 for more information on automatic updates. See Also CSCui83009, page 80. Domain Stripping for Active Directory Starting from Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 4, you can strip prefixes or suffixes from user names when Active Directory is used as External Identity Source. You can configure the prefixes or suffixes to be stripped from the user names by navigating to Administration > Identity Management > External Identity Sources > Active Directory > Advanced Settings. Refer to the “Configuring Active Directory as an External Identity Source” section in the Cisco Identity Services Engine User Guide, Release 1.2 for more information. See Also CSCuj95908, page 81. Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 4 Table 20 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 4. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 79 Cisco ISE, Release 1.2.0.899 Patch Updates Table 20 Cisco ISE Patch Version 1.2.0.899-Patch 4 Resolved Caveats Caveat Description CSCug90502 ISE Blind SQL Injection Vulnerability This fix addresses an issue where the Cisco Identity Services Engine (ISE) was vulnerable to blind SQL injection. This could allow a remote, authenticated user to modify information in the database. PSIRT Evaluation The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6/5.4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:U/RC:C CVE ID CVE-2013-5525 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-552 5 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCuh84099 ISE should verify non-printable characters in x.509 certificates This fix addresses an issue where ISE was unable to add any endpoints and threw exceptions due to the import of x.509 certificates with non-printable characters. CSCui22884 ISE presents wrong HTTPS certificate This fix addresses an issue where ISE presented an old HTTPS certificate when user accesses the admin or sponsor GUI even though it has been configured to use a new imported certificate for HTTPS. CSCui83009 Unable to push compliance module to NAC agent on Macs Fixed an issue where ISE did not push the latest compliance modules to the NAC agent for Macs on the fly like it does with the Windows version. CSCui94488 MyDevice Portal allows endpoints with static endpoint ID group other than RegisteredDevices This fix addresses an issue where ISE MyDevice Portal is allowed employees to register existing endpoints with a static group assignment other than RegisteredDevices, unless the endpoints already associated with another PortalUser. CSCuj03131 Lower "Request Rejection Interval" minimum to 5 minutes The minimum length of time for the “Request Rejection Interval” for RADIUS has been lowered to 5 minutes. CSCuj28968 Guest Activity Report is not working This fix addresses an issue where the Guest Activity report was blank. CSCuj39926 Kaspersky remediation does not appear anymore in the AV remediation This fix addresses an issue where Kaspersky remediation did not appear for AV remediation (Posture Results). Release Notes for Cisco Identity Services Engine, Release 1.2.x 80 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 20 Cisco ISE Patch Version 1.2.0.899-Patch 4 Resolved Caveats Caveat Description CSCuj62435 ISE 1.2 TrendMicro not listed for AV Remediation This fix addresses an issue where Trend Micro was not seen in the AV vendor list when creating an AV Remediation. CSCuj63046 Text fields impose 24 character limit during guest self-registration This fix addresses an issue where guest users could not enter information into the boxes on the Self Registration page in excess of 24 characters. CSCuj72022 Cannot use "Ends With" operator in a Posture condition on ISE This fix addresses an error that occurred when the user attempted to create a Posture rule using the ENDS WITH logical operator. CSCuj90823 Guest Portal: IP Refresh Failing in IE 11 This fix addresses an issue where IP Refresh was not working properly in the Guest Portal due to ActiveX in Internet Explorer 11 for Windows 8. CSCuj91050 Creating Guest users shows incorrect timezone 'GMT+2 ECT' This fix addresses an issue where Guest user would fail to login with the following error due to an incorrect time zone being assigned to the account: "An internal error occurred. Contact your system administrator for assistance. Contact your system administrator." CSCuj95908 ISE does not do domain stripping for Active Directory external store This fix addresses an issue where ISE did not allow the modification of the domain name before authentication when the external identity store used is Active Directory. CSCul62723 Mobile Guest Portal: Success page redirects to http://10.86.149.92 This fix addresses an issue where the success page on the Mobile Guest Portal redirected the guest to http://10.86.149.92. CSCuh94133 NAC agent with ISE slowly leaking memory after posture This fix addresses the issue where there was a memory leakage in the client machine when NAC Agent was connected to Cisco ISE after posture. Support for Windows 8.1 and Mac OS X 10.9 in Cisco ISE Version 1.2.0.899—Cumulative Patch 3 ISE 1.2 Patch 3 supports clients using the Windows 8.1 and Mac OS X 10.9 operating systems. Please see Open Caveats, page 91 for a workaround for client provisioning using Safari 7 in Mac OS X 10.9. Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 3 Table 21 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 3. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 81 Cisco ISE, Release 1.2.0.899 Patch Updates To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 21 Cisco ISE Patch Version 1.2.0.899-Patch 3 Resolved Caveats Caveat Description CSCue14864 Endpoint statically assigned to ID group may appear in different group This fix addresses an issue where endpoints that are statically assigned to an Endpoint ID group unexpectedly appear in another group. The issue was that, where authorization profiles are based on ID group, these endpoints may wind up getting assigned the wrong authorization result. This issue had been observed where the administrator creates endpoint identity groups and manually add endpoints to the Cisco ISE database, making them static. CSCuf47491 Timestamp of core files not preserved in support bundle This fix addresses an issue where core-dump were timestamps not always from when the core dump was created. CSCug59579 Windows 8 and 8.1 not included in Client Provisioning This fix addresses an issue where Windows 8 is not included in the OS options for Client Provisioning Policies. CSCuh14228 Internal administrator summary report export not working This fix addresses an issue where the export feature for the Internal administrator summary report was not working. CSCuh20322 Need ISE application server restart reason and timestamp This fix addresses reformats the timestamp for the show application status ise command in order for the user to determine the uptime of the application. CSCuh23536 RADIUS drop should have last event timestamp This fix adds a new time stamp column for the radius drops, misconfigured supplicants, and misconfigured network devices log counters CSCuh30587 Backup fails due to ISE restart This fix addresses an issue where the ISE application server restarts in the middle of a backup because of a local certificate change, which causes the backup to fail. Now, ISE prevents you from restarting the application server if a backup or restore is in progress. CSCuh36333 Successful DACL download authentication is counted under authentication dashlet This fix addresses an issue where the authentication dashlet incorrectly included DACL download authentications. Release Notes for Cisco Identity Services Engine, Release 1.2.x 82 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 21 Cisco ISE Patch Version 1.2.0.899-Patch 3 Resolved Caveats Caveat Description CSCuh45239 Node Status Patch page does not refresh automatically This fix addresses an issue where the Node Status page would not automatically refresh when installing an patch. This fix adds a Refresh button to the page. CSCui21439 Message code texts are blank or incorrect This fix addresses an issue where the texts for message codes 86009, 86010, 86017, and 86019 were blank and the text for message code 5411 was incorrect. This fix also addresses an issue where the failure reason text for the RADIUS Authentications report did not display properly. CSCui30275 Fixed an issue where a component of the administration page of the Cisco Identity Services Engine (ISE) was vulnerable to a cross-site scripting (XSS) attack. For additional information on cross-site scripting attacks and the methods used to exploit these vulnerabilities, please refer to the Cisco Applied Mitigation Bulletin ''Understanding Cross-Site Scripting (XSS) Threat Vectors'', which is available at the following link: http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisc o-amb-20060922-understanding-xss PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1 &version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C CVE ID has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-550 5 Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html CSCui35514 'show tech' script in support bundle needs fixing This fix addresses errors in the output of the “show tech” script in the support bundle. These errors included: CSCui36643 • incorrectly displaying "grep: writing output: Broken pipe" errors • the order not being the same as the 'show tech' output on the ADE OS CLI • the certificate output having a bad new line character (^M), rendering the PEM output unusable unless manually modified ISE Editing schedule report complains of existing report name in use This fix addresses an issue where editing a scheduled report returned the error "This schedule name has been used. Please specify a different one.” Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 83 Cisco ISE, Release 1.2.0.899 Patch Updates Table 21 Cisco ISE Patch Version 1.2.0.899-Patch 3 Resolved Caveats Caveat Description CSCui71484 ISE SEC PAP has write access via ERS API This fix addresses an issue where a provisioning request (add/delete/modify) could be done on SEC PAP via ERS API, although it should have only allowed using a GET method. CSCui77336 Customized URL ISE self registration not working This fix addresses an issue where ISE Customized web portal self-registration was not working for guest users when using a custom portal with the guestUser.timezone input tag specified in the self-registration html page. CSCui89741 ISE ERS API creates endpoint with invalid format MAC address This fix addresses an issue where an invalid MAC address format could be added to ISE database by the External RESTful Services API using the CURL command. CSCui96960 MNT Livelog/Dashboard performance This fix addresses an issue where the Livelog and Dashboard performance in ISE 1.2 suffered when the underlying query ran for a specific MAC address and when there was a large volume of data in the newly-created partition without stats. CSCuj03071 EndPoint update not being saved to PAP due to high latency This fix addresses an issue where systems with high latency might skip endpoint updates when endpoints are created on PSNs over the WAN from the PAP. For example, Cisco-IP-Phone may appear as Cisco-Device even if the information was collected and endpoint was profiled as Cisco-IP-Phone. This occurred when there was a very high latency (low bandwidth) between PSN to PAP. Around 0.5 seconds time to create an endpoint. CSCuj03697 Allow Tunnel* attributes in policies This fix addresses an issue where tunnel attributes in the Radius IETF dictionary could not be seen in the pull down when configuring a condition. CSCuj05295 ISE Application server crashed and stuck in initialized state with “null” in collection filter This fix addresses an issue where ISE crashes and the Application server gets stuck in an initialized state if a Collection Filter is created with value “null.” CSCuj09430 Guest account is not working according to its Time Zone This fix addresses an issue where a guest account worked only on the time zone of the server, not the user, which affected when a guest could log into the guest portal and when the guest account expired. CSCuj14382 Cannot statically assign IP address as FramedAddress This fix addresses an issue where assigning a string IP value to an IPV4 attribute resulted in a validation error. CSCuj15372 Authentications fail with MDM authentication rules enabled This fix addresses an issue where, with MDM authentication rules enabled, all RADIUS authentications fail after several successful runs with the following error message: 5436 RADIUS packet already in the process. Release Notes for Cisco Identity Services Engine, Release 1.2.x 84 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Table 21 Cisco ISE Patch Version 1.2.0.899-Patch 3 Resolved Caveats Caveat Description CSCuj16049 HA Licensing This fix addresses an issue where in the deployment process, once the secondary is promoted as primary, the HA licensing file could not be installed on the promoted secondary. CSCuj19882 Unable to edit the existing Guest accounts after restoring old backup This fix addresses an issue where you could not edit a guest account from the sponsor portal if the account was created before ISE 1.2 patch 2 was applied. CSCuj28447 Endpoint statically assigned to ID group may appear in different group This fix addresses an issue where an endpoint statically assigned to an Endpoint ID group may have been seen in another group for no apparent reason. Authorization profiles based on ID group led to the endpoint being assigned the wrong authorization result. CSCuj45431 ISE Support for Mac OS X 10.9 NAC Agent ISE 1.2 patch 3 supports a NAC Agent for Mac OS X 10.9. CSCuj45766 Add/Remove MDM server never got replicated to PSNs in distributed deployment This fix addresses an issue where ISE would still use a previously configured MDM server when another MDM server is created as an active MDM or updated as an Active MDM. CSCuj51094 Captured TCPDump file is not working This fix addresses the issue where you are unable to open the captured TCPDump.pcap file in a program like Wireshark. CSCuj54630 ISE 1.2 patch 2 is rejecting https cookies from the Mobile Iron Server This fix addresses an issue between ISE 1.2 (899) patch 2 and Mobile Iron Stand Alone (VSP 5.7.1 Build 74). When ISE used the API to check on the status of an endpoint, ISE rejected cookies issued from MI, thus preventing the server from properly identifying what devices are compliant or not. This resulted in the status of "unknown," which prevented access for endpoints that are compliant (via AuthZ rule set). CSCuj57335 Egress Matrix: require default SGACL that includes log option This fix adds new log functionality to the default Egress rule. CSCuj60796 ISE Support for IE 11 ISE 1.2 patch 3 supports Internet Explorer 11. CSCuj70022 EAP-FAST authenticated provisioning with Android doesn't work This fix addresses an issue where ISE TLV failed when parsing a TLV sequence that some versions of Android sent during authenticated provisioning. CSCuj82378 Downloaded captured TCP dump file for remote node is not of proper size This fix addresses issues with TCP dump files. Previously, the Download button would not respond after running the TCP dump for more than five minutes. Also, an error occurred after downloading the TCP dump file because the file size was incorrect. These issues have been resolved. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 85 Cisco ISE, Release 1.2.0.899 Patch Updates New Features in Cisco ISE Version 1.2.0.899—Cumulative Patch 2 Support for Guest Self-Registration Based on Email Domain Whitelist You can allow guests to create their own accounts by enabling the self-service feature by choosing: Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations > Operations > Guest users should be allowed to do self service. When you enable this feature, the account credentials display on the screen, and they are also emailed to the email address used to create the account. You can restrict this feature by limiting guests’ ability to create their own accounts based on their email domain. By creating an email domain whitelist, you can ensure that only guest users with email accounts on those domains can create guest accounts. To prevent the account credentials from displaying on the screen, you must create a custom portal when using an email domain whitelist. These steps provide an overview: 1. Create a custom portal, following these guidelines: – Add a required email field and an acceptable use policy (AUP) page to the Self-Registration html file. See New Sample HTML Files for Custom ISE 1.2.x Web Portals, page 62 for information on downloading a sample file. – Add text to refer users to their email for their login credentials on the Self-Registration Results html file. See New Sample HTML Files for Custom ISE 1.2.x Web Portals, page 62 for information on downloading a sample file. – Map the Login file to the Self-Registration page. See the “Mapping HTML Files to Guest Portal Pages” section in the Cisco Identity Services Engine User Guide, Release 1.2 for detailed instructions. 2. Configure the SMTP server to support notifications (Administration > System > Settings > SMTP Server). 3. Specify the default e-mail address from which to send all guest notifications. (Administration > System > Settings > SMTP Server and choose Use Default email address). 4. Create the email domain whitelist. See the “Restricting Self-Registration Based on Email Domain” section on page 86. 5. Customize the self-registration credentials email message. See the “Customizing the Self-Registration Credentials Email” section on page 87. 6. Customize the self-registration failure message. See the “Customizing the Self-Registration Failure Message” section on page 87 Restricting Self-Registration Based on Email Domain Before You Begin Step 1 • Configure the SMTP server to support notifications (Administration > System > Settings > SMTP Server). • Specify the default e-mail address from which to send all guest notifications. (Administration > System > Settings > SMTP Server and choose Use Default email address). Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations. Release Notes for Cisco Identity Services Engine, Release 1.2.x 86 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Step 2 Add or edit a guest portal and click Operations. Step 3 Check these options: Step 4 Step 5 • Guest users should be allowed to do self service. • Send self-registration credentials to whitelisted email domains Enter the allowable domains in the Whitelisted email domains field, following these criteria: • Enter the exact domain name; wildcard characters are not supported. • Use commas to separate multiple domain names • The field supports a maximum of 4000 bytes so the total number of supported domains varies, depending on multibyte or unicode requirements. Click Save. Customizing the Self-Registration Credentials Email You can customize the email message sent to users containing their self-registration login credentials. When customizing this message, be sure to configure it for the languages supported for your guest users. This email is sent to the guest and sponsor using the guest notification language (specified in this setting: Sponsor portal > Edit guest account > Notification language). Step 1 Choose Administration > Web Portal Management > Settings > Sponsor > Language Template > English (or other language) > Configure Email Notifications > Self-Registration Credentials. Step 2 Customize the message and click Save. Customizing the Self-Registration Failure Message You can customize the error message that displays when users attempt to register using an email account from an unsupported domain. Step 1 Choose Administration > Web Portal Management > Settings > Guest > Language Template > English (or other language) > Configure Error Messages > Self Service Failed Message. Step 2 Customize the message and click Save. Guest Account Expiration Notifications You can notify guests and sponsors in advance that guests’ accounts are close to expiring. Sponsors can then proactively extend the account duration. These restrictions apply when sending account expiration notifications: • Notifications are sent only to active accounts. Pending, suspended, and expired accounts will not receive a notification. • Accounts using the FromFirstLogin time profile will not receive a notification until they have become activated and are in the expiration notification window. • The timezone of the guest account is used to determine the account expiration. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 87 Cisco ISE, Release 1.2.0.899 Patch Updates Configuring Guest Account Expiration Notifications Step 1 Choose Administration > Web Portal Management > Settings > Guest > Time Profiles. Step 2 Add or edit a time profile. Step 3 Check these options: Step 4 • Send account expiration notification • Notification time—enter a value between 0 and 336 hours. You must enter a time allowed by the time profile. (For example, if the time profile limits guest access to one week, you might enter 24 to send the expiration notification a day in advance.) • Send email to guest or Send email to sponsor—you must choose at least one of these options. Click Save. Customizing the Guest Account Expiration Notification You can customize the messages sent to guests and sponsors to warn them that the guest account is expiring soon. When customizing these messages, be sure to configure it for the languages supported for your guest and sponsor users. This email is sent to sponsors and guests in the language indicated by these settings: Step 1 Step 2 • Sponsors—Sponsor Portal > My Settings > Language template • Guests—Sponsor portal > Edit guest account > Notification language Choose one of these options: • Guests—Administration > Web Portal Management > Settings > Guest > Language Template > English (or other language) > Configure Email Notifications > Account Expiration Notification Message. • Sponsors—Administration > Web Portal Management > Settings > Sponsor > Language Template > English (or other language) > Configure Email Notifications > Account Expiration Notification Message. Customize the message to send to sponsors and guests, using these supported variables: • $guest$—first name of the account or the username if first name is empty • $username$—login of the guest account • $firstname$—first name on guest account • $lastname$—last name on guest account • $sponsor$—the sponsors login username • $time$—the time remaining on the account before expiration. Displays as: HH:MM • $remaininghours$—the remaining number of hours before expiration • $remainingminutes$—the remaining number of minutes before expiration • $starttime$—the start date and time of the account. Displays as: EEE dd, MMM yyyy HH:mm. For example: Fri 30, Aug 2013 10:30. • $endtime$—the end date and time of the account. Displays as: EEE dd, MMM yyyy HH:mm. For example: Fri 30, Aug 2013 10:30. Release Notes for Cisco Identity Services Engine, Release 1.2.x 88 OL-27043-01 Cisco ISE, Release 1.2.0.899 Patch Updates Step 3 Click Save. Support for Apple iOS 7 in Cisco ISE Version 1.2.0.899—Cumulative Patch 2 ISE 1.2 Patch 2 supports iOS 7 Endpoints for Guest users (Local Web Authentication and Central Web Authentication), as well as BYOD on-boarding. Please note that to ensure iOS 7 endpoint support with ISE 1.2 Patch 2, the WLC needs to be updated to version 7.4.115.0. The WLC 7.4.115.0 update for these devices: • Cisco 2504 Wireless Controller • Cisco 5508 Wireless Controller • Cisco 8510 Wireless Controller • Cisco Flex 7510 Wireless Controller • Cisco Virtual Wireless Controller can be downloaded by registered users of Cisco.com from this location: http://software.cisco.com/download/special/release.html?config=fe18b0e824ca3427253bf74fdf50dab9 The WLC 7.4.115.0 update for the Cisco Wireless Services Module 2 (WiSM2) can be downloaded by registered users of Cisco.com from this location: http://software.cisco.com/download/special/release.html?config=dc3ed2770a7e6d66be495ac1d8cf0cc5 Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 2 Table 22 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 2. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 89 Cisco ISE, Release 1.2.0.899 Patch Updates Table 22 Cisco ISE Patch Version 1.2.0.899-Patch 2 Resolved Caveats Caveat Description CSCuh25868 Authorization policy condition’s re-editable text/string limited to 16 characters. This fix addresses an issue where editing an authorization policy’s conditions resulted the text box only showing the first 16 characters in a string condition. The remaining characters were replaced by "..." CSCuh56278 Local Web Authentication (LWA) Guest access by iOS 6 devices on ISE 1.2 fails. This fix ensures that iOS 6 devices are authenticated correctly and gain access to the network appropriately. CSCui34389 RADIUS accounting drop is not suppressed, flooding live log This fix addresses an issue where message codes for RADIUS accounting drops were not suppressed, resulting with live logs being flooded. CSCui36160 Whitelist and expiration notification. The new Guest Self-Service feature provides administrators and sponsors the ability to have a customized notification email sent to guest users or sponsors X days before the guest account expires, allowing the sponsor (or guest user in SPP) to update the time profile and extend the account expiration. Self Service Guest accounts have password credentials sent via email, with an additional Email Whitelist feature for validation. Note CSCui42788 See Support for Guest Self-Registration Based on Email Domain Whitelist, page 86 for more information. Exporting of imported profile policy results a garbled description. This fix addresses an issue where exporting an imported policy with a description field resulted in a garbled description field. CSCui44324 Backup task can't be configured in ISE 1.2 UI. This fix addresses an issue where a scheduled backup couldn’t be configured on ISE 1.2 in UI under "Administration -> System -> Backup and restore". After filling all data and clicking on "Save" button, nothing happened. (e.i., neither is a task created nor an error generated). CSCui56071 ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates This fix filters incoming Framed-IP-Address that contains zero IP address (0.0.0.0) to reduce replication. CSCui58390 Multiple names in SAN Field and ISE choose value randomly This fix addresses an issue where the ISE chose the wrong Subject Alternative Name if there are multiple names in the SAN field values in the certificate. CSCui75335 ISE 1.2 NAC agent fails posture due to 'NAC Server not available' This fix addresses an issue where a NAC agent fails a posture assessment attempt and displayed a “NAC Server not available” error. CSCuj23727 A change in iOS 7 to the user-agent string for an iPod Touch breaks its BYOD workflow. This fix ensures that an iPod Touch device is recognized as such in a BYOD workflow. Release Notes for Cisco Identity Services Engine, Release 1.2.x 90 OL-27043-01 Cisco ISE, Release 1.2.x, Open Caveats Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 1 Table 23 lists the issues that are resolved in Cisco Identity Services Engine, Release 1.2.0.899 cumulative patch 1. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 1.2, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. for instructions on how to apply the patch to your system. If you experience problems installing the patch, contact Cisco Technical Assistance Center. Table 23 Cisco ISE Patch Version 1.2.0.899-Patch 1 Resolved Caveats Caveat Description CSCui16528 Wrong service selection for NDAC Policy This fix addresses the issue in a Cisco ISE deployment with SGA functionality implemented, where the authentication request was rejected by the Cisco ISE PSN server and the request from the client timed out. Cisco ISE, Release 1.2.x, Open Caveats • Open Caveats, page 91 • Open Agent Caveats, page 114 Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats Caveat Description CSCua97013 Apple iOS devices are prompted to accept “Not Verified” certificates Apple iOS devices (iPhone & iPad) are asked to accept the certificate, appearing to them as “Not Verified,” when connecting to WLAN (802.1X). By design, Apple iOS devices are prompted to accept a proprietary certificate, but Apple OS X and Android devices work without being prompted to accept a certificate. This happens even when the certificate is signed by a known CA, as there is an intermediate certificate in the server certificate chain. Workaround Click Accept to acknowledge the certificate. While browsing any URL, the user is redirected to provision the device. After provisioning, the intermediate certificate is installed on the iDevice. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 91 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCub17522 IP Phone IEEE 802.1X authentication reverts to PAC-based authentication when the “Accept client on authenticated provisioning” option is not enabled. When the “Accept client on authenticated provisioning” option is off, Cisco IP Phone EAP-FAST authentication sessions always end with an Access-Reject event. This requires the IP phone to perform PAC-based authentication to pass authentication. Since Cisco IP Phones perform authentication via authenticated provisioning and not via PAC-based authentication, it is not possible for the phone to authenticate when this option is off. Workaround Try one of the following: CSCuc60349 • Turn on the Cisco IP Phone “Accept client on authenticated provisioning” option. • Switch from EAP-FAST protocol to PAC-less mode. • Authenticate Cisco IP Phones via EAP-TLS rather than EAP-FAST. False alarms on patch install/rollback as failure on secondary node ISE sometimes generates critical false alarms for install or rollback failure alarms on secondary node even though the install or rollback operations were successful. Workaround Use PAP (Administration > Maintenance > Patch > Show Node Status) to verify patch installation status. CSCuc92246 Disk input/output operation while importing users slows down the appliance If you enabled the Profiler service in your deployment, you have a Cisco ISE 3315 appliance as your primary Administration node, and you import users, accessing the user interface becomes very slow. Workaround None CSCud00407 Microsoft Active Directory 2012 user authentication with Alternative User Principal Name suffix fails. This issue occurs when the Alternative User Principal Name (UPN) is the same as the name of the parent or ancestral domain to which Cisco ISE is joined. For example, if Cisco ISE is joined to a domain named “sales.country.region.global.com,” and you have an Alternative UPN named “global.com,” then user authentication fails. Workaround Use an Alternative UPN that is not the same as the parent or an ancestor. Release Notes for Cisco Identity Services Engine, Release 1.2.x 92 OL-27043-01 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCud18190 Unable to reregister a device (via EAP-TLS) that was provisioned earlier. If you delete an endpoint that was provisioned, you have to force the deleted or missing endpoint to re register with Cisco ISE so that the endpoint is created again. Workaround Create an authorization rule similar to the following: Re-register-Policy NetworkAccess.AuthenticationMethod == x509_PKI CWA-Policy This rule redirects to the CWA policy and authenticates the user (you must add the identity store to the guest authentication store sequence), and re-provisions the endpoint. CSCue08385 After changing the domain name could not access node in 3 node setup. After changing the domain name in PAP node, it is not possible to access the PAP node through GUI and HTTP error is thrown. CSCue17018 MNT node gets messages even after it is out of deployment and is disconnected. CSCue46758 Session expired error occurs during guest authentication. Cisco ISE displays the following error message: ISE: 86107- Session cache entry missing For Central Web Authentication, when you configure an authorization profile, and modify the cisco-av-pair (cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway? sessionId=SessionIdValue&action=cwa), the user is redirected to the Web Authentication page, but the session expires after the user logs in. Workaround Do any one of the following: CSCue51298 • Do not replace “ip” in the cisco-av-pair with a value. • Do not modify cisco-av-pair. Instead, configure the Web Authentication option under Common Tasks. Guest users who are assigned the ActivatedGuest role and First Login time profile have to change their password at first login or after password expiration. This issue occurs when you assign the ActivatedGuest guest role and the From First Login time profile to a guest user. This time profile requires the guest users to first access the Guest portal to change their password. The typical flow for these activated guest users does not require them to access the Guest portal because they sign in using IEEE 802.1X (dot1x) authentication or VPN. Workaround For activated guest users, use the From Creation time profile instead of the From First Login time profile. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 93 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCuf77949 After upgrade, two instances of the same alarm appear on your dashboard. After you upgrade, you might see two instances of the same alarm being generated. This issue exists for about 15 minutes after the upgrade is complete. Workaround None. CSCug60740 While using Chrome as browser on Nexus 7 tablet, if the Javascript is disabled, users logging in to the Guest portal for the first time will not be able to continue with the site security certificate page. Workaround Enable Javascript for the browser or install trusted certificate on ISE to avoid the site security certificate page. CSCuh07358 Holistic solution is required to resolve Java/SPW issue on Mac OS X/Windows provisioning. While onboarding Mac OS X devices, if Java is not installed, an error message is displayed. This requires the user to install Java and rerun the flow again to onboard the device. CSCuh75971 Issue running applet in Windows or Macintosh OS with latest Java 7 update 25. If Java 7 update 25 or above is installed, launching of the Agents or Network Setup Assistant during client provisioning or the onboarding process on a Windows or Mac OS X clients would take about 3 minutes as this Java update has Perform revocation checks enabled by default. This causes the applets signed certificates to be verified against the issuers CA server, which is currently blocked. This issue affects only Java applet and does not affect ActiveX, so there is less impact on Internet Explorer that uses ActiveX by default. Workaround Cisco ISE administrator should allow access to crl.thawte.com and oscp.verisign.net for restricted network during provisioning. If the administrator is not able open access to these sites, then the end user should turn off Perform certificate revocation checks in Java as follows: Open the Java Control Panel, click the Advanced tab, go to Perform certificate revocation checks on and select Do not check. CSCuh78210 Agent does not turn TLS1.0 in IE if FIPS ciphers are disabled by default When redirected from Internet Explorer, if the FIPS cryptographic cyphers from local security policies on client machines are enabled or disabled, then the NAC Agent does not pop up for posture assessment. Workaround Exit and launch the NAC Agent again to get the latest FIPS settings. CSCuh07275 Roaming of iPad breaks onboarding process. If a device roams to a different Access point or WLC that connects to a different PSN, then the CoA is sent to WLC that is not expecting it and the onboarding goes into a loop. Workaround Disconnect from the wireless and try to connect again. Release Notes for Cisco Identity Services Engine, Release 1.2.x 94 OL-27043-01 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCuh12619 BYOD: Device registration is successful even after canceling the profile installation. CSCuh21153 IP Address does not refresh in Windows 7 client when using Internet Explorer for authentication in DRW flow. CSCuh22013 Some endpoint devices like iPAD and iPhone have issues with wildcard certificates when CN is blank. CSCuh43300 Node group cluster information is deleted if a node is made primary and included in a node group at a time. When a node group is created in a standalone node and then the node is made as primary, the failover information is not notified to the primary node. CSCuh60829 While upgrading from ISE 1.1.1 to ISE 1.2, the Time and Date condition configured as 'All Day' changes to specific hours and it fails for all authentication and authorization policies that use the time based condition. CSCuh64576 Language Template description and browser Locale Map are not carried over After upgrading to ISE 1.2, the 'Description' and 'Browser Locale Mapping' in the template definition are not carried over for Sponsor, My Devices, and Guest Language template. Workaround After the upgrade, set the flags manually. CSCuh77967 Error message when same rule name appears under local and Global exception When global and local exception rules are created with same names, they get saved successfully. While trying to edit and save the policy, an error message is displayed that the exception rule already exists. CSCuh78514 Config Restore including ADE-OS could cause nodes go out of sync In a deployment, nodes are not in sync after ADE-OS restore. Workaround After the restore is successful, the nodes need to be syncronized manually using ISE Administration web UI. CSCuh88557 User password policy attribute migration issue In ACS UI, the Password may not contain the username or its characters in reversed order checkbox is enabled and exported to ISE. After importing the policies, the checkbox appears disabled. CSCuh90273 BYOD flow does not work when ISE acts as RADIUS proxy. Once AD user is authenticated successfully against remote RADIUS server, the user is redirected to NSP portal. In the NSP portal, it is not possible to obtain the user information. An error is thrown and instead of the 'Register' option, 'Try Again' option is displayed. CSCuh94096 IE9: Register button greyed out when ActiveX is disabled In a Windows 7 client using Internet Explorer 9 with ActiveX disabled, while trying to perform the BYOD flow the browser redirects the user to ‘Device Registration’ page, where the ‘Register’ option is greyed out. Workaround Enable the ActiveX to get the Register option properly. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 95 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCui00865 After creating guest accounts using Mozilla Firefox, the 'Manage Guest Accounts' page does not contain the newly created guests and has missing objects. Workaround Clear the cache and restart the browser. CSCui01605 Saving Duplicate policy set which has user defined simple condition fails It is not possible to duplicate and save a policy set that contains user defined simple condition. Workaround • Create a new policy set with same user defined simple conditions and save it. OR • CSCui03041 Duplicate a policy set with authorization simple condition and delete the user defined simple conditions in the policy set. Create the same condition in the duplicated policy set and save it. Device ID does not go to RegisteredDevices group When a laptop with Mac OS X is connected to a network through BYOD flow, both the wired and wireless MAC addresses are listed in 'RegisteredDevices' group. When the same laptop is connected again after cleaning up the profiles and user credentials, only the wireless MAC address is listed in the 'RegisteredDevices' group. CSCui05265 Guest Role configuration in the Administration UI using IE does not work properly Configuring Guest Role at Administration > Web Portal Management > Settings > Guest > Guest Roles Configuration, using Internet Explorer does not display the ID groups properly. Workaround Use other browsers like Firefox. CSCui07457 WLC ACL issue with Android device during BYOD In a BYOD flow, when the ACLs are created through the Setup Assistant, Android devices fail to download the Network Setup Assistant application. Workaround Do any one of the following to enable the Android devices to download the profile and connect to the network successfully. • Update the ACL in the WLC GUI by deleting one of the ACLs and creating it again with same values. OR • CSCui10632 In the Edit page of the WLC, click Save without changing the values. This will update the ACL. NSP profile deleted and replaced by another after downloading the resources After creating an NSP profile for EAP-TLS and using it in a client provisioning policy, when the agents and resources are downloaded through the update feed URL, the NSP profile gets deleted. It is replaced with one of the downloaded NSP profiles. Release Notes for Cisco Identity Services Engine, Release 1.2.x 96 OL-27043-01 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCui12947 After upgrading, replication fails on deployment when secondary PAP is promoted. Workaround Delete the local certificates and restart the PAP. CSCui16373 Upgrading any secondary node from Limited Availability Release to Release 1.2 Fails. This issue occurs only when you upgrade from the Limited Availability release to Cisco ISE, Release 1.2. This issue is seen when you have backup schedules configured in Cisco ISE. Workaround Disable or cancel the backup schedules before you upgrade to Release 1.2. CSCui16876 Default authentication policy matching instead of default dot1x rule When the default policy is modified to 'deny access' and dot1x authentication is performed against PDP with internal user, authentication fails. The authentication matches with 'AllowedProtocolMatchedRule'. Workaround Instead of deny access, select identity source/sequence to get authenticated. CSCui18956 Not able to update the custom RBAC policies after upgrading to Cisco ISE 1.2 After upgrading from Cisco ISE 1.1.x to 1.2, it is not possible to update the RBAC policies, custom menu access and data access permissions that were created in Cisco ISE 1.1.x. Workaround CSCui19072 1. Create new menu access permission after upgrading to 1.2 2. Update the RBAC policy created in 1.1.x with the newly created menu access permission and save the policy. 3. Log in with the RBAC user and the updated menus will be displayed. After creating RBAC menu access permission, navigate to the Home page and click the Show button. This throws the following error: 'TypeError: selectedItem is undefined'. Workaround This happens only for the first time. Edit the menu access, go to the Home page, and click Show. CSCui28492 Registered Endpoints report takes a few minutes. Workaround Gather the statistics in CEPM schema and the reports are generated without delay. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 97 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCui87386 Default Guest Portal displays Self Service Results on screen with the White Listing Feature enabled. Workaround Use Custom Guest Portal, with the Self Service Results Page customized not to display the Results on screen. Additionally disable the Self Service option in Default Guest Portal Settings, as there is risk of accessing the Default Guest Portal tweaking the redirected URL CSCuj10678 The iPEP Node is unable to correctly handle tagged VLANs. Workaround Make the native VLAN on the switch the same as the management VLAN. CSCuj22597 When using the notification feature, emails are delivered even when notifications disabled for the sponsor in admin. Workaround Disable the notification on the time profile setting instead. CSCuj40148 During the BYOD flow the end user will be continuously redirected to the device registration page after installing Java. This occurs when: • the endpoint does not have Java installed and after the installation is completed on the Firefox browser, or • Java is uninstalled and the Firefox browser was not quit before starting the BYOD flow Workaround Quit and relaunch the Firefox browser after installing the Java package from www.java.com/en/download and then continue with the BYOD onboarding. CSCuj62777 After uninstalling 1.2 Patch 3, the PAP node goes down and doesn’t come up, showing HTTP 404 Error in GUI. CSCul27693 If you do a CSV bulk import from the sponsor portal, you are asked to which role to tie the imported guests. If you use the "Guest" group as suggested by default and then try to authenticate with one of those guests, they never hit the authorization rule where you configured "identity group=guest" as condition because ISE sees the guest account as part of the “Any” identity group. Workaround As the sponsor, edit the guest account but change nothing and save the account without having changed anything. The user will correctly show as belonging to Guest group when logging in. CSCul69609 The same session ID is being used by multiple guest users, so some guest users see login page even after accepting AUP. Release Notes for Cisco Identity Services Engine, Release 1.2.x 98 OL-27043-01 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCul39011 For installations of ISE 1.2 with MDM server integrated, ISE tries to query the MDM server during EAP sessions. If the server does not respond, it continuously retries and this causes the session to hang in runtime. The ISE live authentication logs may report 5436, 5405/5411, and 5441 errors making it appear as if the supplicant is misbehaving while the ISE alarms report “External MDM Server Connection Failure.” Workaround Make sure the MDM server is constantly able to respond to queries. If profiling is used, configure and assign logical profiles to the MDM rules to reduce the scope to mobile devices only. Add the MDMServerReachable condition to the configured MDM authorization rule to allow ISE to use MDM reachability as a condition match. CSCul92356 While using Guest Portal along with “Guest users should be allowed to do Device Registration,” when the Guest user registers the device, the device falls into the UNKNOWN Group whereas it should go in either the GuestEndpoints group or in the RegisteredDevices group. Workaround We can force the endpoint to fall into a different group by manually creating a profiler policy. • Create a Profiling condition where the “IP_EndPointSource” EQUALS “GUEST Portal.” Allow it to Create a matching Identity group. • We can see that the endpoints will now fall into the new Endpoint Identity group under Endpoint groups > Profiled and can be used in an authorization Policy. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 99 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCul94611 Issue with the Live dashboard in ISE 1.1.4 not displaying information and only showing “No Data Available.” Workaround Enter the following commands below: ms-ise-mgm01/admin# app config ise Selection ISE configuration option [1]Reset Active Directory settings to defaults [2]Display Active Directory settings [3]Configure Active Directory settings [4]Restart/Apply Active Directory settings [5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings [6]Enable/Disable ERS API [7]Reset M&T Session Database [8]Rebuild M&T Unusable Indexes [9]Purge M&T Operational Data [10]Reset M&T Database [11]Refresh M&T Database Statistics [12]Display Profiler Statistics [13]Exit Select the following options: 7 to reset the session db 10 to reset the M&T database 11 to refresh the statistics (Possibly do not need. Was only needed in 1 case.) Once you have run these commands the DashBoard should begin to display information. This process can take up to 12 hours to complete all three steps. Roughly 1 to 3 hours per option selected. CSCum05066 When rolling back a patch update using the GUI, it is uninstalled successfully on primary node but it does not happen in secondary nodes. On the Primary node, the GUI shows patch is no longer installed in Primary but shows the patch as installed on the secondary node. This issue is fixed in ISE 1.2 patch 5. However, it will occur if you rollback a fresh install of ISE 1.2 patch 6 or 7, or if you rollback ISE 1.2 patch 5. Workaround The user needs to run the rollback again from the Primary GUI. CSCum05562 An endpoint might not matching the right authorization profile because the change of authorization was not sent. Workaround Don't use policy sets or use fast reAuths on switch as doing a CoA from MnT works as well. Release Notes for Cisco Identity Services Engine, Release 1.2.x 100 OL-27043-01 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCum21201 Windows workstation devices that have a MAC address starting with "3C:97:0E" are profiled as a "Nortel-Device." Workaround Remove Nortel condition matching on "OUI CONTAINS Wistron" and increase the Certainty Factor of Windows workstation device so that it prefers Windows profile policy over Nortel policy. CSCum41138 After CoA REST API is issued successfully, ISE live logs shows the “NAS IP Address” to be the MnT address, instead of the switch address. CSCum73765 While using profiling with SNMP v3 Query and Trap probes, the correct profiling information is not fetched. The SNMP v3 queries triggered by the SNMP traps generated by linkup/linkdown or mac-notification from the switch fails SNMP v3 authorization and leads to closing of the SNMP session. The same is seen when the SNMP v3 query is triggered by a Radius Accounting probe. In the profiler.log, we can clearly see that the SNMP v3 authorization fails and the SNMP session is closed. Workaround There is no workaround. The only options available currently are: 1. Use SNMP v2c instead of SNMP v3. 2. Reduce the polling interval to 600 seconds on the network device configuration. Now, when the device is connected, it will be profiled wrongly at first but 10 minutes later (600 seconds), when the independent query takes place, it will get correctly profiled. This delay will be seen only the first time the device is bought in the network. From the next time onwards, it will connect and get the correct policy immediately since it is already saved with the right profiling information. CSCum85832 On the Fresh installation setup of 1.2.1 and restoring the Operational (MNT) data of 1.2. Operational restore will be completed successfully. CSCun23340 Randomly created guest users are not shown for exporting and printing the user information in Firefox. Workaround Use Internet Explorer 11. CSCun23357 Uploaded guest users are not shown in Firefox. Workaround Use Internet Explorer 11. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 101 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCun53951 ISE presents self-signed cert instead of CA-signed cert even though the GUI shows the CA-signed cert marked for HTTPS use. The standalone ISE node has 2 certificates in its local certificate store: a self signed one and a CA signed one. The CA signed certificate is marked to be used for HTTPS and EAP. This node presents the CA signed certificate when the GUI is accessed. Once the above ISE node is registered to the primary, it starts presenting the self signed cert. Workaround After registration, choose the self-signed cert in the GUI, so that the node presents the CA signed cert. CSCun65239 The desktop device does not display sessionExpired page when the “change password” and “device registration” options are enabled. The mobile portal does not display sessionExpired page when session is terminated. This occurs when the following options are enabled: • Guest users should agree to an acceptable use policy - Every Login • Enable Mobile Portal • Allow guest users to change password • Guest users should be allowed to do self service Workaround If the login page loops after the session has expired, disconnect and reconnect SSID/network. Then have the client redirect to the guest portal by entering an external URL in the address bar so they get a new session ID. 1. Disable mobile portal option. 2. Disable the following options: – Require guest users to change password at expiration and first login – Guest users should be allowed to do device registration CSCun75689 ISE is unable to save a Scheduled Report using UTF-8 characters in the report name. You will receive the following message: “Schedule name should only contain alphanumeric and _ - . characters.” Workaround Rename the Schedule Report with non-UTF-8 characters. CSCuo40057 EAP-Chaining authorization is stuck with out successful certificate renewal. Workaround In order to identify EAP-Chaining with expired cert functionality, you can have a rule which reads: if Network Access.UseCase EQUALS EAP-Chaining AND CertRenewalRequired then DenyAccess. CSCuo54649 An endpoint consuming advanced features will show against both Advanced and Plus license if both licenses are available in the system. Workaround Refer to Current Licenses page instead of details of licenses installed. Release Notes for Cisco Identity Services Engine, Release 1.2.x 102 OL-27043-01 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCuo56327 Since Plus license support was introduced in Cisco ISE 1.2 patch 8, the Plus license will be removed if admin removes Cisco ISE 1.2 patch 8 or Cisco ISE 1.2.1. CSCuo62507 Once the disk space is been reached to more than 80 % aggressive purging will be triggered automatically from the back-end. If admin tried to perform the CLI purging while backend purge is in progress. Data will be partially purged. Workaround Once Both process is completed. Again triggered the CLI PURGE. All the data will be purged successfully as per the threshold which we set. CSCuo88056 Guest Action word is displayed instead of sponsor name in the Reports after Guest Password is changed. Workaround Guest user can change his password after login to the Guest portal, so that Sponsor name will be displayed properly in the reports. CSCuo88459 Apple iOS device, after certificate Renewal gets stuck and will always be redirected to CWA URL or wi-fi interface is down. Workaround Click on the Wi-fi, and select the option forget this network and try reconnecting to the same network, Please do the steps in the below mentioned order Device will ask user to select the authentication Method select EAP-TLS and select the user certificate. Enter the user name with the user name and click connect. CSCuo89783 When we trigger a backup to invalid repository, the backup fails and no alarm is generated. Workaround Can check the backup status in Administration > System > Backup & Restore Page. CSCup00209 Guest user name is not displayed for Guest attribute value, instead “Self Registration” word / Internal Sponsor name is shown under Guest Sponsor mapping and Guest Sponsor Detail reports respectively. Workaround Guest user can be created by Sponsor via Sponsor Portal. CSCup08066 Performing a backup preserves alarm notifications. In Cisco ISE 1.2.1, this causes alarms to trigger in the dashboard. CSCup10918 Consistency issue in French localization. “Vous devez renouveler l'inscription de votre périphérique pour continuer à utiliser le réseau sécurisé” should be “Vous devez renouveler l'enregistrement de votre périphérique pour continuer à utiliser le réseau sécurisé.” CSCup23595 Exporting endpoints results in an empty file if filtering by IP address. Workaround Export endpoints using the “Export Selected” option. CSCup39916 Exporting endpoints with the _ special character in the profile name results in an empty file. Workaround Export endpoints using the “Export Selected” option. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 103 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCup44205 CoA session quarantine doesn't do any action but gives successfully applied message. Workaround Disable EPS services for ASA COA users. Quarantine option will not be displayed in MnT. CSCup52657 Error messages occur when the servers are placed in the following deployment and APIs are executed for the Secondary MnT IP address: PAP(P)+MnT(S)+PDP- Node 1 PAP(S)+MnT(P)- Node 2 Workaround Change the deployment as follows: PAP(P)+MnT(P)+PDP PAP(S)+MnT(S) CSCup68428 CoA session re-authentication is successful the first time, but the session is terminated for second re-authentication if Posture isn’t completed. Workaround Issue the ASA CaA re-authentication once Posture is completed. CSCup94688 When trying to add or delete IP addresses for admin access, the Save and Reset buttons functionalities are not properly implemented. Workaround No functional/Flow impact. Just Add and Delete will do it. CSCty46687 The Cisco Identity Services Engine (ISE) is affected by a cross-site scripting (XSS) vulnerability. CSCty46691 The Cisco Identity Services Engine (ISE) is vulnerable to SQL injection. CSCty60811 Clients are not redirected to the Posture Remediation page to download the NAC agent. CSCtz29311 SecPAP promotion is slow with FCS 1.1(alpha data) to 1.1.1.183 upgrades. CSCtz99443 Node replication status in the deployment page always shows 'IN-PROGRESS' message to the Secondary nodes that are deployed over WAN. CSCua10173 Changing or disabling alert rules or criteria triggers HTTP Status 400 - Request not processed message. CSCub19047 Characters such as Hyphen (-) and dot (.) are not supported as part of the VLAN ID\Name. CSCub35768 ISE Upgrade from 1.0 to 1.1 failed because data access permission to the user is denied. CSCub64247 Cisco Application Deployment Engine (ADE) OS does not accept users with passwords containing front slash. CSCub87687 Language templates in the guest portal sets a limit of 4000 characters. CSCub99130 Corruption of database results in the loss of ISE certificates and keys. CSCuc26772 Network devices are not displayed in the navigation pane when the Network Device Group is selected. Release Notes for Cisco Identity Services Engine, Release 1.2.x 104 OL-27043-01 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCud20339 Onboarding a device using single/dual SSID with Transport Layer Security (TLS) profiles fails. CSCud46215 Detailed authentication failure message is not displayed for sponsor user group. CSCud52161 Active Directory (AD) operation failure because of an unspecified error in ISE. CSCud79538 ISE fails with two active certificates. CSCud86135 During initialization failure ISE sends wrong alarms. CSCud92384 Incorrect error messages displayed when ISE application server is down. CSCue14481 “Internal error” message displayed when the number of guest user accounts created is 100,000. CSCue23875 The monitoring database stops adding new entries for operating system strings that exceed the maximum value of 100 characters. CSCue27949 The reset-passwd command does not allow the usage of special characters. CSCue30432 Launch program remediation does not allow the usage of double quotes. CSCue33447 Editing authorization profile by adding static Internal Protocol (IP) address or host name changes the redirect back to 'Default' and the 'Value' is empty. CSCue46758 Identity Services Engine (ISE): 86107-Session cache entry missing during guest authentication. CSCuf33854 Nessus 53491 - Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) renegotiation DoS OpenSSL reported medium vulnerabilities. CSCuf60933 Slow GUI with large Cisco Telepresence System (CTS) Egress Matrix. CSCuf84159 Identity Services Engine (ISE) admin access does not work with External RSA authentication. CSCug20348 Machine authentication with Active Directory (AD) fail with MNT error “24485 Machine authentication against Active Directory has failed because of wrong password” and does not reflect the issue. CSCug27409 Import of comma-separated value (CSV) file for Network Devices failed in ISE 1.1.3. CSCug34679 Identity Services Engine (ISE) drops keep alive authentications coming from wireless LAN controller (WLC) marking ISE as dead. CSCug51137 User authentication over 3 days failed with Uncaught exception. CSCug51530 Failed to send message: Socket closed, MsgType: 901. CSCug90087 Database lock not removed after execution of reset monitoring database command. CSCuh23877 “Identity Store Unavailable” alarm not getting triggered after authentication failed. CSCuh41473 Active Directory (AD) group not saved as external admin group if containing a "!" character. CSCuh47459 Connection error on Backup and Restore page after successful restore and backup. CSCuh50486 Identity Services Engine (ISE) validates only if Domain Name Server (DNS) entry for the host exists, but not for Internet Protocol (IP) address. CSCuh54734 Acknowledgment of alarms does not work when the instances are over 1000 occurrences. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 105 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCuh57033 Error message not displayed to mobile users in Central WebAuth (cwa) with invalid credentials. CSCuh79430 Machine Access Restriction (MAR) Cache on Access Control Server (ACS) not corrected when Machine removed from Active Directory (AD). CSCuh79607 Identity Services Engine (ISE) Active Directory (AD) group matching fails due to forward slash in AD group name. CSCuh86591 Identity Services Engine (ISE) Simple Network Management Protocol (SNMP) profiling failed when connected to 48 ports stacked under 24 ports switch master. CSCuh87451 Browser redirected to the guest portal when declining acceptable use policy (AUP) through a Device Registration Web Authentication (DRW). CSCuh89530 404 Error on MnT GUI and wrong persona in deployment page after customer database restore. CSCuh96440 Could not determine prior Cisco Agent Installation on Windows or MAC OS X machines in pre-posture state. CSCui01605 Admin cannot duplicate and save policy-set if existing policy set has user defined simple condition. CSCui09203 Identity Services Engine (ISE) fails When accounting message with long class string. CSCui15711 Internal error encountered while creating guest user with a time profile that was deleted and recreated with the same name. CSCui16843 Operational backup or restore failed when primary monitoring node is not reachable due to power down or inner shut down. CSCui25164 Identity Services Engine (ISE) sponsors cannot view accounts that it created after change of group. CSCui48401 Spaces in email when creating user in sponsor portal caused error in Identity Services Engine (ISE). CSCui53920 Identity Services Engine (ISE) 1.2 dashboard metric % posture compliance is wrongly calculated for posture status other than “Complaint” or “Not Applicable”. CSCui63474 Dynamic Host Configuration Protocol (DHCP) Switched Port Analyzer (SPAN) not starting unless Internet Protocol (IP) is assigned to the interface. CSCui65057 Current iso-to-usb.sh script does not set the proper path for syslinux when used on CentOS 6.4. CSCui65835 Devices in the network device list is not visible when customer logs in with Active Directory (AD) credentials in to Web GUI. CSCui72087 Default access restrictions not securely enforced on several pages existing within the Inbox, Alarms, and Schedule pages. CSCui82602 Guest Cache Issues for Identity Groups. CSCui82615 Guest account cache issues for time profiles set by the sponsor. CSCuj19173 MemberOf attribute fails with regular expression if group belong to an Organizational Unit (OU) in Active Directory (AD). CSCuj20969 Network Device Session status report fails for a switch with message “SNMP information is not configured for this device in ISE.” Release Notes for Cisco Identity Services Engine, Release 1.2.x 106 OL-27043-01 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCuj30442 ISE Application Deployment Engine (ADE) does not allow the deletion of certain files from local repository. CSCuj30585 ISE Client Provisioning Portal (CPP) allows MAC configuration for WebAgent. CSCuj42566 ISE guest reporting does not identify the sponsor who effects changes to a guest account. CSCuj58037 iPEP ISE 1.2 in routed mode does not use service Internet Protocol (IP) for RADIUS packets. CSCuj61976 Admin Graphical User Interface (GUI) fails to display certain GUI pages when using Firefox 25. CSCuj63421 Creating ISE shared reports via interactive viewer is broken. CSCuj64008 Profiler feed service policy for Amazon Kindle Fire tablet to be devised. CSCuj68540 Monitoring (MnT) schema upgrade script is logging INFO messages as ERROR and WARNING. CSCuj71399 Performing backup through the GUI or CLI throws “A backup or restore is already in progress” error. CSCuj71819 Accented characters in guest username displayed in HEX format in ISE GUI. CSCuj76383 Admin user receives two email notifications for password expiry. CSCuj88351 Loading a corrupted Certificate Authority (CA) certificate on startup causes config rollback with related problems. CSCuj99801 External RESTful Services (ERS) error codes are not consistent for the same action pertaining to different categories. CSCuj99912 ISE 1.2 External RESTful Services (ERS) filter by name for Security Group Tag (SGT) category fails. CSCul00148 Start and end time profiles display according to ISE timezone instead of Guest timezone. CSCul00743 The Operation > Authentication page is blank for invalid characters in username. CSCul00985 Ubuntu laptop users without posture checks are redirected to the Client Provisioning Portal (CPP) page after Centralized Web Authentication (CWA). CSCul02830 Active Directory (AD) test connection fails for domain\user-ID. CSCul05429 Authorization rule does not match CVPN3000/ASA/PIX7x-Tunnel-Group-Name. CSCul05764 Incorrect references when Certificate Authority (CA) ID Store Name is changed. CSCul08673 Export of custom report for a date range failed. CSCul30358 Active Base license count exceeds the allowed license count. CSCul37463 Scheduled backup does not work on upgrading from previous version to 1.2. CSCul45573 Network Access Device (NAD) config does not accept % in RADIUS shared secret/SNMP community string. CSCul47387 Character limit should be increased for policy rule name. CSCul53156 Device Registration page is blank when used with AddTrust certificates. CSCul56940 Endpoint profiling is incorrect when two Cisco or Linksys routers are connected to a Multi-Domain Authentication (MDA) port. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 107 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCul65329 ADclient cache is not cleared via the application configure ise command. CSCul82600 Unable to delete custom attribute even after deleting the linked authentication policy. CSCul86934 On executing the reset-config command, ISE Secure Shell (SSH) sessions are allowed only from allowed Internet Protocol (IP) access subnets. CSCul88799 Cisco Integrated Management Controller (CIMC) KVM console displays “Out of Range” against a green background, on entering the “terminal length X” command. CSCul92356 Devices registered by Guest users fall into the Unknown group. CSCul94611 ISE Dashboard fails to display live consolidated and correlated statistical data. CSCul94858 Certificate Revocation List (CRL) retrieval does not use globally configured proxy server. CSCul95195 Custom Supplicant Provisioning Wizard (SPW) for Telstra RADIUS proxy with differentUserName and nonBroadCast options unchecked. CSCul96935 An hour difference between Graphical User Interface (GUI) and Command Line Interface (CLI) during daylight savings time. CSCum05014 ISE does not display endpoint profiling policies in the Graphical User Interface (GUI) CSCum41336 ISE reports fail on Network Control System (NCS) platform cross launch. CSCum41378 Static profile assignments to an endpoint Identity group for some devices are removed resulting in device reprofiling. CSCum46269 Active endpoints count on the dashboard does not match the actual active endpoints, when there is a surge of endpoints. CSCum48676 ISE 1.2 does not display information in the System Summary Applet on the dashboard if the Logging Category is set to a severity level other than INFO. CSCum49249 External RESTful Services (ERS) Application Programming Interface (API) does not list all endpoints as specified in the Software Development Kit (SDK) guide. CSCum53319 Diagnostics for failure to download the Certificate Revocation List (CRL) should be precise. CSCum58581 MAC OSX 10.9 device is not redirected to the Bring Your Own Device (BYOD) flow when using the guest device registration page. CSCum60924 Extensible Authentication Protocol (EAP) chaining mode does not allow more than one value for the EapAuthentication attribute. CSCum68149 The Live Authentication Report page does not display the accurate currenttime and currentdate attributes. CSCum69229 Create Random Accounts setting using Google Chrome does not display the desired results. CSCum70441 Incorrect value is displayed for the GET request sent to find the total internal users in ISE External RESTful Services (ERS) Application Programming Interface (API). CSCum72386 Endpoints delete all confirmation messages when “No” button is deactivated. CSCum73765 Profiling with SNMP v3 Query fails when triggered by SNMP trap/RADIUS Accounting probe. Release Notes for Cisco Identity Services Engine, Release 1.2.x 108 OL-27043-01 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCum86183 Notifications for license expiry alarm are received from deregistered nodes. CSCum86331 ISE does not allow comma in Organizational unit name (OU) or Organization name (O) fields when creating a Certificate Signing Request (CSR). CSCum95069 Inline Posture Node (IPN) sends only username for authorization when Extensible Authentication Protocol (EAP) chaining is configured. CSCun00882 ISE does not create logs of erroneous usernames in the sponsored guest portal. CSCun21197 In a simple authentication condition, if the operator “Ends with” or “Not ends with” is used, it is not saved properly. CSCun23340 Randomly created guest users are not displayed in Firefox. CSCun23357 Uploaded guest users are not displayed in Firefox. CSCun25832 Unable to activate expired guest accounts. CSCun28218 ISE: Java Memory Leak outside of Heap space. CSCun31175 Registered endpoint report does not include manually added devices. CSCun33755 Unable to create the required number of Guest accounts from the sponsor portal. CSCun33774 The status of a new guest user account that is created in the sponsor portal is Active instead of Awaiting Initial Login. CSCun42967 ISE 1.2: The SNMP process stops randomly. CSCun45607 ISE incorrectly authenticates users based on the authorization PAC file. CSCun46242 Deletion of the Thawte Primary Root CA from ISE results in failure of provisioning and posture updates. CSCun48940 ISE Radius authentication over Gig1 stops if Gig0 down. CSCun53951 ISE presents self-signed certificate instead of CA-signed certificate. CSCun57304 The KRON command is not working for backup logs. CSCun59740 ISE 1.2: Only 5000 entries are displayed when viewing Guest Live reports. CSCun81620 Editing a guest condition in PAN applies the same changes to the previously condition. CSCun89615 ISE duplicate attributes cause failure to locate network devices. CSCun89771 Running ISE reports for 30 days generates only up to 100 pages. CSCun92193 In Certificate Authentication Profile (CAP), ISE selects incorrect information from the SAN field for multiple entries. CSCun94882 ISE 1.2: Change of Network Device Group name does not reflect in CSV export. CSCun95554 The monitoring node stops logging for email notification configured on ISE. CSCun96746 ISE self registering guest users do not inherit specified time profile. CSCun97251 ISE 1.1.4: Cannot find machine with DNS suffix which does not exist on the Domain Controller Group List. CSCun98217 Cross-Domain referer leakage in Admin portal. CSCuo00404 ISE 1.2: ACL syntax checker is incorrect. CSCuo05180 Cannot authorize external certificate authenticated users by using the device's identity group as an “other condition”. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 109 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCuo05345 Cannot match an Authorization policy rule configured with an “other condition” of IdentityGroup:Name. CSCuo14398 ISE 1.2: ISE disregards the current password policy when editing an internal user. CSCuo14953 ISE: MobileIron MDM test connection passes but Save fails. CSCuo16506 Internal users cannot change their password in the guest portal. CSCuo19521 Repository in the WebGUI with special characters fails. CSCuo24274 SNMP should run in all interfaces not only in Gig0. CSCuo24384 ISE: Guest:Mobile Portal in Custom portals does not follow browser local language. CSCuo39832 ISE takes IP address from same subnet and has incorrect ARP entries. CSCuo41482 GUI admin Active Directory (AD) login fails with HTTP error 500. CSCuo41713 Identity Services Engine (ISE) 1.2: Installation of patch 5 in distributed deployment caused first time login users to go active. CSCuo54987 Identity Services Engine (ISE) does not drop Radius packet if value is too large for database. CSCuo58786 Authentication, authorization, and accounting (AAA) services not available during purging of guest users. CSCuo60767 Identity Services Engine (ISE) UTF-8 character encoding displayed garbage characters on screen for profiler attribute. CSCuo62245 Failed to purge data from the operations database. CSCuo63358 Incorrect success message being displayed, when provisioning Apple iOS Device through supplicant portal in Bring Your Own Device (BYOD) SSID. CSCuo64251 Unable to manage ISE AD user device as it does not show up in “My Devices” portal. CSCuo66847 When a user edits a saved scheduled report, it ceases to exist. CSCuo67423 Reconfiguring the IP address of an iPEP node with the service IP that was previously used results in missing tabs in high availability configuration. CSCuo68012 ISE services fail to start when time zone is set to Asia/Riyadh89. CSCuo78051 A custom portal setting is saved but the configured setting fails to reflect in the GUI. CSCuo78457 An SNMP probe that is configured to match a profile using the “CONTAINS” operator fails. CSCuo78949 Changing the password policy in the GUI of Primary PAP server does not change the password policy in the iPEP server. CSCuo79012 Unable to support SNMP triggered queries with NAD using iOS version with deprecated STACK-MIB. CSCuo80929 An “value too large” error message is displayed for guest usernames with special characters. CSCuo93398 Unable to integrate the Active Directory (AD) with ISE using the admin GUI. CSCuo94313 Unable to pull Lightweight Directory Access Protocol (LDAP) groups for admin/service accounts containing the “+” sign in the password. Release Notes for Cisco Identity Services Engine, Release 1.2.x 110 OL-27043-01 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCuo95635 Change of Endpoint Device Group name appears correctly in the Identity Group Assignment option but fails in the Identity Group. CSCuo95660 Endpoints exported to comma-separated values (CSV) file displays an incorrect endpoint device group name. CSCuo97007 Failed to start database during initial setup for Identity Services Engine (ISE). CSCuo99160 Identity Services Engine (ISE) 1.2: Failed registration and GUI error thrown when Policy Service Node (PSN) failed to ping Primary Administration Node (PAN) during registration. CSCup03116 Identity Services Engine (ISE) 1.2: Editing NDG does not update AuthC/AuthZ conditions. CSCup05013 Identity Services Engine (ISE) 1.2: p8 IOS-XE switch profiled as unknown endpoint. CSCup08017 Accidental Ctrl + C should not break Restore/Upgrade during important operations. CSCup15453 Identity Services Engine (ISE) Guest Sponsor Mapping Report causes CPU on primary MnT node to increase dramatically. CSCup16700 Reset password does not check for valid user before asking for new password. CSCup17245 “Value our of range” error displayed when editing a guest account. CSCup20844 Identity Services Engine (ISE) NAC agent does not popup if machine and user authentication is connected to switch sw: 15.2(1)E. CSCup22534 Multiple vulnerabilities in OpenSSL/CiscoSSL released during June 2014. CSCup27305 Identity Services Engine (ISE) 1.2: DACL Validator does not enforce source must be “any”. CSCup32455 Identity Services Engine (ISE) 1.2: Password for admin user detected in clear text in the file support\dbexport\ise-dbimport.sh. CSCup38457 Importing guest account using comma-separated value (CSV) failed through sponsor portal. CSCup42129 Swiss/posture INFO logs filling ise-psc.log and not moving to DEBUG level. CSCup45530 Identity Services Engine (ISE) External RESTful Services (ERS): Cannot modify staticProfileAssignment field without specifying the endpoint's current profileId. CSCup45594 Identity Services Engine (ISE): External RADIUS server is not persistent after failover. CSCup47501 Identity Services Engine (ISE) 1.2.1: Inline Posture Enforcement (iPEP) node interface driver booting out of order with no response when cable remains plugged into interface Gig Etho. CSCup47873 Identity Services Engine (ISE) upgrade failed due to LOB corruption. (Please check on this LOB term) CSCup55211 Identity Services Engine (ISE) 1.2: Mobile Device Management (MDM) input Validation with % in password cannot login. CSCup57288 Bring Your Own Device (BYOD) DUAL SSID with native supplicant provisioning results in a second entry in the live authentication log. CSCup57871 ERS cannot filter by username, if it is a number. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 111 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCup60155 Guest users are deleted when upgrading or restoring a backup from ISE 1.1.x to ISE 1.2.1. CSCup64698 On IPN ISE 1.2, latency is caused by HDPARM process for every 10 minutes. CSCup67195 While upgrading from ISE 1.2 to ISE 1.2.1, upgrade failure occurs in Step 3 due to invalid certificate. CSCup69753 After deleting a profile in Simple Certificate Enrollment Protocol (SCEP), an error message is displayed when the associated Registration Authority (RA) certificate is removed. CSCup69985 ISE VM on which DB is restored is not accessible via SSH and GUI. Only ping and console are available. CSCup72664 In ISE 1.2, the guest account time profile is reset to one day. CSCup80194 ISE deletes VLAN to SGT mappings while deploying IP-to-SGT mapping. CSCup88564 Use a different name for a newly created time profile. When the old time profile is deleted, you cannot reuse the same time profile name for a newly created time profile. CSCup89812 Upgrade from ISE 1.1.2 to ISE 1.2 fails because of posture rules. CSCuq11966 Multi-nested custom profiles cannot be created. CSCuq14441 Replication fails on deployment when custom portal is deleted. CSCuq17787 ISE crashes when the value of Type Field Length is set to 2. CSCuq22514 In ISE 1.2, when the authorization and authentication policies are set to Monitor Only mode, the details of the policy names are not displayed. CSCuq22636 ISE does not ask for LLDP attributes for triggered RADIUS or SNMP traps. CSCuq24719 When upgrading to ISE 1.2 Patch 9, account start time is not updated in Sponsor portal. CSCuq32696 ISE Policy Service Node (PSN) removes proxy-state attributes from Inline Posture Node (IPN/IPEP). CSCuq35206 In ISE 1.2, the shutdown command is present in the running configuration of the interface while the interface is operational. CSCuq35663 Attribute retrieval for a user fails when AD sends back photo thumbnail. CSCuq39743 Import guest users on ISE using sponsor bypass mandatory fields. CSCuq40153 Quick filter option does not work when it is used to search endpoint profiles using a MAC address. CSCuq43889 IP address learned from SNMP query should trigger DNS probe. CSCuq45219 Renewing Ticket Granting Ticket (TGT) fails if there are Read Only (RO) domain controllers. CSCuq48588 Replace cross-signed thawte Primary Root CA with its normal version. CSCuq52277 Error occurs when there are too many node entries in Subject Alternative Name (SAN) field in CA certificate. CSCuq53846 A user logging in with an expired guest account is redirected to the default Cisco branded portal without displaying an error message. Release Notes for Cisco Identity Services Engine, Release 1.2.x 112 OL-27043-01 Cisco ISE, Release 1.2.x, Open Caveats Table 24 Cisco ISE, Release 1.2.x, Open Caveats (continued) Caveat Description CSCuq64817 DB import fails in ISE 1.2. CSCuq83249 After upgrade from ISE 1.2 Patch 8 to ISE 1.2.1 Patch 1, guest user authentication fails if they login after the time profile validity time. CSCuq85679 Change of Authorization (CoA) is not sent from ISE to Wireless LAN Controller (WLC) for guest users. CSCuq85955 For an LWA deployment, ISE sends CoA disconnect with empty session ID. CSCuq86420 Triggered SNMP Query via Radius traps not working. CSCuq90710 Posture policies are not listed after creation. CSCuq92558 PSNs move to Replication Stopped state when the application server does not start normally. CSCuq92574 In ISE 1.2.1, Bring Your Own Device (BYOD) profile installation fails. CSCuq93969 Authorization profile using CWA returns to default when static host is used. CSCuq95245 ISE 1.2, CoA fails when guest credentials are suspended in the Sponsor portal. CSCuq96971 In ISE 1.2.1, Framed-Pool attribute is not available in the authorization profile. CSCuq97996 MyDevices portal does not display MAC addresses added by the AD user. CSCur00110 Sponsor login fails when child user group is added as a guest in the sponsor group. CSCur03113 Local Web Authentication (LWA) language template is corrupted after upgrading to ISE 1.2.1. CSCur07303 ISE GUI 1.x (except ISE 1.3) does not allow to import more than 100 custom portals. CSCur09231 In ISE 1.2.1, if a sponsor account is configured to use Account Start Date, the sponsor creates an account even after that date. CSCur09439 SCEP EAP-TLS flow on OS X 10.9.5 fails to install the profile or provision certificate. CSCur11055 When running ISE 1.2.1, MNT Livelog does not display logs. CSCur11083 MNT Livelog displays incorrect user details. CSCur12480 In ISE 1.2.1 guest flow, redirection to the guest portal via PlayStation 3 browser fails. CSCur19320 Sponsor users who are not granted privileges are able to view and edit guest accounts using the search criteria. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 113 Cisco ISE, Release 1.2.x, Open Caveats Open Agent Caveats Table 25 Cisco ISE, Release 1.2, Open Agent Caveats Caveat Description CSCti60114 The Mac OS X Agent 4.9.0.x install is allowing downgrade The Mac OS X Agent is allowing downgrades without warnings. Note CSCti71658 Mac OS X Agent builds differ in minor version updates only. For example, 4.9.0.638 and 4.9.0.637. The Mac OS X Agent shows user as “logged-in” during remediation The menu item icon for Mac OS X Agent might appear logged-in before getting full network accesses The client endpoints are connecting to an ISE 1.0 network or NAC using device-filter/check with Mac OS X Agent 4.9.0.x. Workaround Please ignore the icon changes after detecting the server and before remediation is done. CSCtj22050 Certificate dialog seen multiple times when certificate is not valid When the certificate used by the agent to communicate with the server is not trusted, the error message can be seen multiple times. Workaround Make sure you have a valid certificate installed on the server and that it has also been accepted and installed on the client. Note CSCtj31552 The additional certificate error message is primarily informational in nature and can be closed without affecting designed behavior. Pop-up Login windows option not used with 4.9 Agent and Cisco ISE When right clicking on the Windows taskbar tray icon, the Login option is still present, but is not used for Cisco ISE. The login option should be removed or greyed out. Workaround There is no known workaround for this issue. CSCtk34851 XML parameters passed down from server are not using the mode capability The Cisco ISE Agent Profile editor can set parameter modes to merge or overwrite. Mac OS X agent is not processing the mode correctly. Instead, the complete file is overwritten each time. Workaround To use a unique entry, the administrator must set up a different user group for test purposes, or set the file to read only on the client machine and manually make the necessary changes to the local file. CSCtl53966 Agent icon stuck on Windows taskbar The taskbar icon should appear when the user is already logged in. Workaround Right-click on the icon in the taskbar tray and choose Properties or About. After you close the resulting Cisco NAC Agent dialog, the taskbar icon goes away. Release Notes for Cisco Identity Services Engine, Release 1.2.x 114 OL-27043-01 Cisco ISE, Release 1.2.x, Open Caveats Table 25 Cisco ISE, Release 1.2, Open Agent Caveats (continued) Caveat Description CSCto33933 Login Success display does not disappear when user clicks OK This can occur if the network has not yet settled following a network change. Workaround Wait a few seconds for the display to close. CSCto45199 “Failed to obtain a valid network IP” message does not go away after the user clicks OK This issue has been observed in a wired NAC network with IP address change that is taking longer then normal. (So far, this issue has only been only seen on Windows XP machines.) Workaround None. The user needs to wait for the IP address refresh process to complete and for the network to stabilize in the background. CSCto48555 Mac OS X agent does not rediscover the network after switch from one SSID to another in the same subnet Agent does not rediscover until the temporary role (remediation timer) expires. Workaround The user needs to click Complete or Cancel in the agent login dialog to get the agent to appear again on the new network. CSCto63069 The nacagentui.exe application memory usage doubles when using “ad-aware” This issue has been observed where the nacagentui.exe memory usage changes from 54 to 101MB and stays there. Workaround Disable the Ad-Watch Live Real-time Protection function. CSCto84932 The Cisco NAC Agent takes too long to complete IP refresh following VLAN change The Cisco NAC agent is taking longer than normal to refresh IP address due to double IP refresh by supplicant and NAC agent. Workaround Disable the Cisco NAC Agent IP address change function if there is a supplicant present capable of doing the same task. CSCto97486 The Mac OS X VLAN detect function runs between discovery, causing a delay VLAN detect should refresh the client IP address after a VLAN detect interval (5) X retry detect (3) which is ~ 30 sec, however it is taking an additional 30 sec. This issue has been observed in both a wired and wireless deployment where the Cisco NAC agent changes the client IP address in compliant or non-compliant state since Mac OS X supplicant cannot. An example scenario involves the user getting a “non-compliant” posture state where the Cisco ISE authorization profile is set to Radius Reauthentication (default) and session timer of 10 min (600 sec). After 10 min the session terminates and a new session is created in the pre-posture VLAN. The result is that the client machine still has post-posture VLAN IP assignment and requires VLAN detect to move user back to the pre-posture IP address. Workaround Disconnect and then reconnect the client machine to the network. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 115 Cisco ISE, Release 1.2.x, Open Caveats Table 25 Cisco ISE, Release 1.2, Open Agent Caveats (continued) Caveat Description CSCtq02332 Windows agent does not display IP refresh during non-compliant posture status The IP refresh is happening on the client machine as designed, but the Agent interface does not display the change appropriately (for example, following a move from preposture (non-compliant) to postposture (compliant) status). Workaround There is no known workaround for this issue. CSCtq02533 The Cisco NAC Agent takes too long to complete IP refresh following VLAN change The Cisco NAC agent is taking longer than normal to refresh IP address due to double IP refresh by supplicant and Cisco NAC agent. Workaround Disable the Cisco NAC Agent IP address change function if there is a supplicant present capable of doing the same task. CSCts80116 OPSWAT SDK 3.4.27.1 causes memory leak on some PCs Client machines that have version 8.2.0 of Avira AntiVir Premium or Personal may experience excessive memory usage. Note This has only been observed with version 8.2.0 of Avira AntiVir Premium or Personal. Later versions of the application do not have this issue. Workaround Install later version of Avira AntiVir Premium or Personal. CSCty02167 IP refresh fails intermittently for Mac OS 10.7 guest users This problem stems from the way Mac OS 10.7 handles certificates. Marking the certificate as “trusted” in the CWA flow is not good enough to download the java applet required to perform the DHCP refresh function. Workaround The Cisco ISE certificate must be marked as “Always Trust” in the Mac OS 10.7 Keychain. CSCub62836 In Live Authentication page, certain UTF-8 characters do not display correctly This only happens for a very limited set of characters. Workaround Use RADIUS Authentications report instead, to view the same information correctly. CSCul10891 Upgrade from earlier version of NAC Agent to version 4.9.0.1013 fails to launch Agent popup After upgrading to NAC Agent version 4.9.0.1013 on Windows 8 or Windows 8.1 64-bit clients, the upgraded Agent might not launch automatically. Workaround If the Agent does not launch automatically, then manually double-click the NAC Agent UI shortcut on the desktop to launch the Agent. Release Notes for Cisco Identity Services Engine, Release 1.2.x 116 OL-27043-01 Cisco ISE, Release 1.2.1, Resolved Caveats Table 25 Cisco ISE, Release 1.2, Open Agent Caveats (continued) Caveat Description CSCum88173 Minimum compliance module version required for configuring SEP 12.1.x definition check on Mac OS is 3.6.8616.2 and not 3.6.8501.2. The minimum Compliance Module version required for configuring AV check in NAC support charts for Symantec Endpoint Protection (SEP) 12.1 for Mac OS is displayed as 3.5.8501.2. However, the version 3.5.8501.2 has issues in detecting the definition date/version for SEP 12.1.x on Mac OS. As this issue is addressed in Compliance Module 3.6.8616.2, administrators need to use 3.6.8616.2 as the minimum Compliance Module needed for detecting SEP 12.1 definitions on Mac OS. CSCun60071 UI not visible for application launched by NAC agent during remediation When Cisco ISE is configured to launch an application as a remediation, the application gets launched and is available in the task manager, but the UI is not visible to the user, irrespective of whether the user is logged in as admin or not. Since Launch program remediation feature is modified from user privilege to system privilege, NAC Agent allows UAC Elevation for all Launch program remediation actions. For more details, refer to CSCun60071. CSCtw50782 Agent hangs awaiting posture report response from server Workaround The issue occurs with Mac OS X 10.7.2 clients. Kill the CCAAgent Process and then start CCAAgent.app. Perform the following: CSCty51216 1. Go to Keychain Access. 2. Inspect the login Keychain for corrupted certificates, like certificates with the name “Unknown” or without any data 3. Delete any corrupted Certificates 4. From the pull-down menu, select Preferences and click the Certificates tab 5. Set OCSP and CRL to off. Upgrading Mac OS X Agent version 4.9.0.638 to later versions fails. Workaround 1. Remove the “CCAAgent” folder from temporary directory 2. Reboot the client 3. Connect to Web login page and install the Agent from there Cisco ISE, Release 1.2.1, Resolved Caveats The following table lists the resolved caveats in Cisco ISE, Release 1.2.1. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 117 Cisco ISE, Release 1.2.1, Resolved Caveats Table 26 Cisco ISE, Release 1.2.1, Resolved Caveats Caveat Description CSCtx94533 The Endpoint DeviceRegistrationStatus Attribute Always Shows “Pending” CSCty01787 Error in Generating XML Output for EndPointIPAddress API CSCty87291 Admin Web Portal Requests ID certification When It’s Password authentication-only CSCua69331 IE 8 + ChromeFrame BHO - CWA authorization profiles not displaying correctly. CSCub18575 Problem with sponsor accounts starting with a "0" CSCud38634 Guest sponsor details shows wrong sponsor name. CSCud70219 Log.xml files are not cleaned out regularly. CSCud70397 Need support SCSI controller (VMware Paravirtual) for VMware install. CSCud89273 Passed Numbers Not Appearing on Authentications Dashlet CSCue14864 Endpoint statically assigned to ID group may appear in different group CSCue98728 No indication of character limit for 'Configure Email Notification' box CSCuf24898 ISE repository max password length 16 characters. CSCuf47491 Timestamp of core files not preserved in support bundle. CSCuf76821 .trc and .trm files are not cleaned out regularly. CSCug20065 Unable to enforce RBAC as desired to a custom administrator. CSCug59579 Windows 8 not included in Client Provisioning CSCug90502 ISE Blind SQL Injection Vulnerability. CSCug96069 Replication status update fails for all nodes if the network is restored on PAP. CSCuh01760 Misconfigured NAS criteria needs to be changed CSCuh14228 Internal administrator summary report export not working CSCuh15572 Invalid license file, possibly license file has expired or is corrupt. CSCuh20322 Need ISE application server restart reason and timestamp CSCuh23536 RADIUS drop should have last event timestamp CSCuh25506 Cisco ISE CSRF Vulnerability CSCuh25868 Authorization: re-editable text/string condition limited to 16 characters CSCuh30587 Backup fails due to ISE restart CSCuh36333 Successful DACL download authentication is counted under authentication dashlet CSCuh38253 IP columns sorts on char instead on num on. CSCuh41450 IP Columns Sort on Char on Network Devices Page CSCuh44972 DenyUsers oracle statement removed during upgrade. CSCuh45239 Node Status Patch page does not refresh automatically CSCuh56170 MCPSS Mnt DB Sanity Check failed during upgrade from 1.1.2.145 to 1.2. CSCuh56278 Local Web Authentication (LWA) Guest access by iOS 6 devices on ISE 1.2 fails CSCuh65084 Scroll issue for small screens on Live Log page CSCuh79596 Freshly Installed Standalone ISE Server Not Logging MDM Events CSCuh81511 ISE remote command execution Release Notes for Cisco Identity Services Engine, Release 1.2.x 118 OL-27043-01 Cisco ISE, Release 1.2.1, Resolved Caveats Table 26 Cisco ISE, Release 1.2.1, Resolved Caveats (continued) Caveat Description CSCuh84099 ISE should verify non-printable characters in x.509 certs CSCuh88637 Method “getAlarmsOccuredAfter” throws exception CSCuh95845 After internal password change policies using NA conditions match default Policy. CSCui02984 Sponsor authentication failed for Active Directory user with Sponsor_Portal_Sequence. CSCui14093 Oracle Critical Patch Update CSCui15038 ISE HTTP control interface for NAC Web Agent XSS Vulnerability CSCui15042 BYOD Stress causes MNT to stop reporting current Authentication Sessions CSCui15064 Certain ISE Reports Vulnerable to XSS Injection CSCui15354 ISE should remove ENDSW operators CSCui15633 Sponsor portal login fails for some users CSCui16528 Wrong service selection for NDAC Policy CSCui21439 Message code texts are blank or incorrect CSCui22884 ISE presents wrong HTTPS certificate CSCui23231 Certain custom ISE reports cannot be exported CSCui26708 ISE node to node HTTP Basic Authentication username and password logged CSCui30266 ISE MDM Portal Cross-Site Scripting Vulnerability CSCui30275 Component of the administration page of the Cisco Identity Services Engine (ISE) was vulnerable to a cross-site scripting (XSS) attack CSCui34389 RADIUS accounting drop is not suppressed, flooding live log. CSCui36160 Whitelist and expiration notification. CSCui36643 ISE Editing schedule report complains of existing report name in use. CSCui38818 ISE 1.2 NFS repository configuration has extra colon after upgrade CSCui40950 Guest login takes long time and times out. CSCui42788 Exporting of imported profile policy results a garbled description. CSCui44324 Backup task can't be configured in ISE 1.2 UI. CSCui45891 Upgrade logs are missing in ADE.log after upgrade failed CSCui46739 Guest applet fails after update to Java 7 update 25. CSCui48779 Clicking ‘Undo Latest’ on Feed Service page does not clean up rules in some conditions. CSCui48781 NSF Rule with complex condition - names are not unique per service CSCui56071 ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates CSCui57100 EAP-TLS auth fails with two sets of CRLs because CRL signature decrypt failed CSCui57152 Endpoint Policy not updated for endpoints added using ERS API CSCui57374 ISE iPEP Invalid RADIUS Authenticator error during high load CSCui57882 Some expired guest accounts cannot be deleted from PDP CSCui57933 Purge expired guest accounts does not work Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 119 Cisco ISE, Release 1.2.1, Resolved Caveats Table 26 Cisco ISE, Release 1.2.1, Resolved Caveats (continued) Caveat Description CSCui57961 When editing an expired guest account that cannot be deleted, logs out. CSCui58123 Upgrading to 1.2 with \"Select Condition\" in Posture Requirements CSCui58390 Multiple names in SAN Field and ISE choose value randomly. CSCui59370 Upgrade fails on Guest update sponsor user: email is null CSCui62290 Develop REST APIs for ISE MnT alarms CSCui65530 Upgrade failed with DuplicateEntityException for TimeProfile CSCui67495 Uploaded Filenames/Content Not Properly Sanitized CSCui67511 Certain File Types are not Filtered and are Executable CSCui71484 ISE SEC PAP has write access via ERS API CSCui72269 ISE unable to understand SNMP attribute coming from Switch. CSCui72330 HTML comments disclose potentially sensitive information CSCui72658 Guest Portal cookies not set as Secure or HTTP Only. CSCui74478 Self Service Flow checking for email address CSCui74496 Domain Names should be validated before saving the Portal settings CSCui74678 Getting Account Expiration Notification too early for the Guest accounts CSCui75335 ISE 1.2 NAC agent fails posture due to ‘NAC Server not available.’ CSCui75669 Endpoint update calls from guest-portal causing replication issues CSCui76932 Unable to Save Notification details while creation of Time Profile CSCui77336 Customized URL ISE self registration not working. CSCui78135 On Alpha Alarms Still Show Up When We Select All and Acknowledge CSCui78802 Usability issues while validating security defect CSCui78849 Warning message should be more meaning full while creating Time Profile CSCui80340 Partner MDM performance improvements CSCui81442 Domain Validation should be Case Insensitive CSCui81825 Unable to Save Notification details while editing Sponsor Lang template. CSCui82674 Unable to save and modified edited endpoint with Base license ONLY CSCui82998 Custom Guest Portal Loops after AUP Due to Loss of Session ID CSCui83009 Unable to push compliance module to NAC agent on Macs. CSCui89741 ISE ERS API creates endpoint with invalid format MAC address. CSCui90286 Able to create TimeProfile eventhough Notification time > duration CSCui94488 MyDevice Portal allows endpoints with static endpoint ID group other than RegisteredDevices. CSCui96322 Default Guest Portal Email Address Limited to 24 Characters CSCui96960 MNT Livelog/Dashboard performance. CSCuj01781 ISE uses SAN of user certificate for machine lookup in Active Directory CSCuj03071 EndPoint update not being saved to PAP due to high latency Release Notes for Cisco Identity Services Engine, Release 1.2.x 120 OL-27043-01 Cisco ISE, Release 1.2.1, Resolved Caveats Table 26 Cisco ISE, Release 1.2.1, Resolved Caveats (continued) Caveat Description CSCuj03131 Lower "Request Rejection Interval" minimum to 5 minutes CSCuj03697 Allow Tunnel attributes in policies CSCuj03811 No suppression for misconfigured NAS when errors are alternating CSCuj04748 Original URL preservation for BYOD provisioning and Guest flows CSCuj05295 ISE App server crashed and stuck in initialized state with "null" in collection filter CSCuj07535 IP Address Change is Not Recorded in Endpoint Profile on ISE 1.2 CSCuj09430 Guest account is not working according to its Time Zone CSCuj11040 ISE Should Not Degrade a Profile Based on Problematic User-Agent CSCum97337 CSCuj11855 ISE gives little debugs when SCEP fails for Windows-related reasons CSCuj13804 IE8 gives error on ISE1.2 when accessing the provisioning portal CSCuj14382 Cannot statically assign IP address as FramedAddress CSCuj15372 Authentications fail with MDM authentication rules enabled CSCuj16049 HA Licensing CSCuj17272 Upgrade from 1.1.3 to 1.2 breaks identity source sequence instances CSCuj19602 Sponsor portal banners do not work on upgraded ISE CSCuj19882 Unable to edit the existing Guest accounts after restoring old backup CSCuj23727 Change in iOS 7 user-agent string for an iPod Touch breaks its BYOD flow CSCuj25038 ERS Service Disabled After Reboot CSCuj26086 ISE Client Provisioning - NSP does not launch on Safari 7 (Mac OS X 10.9) CSCuj80131 CSCuj26495 Restricted Characters in Policy Names carried forward after upgrade. CSCuj28447 Endpoint statically assigned to ID group may appear in different group CSCuj28968 Guest Activity Report is not working CSCuj34004 User name change detected for the session removes all session attributes CSCuj36104 ISE does not allow CRL when the name is the same on two Certificate Authorities CSCuj36310 “@” Character Not Accepted in Wireless SSIDs Fields CSCuj38204 ISE does not allow access for guest with no webagent if posture is configured CSCuj39926 Kaspersky remediation does not appear anymore in the AV remediation CSCuj45431 ISE Support for Mac OS X 10.9 NAC Agent CSCuj45766 Add/Remove MDM server never got replicated to PSNs in distributed deployment CSCuj47806 ISE redirects to default guest pages when it’s configured to redirect to custom pages CSCuj48111 Hyphen and minus sign can't be entered as first or last name CSCuj49903 Downloading / viewing large logfiles from PDP causes out of memory error CSCuj51094 Captured TCPDump file is not working CSCuj52520 Unable to login to CLI after ISE upgrade Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 121 Cisco ISE, Release 1.2.1, Resolved Caveats Table 26 Cisco ISE, Release 1.2.1, Resolved Caveats (continued) Caveat Description CSCuj54630 ISE 1.2 patch 2 is rejecting https cookies from the Mobile Iron Server CSCuj57335 Egress Matrix: require default SGACL that includes log option CSCuj60796 ISE Support for IE 11 CSCuj61976 Admin UI fails to display certain UI pages when using Firefox 25 CSCuj62239 Rollback in case of upgrade failure is not cleaning temp tables, indexes CSCuj63046 Text fields impose 24 character limit during guest self-registration CSCuj63053 Cfg.xml,CM download doesn't happen if CP rule is Win8.1 Specific CSCuj63516 Denial of Service Vulnerability exists in OpenSSH version CSCuj65306 Cisco ISE 1.2 upgrade fails due to shared memory allocation failure CSCuj65586 Need to optimize the way records are displayed in RADIUS Drop counters CSCuj66093 86017 Error page sessionExpired.jsp images links are invalid CSCuj70022 EAP-FAST authenticated provisioning with Android doesn't work CSCuj71439 Cisco ISE REST API - changing username returns password error CSCuj72022 Cannot use "Ends With" operator in a Posture condition on ISE CSCuj82378 Downloaded captured TCP dump file for remote node is not of proper size CSCuj82836 Manual CoA - Re-authorization is not working CSCuj84194 Cisco ISE sometimes does not send DACL in authorization profile CSCuj84427 Cisco ISE 1.2 Admin password alerts not functioning properly CSCuj86717 Dot1x endpoint fails authentication with Reject Requests After Detection CSCuj88222 Upgrade should check for CA certificates corruption CSCuj88888 ISE 1.1.4 patches fail machine authentications in disjointed ActiveDirectory namespaces CSCuj90823 Guest Portal: IP Refresh Failing in IE 11 CSCuj91050 Creating Guest users shows incorrect timezone 'GMT+2 ECT' CSCuj91461 ISE 1.2 backup on host A, restore on same version on host B breaks database listener CSCuj91764 Pre-upgrade checks CSCuj95588 Reach context limit when multiple conversations use Tunnel attributes CSCuj95908 Cisco ISE does not do domain stripping for Active Directory external store CSCuj97669 DNS Resolution Failed for CNAME: "hostname" from the ISE node "hostname" CSCuj97832 Cisco ISE hard disk filling up CSCuj98726 iOS devices bypass account suspension/lock by starting new EAP session CSCuj99951 Avaya Phones profiled as unknown CSCul02821 MDM attributes doesn't update to Endpoint objective CSCul02860 Struts Action Mapper Vulnerability CSCul03127 Struts 2 Dynamic Method Invocation Vulnerability CSCul03597 LDAP User Authorization Doesn't Work with EAP-FAST Chaining Release Notes for Cisco Identity Services Engine, Release 1.2.x 122 OL-27043-01 Cisco ISE, Release 1.2.1, Resolved Caveats Table 26 Cisco ISE, Release 1.2.1, Resolved Caveats (continued) Caveat Description CSCul03621 Endpoint Profiling Information is not being replicated correctly CSCul06431 Active Directory attribute value in ATZ profile is not sent CSCul06937 Do Sync check before upgrade of secondary PAP CSCul09815 Upgrade should not proceed if node role type cannot be detected CSCul10677 ISE 1.2 CWA Failure Reason 86017 CSCul13757 Audit records MUST log to External Syslog Servers: CLI log level CSCul13805 Audit records MUST log to External Syslog Servers: HTTPS idle timeout CSCul13812 Audit records MUST log to External Syslog servers: SSH publickey CSCul13883 Audit records MUST log to External Syslog servers: SSH KEX Group14 CSCul13905 Audit records MUST log to External Syslog Servers: CLI clock set CSCul13946 Audit records MUST log to External Syslog servers: Purge M&T Data CSCul15967 ISE 1.2 Patch 3 Windows 8.1 CPP OS Detection Failure in Distributed Setup CSCul16300 Audit records MUST log to External Syslog servers: CLI idle timeout CSCul18169 Blocking ISE admin UI access for Chrome browser CSCul18521 Audit records MUST log to External Syslog servers: VGA CLI AUTHC CSCul18555 Audit records MUST log to External Syslog servers: SSH conn fail CSCul20850 Port Patch 5 Guest changes to Patch 4 CSCul21337 The Posture Troubleshooting tool was vulnerable to blind SQL injection. CSCul23070 Audit records MUST log to External Syslog Servers: SSH exit forceout CSCul23252 CSCul25066 ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service CSCul25956 Upgrade from 1.2 to 1.2.1 timeout and fail when previous upgrade fails CSCul29344 ISE 1.2 HTML Custom Pages for Different Portals Not Working CSCul29647 Cisco ISE 1.2 upgrade disables Cisco Root certs if they were installed before Cisco ISE 1.2 CSCul35820 ISE Guest Registration Breaks with Apple IOS7 User Name as Emil Address CSCul39011 The Mobile Device Management (MDM) client failed to reject queries when MDM server was not responding. CSCul42307 Upgrade fails when local disk fills up due to core dumps CSCul42646 Failed to create Posture Condition with "NOT ENDS WITH" Operator CSCul46893 URL preservation not working with self service guest user in MAB flow CSCul48352 Right-Click - Copy to MAC and Username in Live Log CSCul50495 Device Registration failed with Cisco Catalyst 3850 Switch CSCul50720 Samsung Galaxy S4 cannot be on-boarded in dual SSID flow CSCul55934 Cisco ISE 1.2 Cannot Delete Guest Users Created Using Unavailable Timezone Setting CSCul57506 Restore process breaks Report functionality and UI Purge Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 123 Cisco ISE, Release 1.2.1, Resolved Caveats Table 26 Cisco ISE, Release 1.2.1, Resolved Caveats (continued) Caveat Description CSCul58758 Redirected to null page in the browser after Local Web Authentication (LWA) flow with WLC-5500 series. CSCul58895 Cisco ISE 1.2 Patch 3 StartEnd time profiles do not work for guest import CSCul62175 ISE BYOD enhancement troubleshooting for SCEP CSCul62723 Mobile Guest Portal: Success page redirects to http://10.86.149.92 CSCul65045 Cannot create/edit network device if advanced license expired CSCul66218 Posture delays due to HTTP thread exhaustion CSCul66272 Terminate Change of Authorization during Posture for Unknown User-agent DynGate CSCul69350 Cisco ISE 1.2.0 CFG database restore in Cisco ISE 1.2.1 fails CSCul71176 Endpoints manually assigned to identity groups might change groups randomly CSCul71245 ISE Authorization with certificate serial number broken in 1.2 patch 2 CSCul71532 XML external entity injection found under ERS CSCul77732 Warning message while creating Guest user with hyphen in Self Registration CSCul77793 Scheduled Reports Not Exported When Using Illegal Character as a Report Name CSCul80050 Upgrade failed from Cisco ISE 1.1.3 to Cisco ISE 1.2.1 CSCul82658 “Strip prefixes listed below” for Active Directory in GUI is a typo CSCul84544 Retrieval of Active Directory Groups or Attributes from GUI is Failing CSCul86970 GUI does not display the Allow only listed IP addresses option to connect. CSCul87279 ISE 1.2 Patch 5 through GUI not pushed to secondary nodes in the deployment CSCul87300 Special Character in LDAP password is not read correctly by ISE CSCul96698 Observed NullPExc intermittently while accessing create Guest Rest API CSCul96763 Guest users are getting created with special characters through Rest API CSCul97050 Issue with input validation for language Notification tag - Guest REST API CSCum01290 MDM Integration Not Working With ISE 1.2 Patch 3 and Patch 4 CSCum10047 Invalid Account Date When Changing Account Duration CSCum13453 ISE SYSLOG Parsing Failure when Forwarding to Third-Party SYSLOG CSCum26362 Authentications Details are Missing All the Required Data CSCum29186 With Account Creation Time Zone Change Not Reflecting New Updated Allowed Time CSCum37237 Insufficient permission error with bulk import of guest account. CSCum37742 Randomly generated guest users allowed to log in after getting expired CSCum40721 Optional Data Field Not Matching in Authorization Rules CSCum54099 ISE Does Not Send Sponsor-related syslog Message to External syslog Server CSCum57372 NAS identifier does not appear the authentication details in the web UI. CSCum60054 Unable to download catalina.out logs from GUI CSCum60501 Undefined is displaying in GUI instead of Log file name Release Notes for Cisco Identity Services Engine, Release 1.2.x 124 OL-27043-01 Cisco ISE, Release 1.2.1, Resolved Caveats Table 26 Cisco ISE, Release 1.2.1, Resolved Caveats (continued) Caveat Description CSCum60627 Client EAP Sessions Never Get Cleared CSCum69410 ISE 1.2 CWA with DRW Included Doesn't Register Endpoint CSCum77223 Increase Maximum Login Failures for Guest CSCum79002 Upgrade Validation check to PKIX path building failed CSCum82400 ISE 1.2 Posture upgrade failure CSCum82815 Acceptable Use Policy Page Shouldn't Be Presented if ISE Knows Session is Expired on Login CSCum82829 Cisco-branded Expiration Page Presented on Custom Portal CSCum85487 Data Purging audit report is not exporting CSCum85930 ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect CSCum86347 ISE Guest Start and Expiration Dates Don't Reflect Sponsor Portal Time Zone CSCum88817 ISE 1.2 Logs Filled with Unnecessary License Validity Info CSCum92155 ISE REST API (ERS) - PUT Update Request Removes identityGroups Value CSCum96035 Guest custom portal password change does not have error handling CSCun00215 ISE RSA Agent Exhausted Under Heavy Load CSCun00427 ISE 1.2 match operator return true when LHS is NULL and RHS is constant CSCun02007 iPEP exhibits slow data transfer rate and packet loss with traffic bursts when using iPEP routed mode. CSCun08410 Guest Account’s Start and End Time Validated Against System Time Zone CSCun11240 Guest Sponsor Mapping Report Incorrectly Changes Sponsor CSCun15601 Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail CSCun25178 Fetching Group Information Takes a Long Time Because of SIDHistory CSCun25815 ISE 1.2 marks DCs as 'Dead' while doing a 'CAPILdapFetch' CSCun28502 Sponsor, My Devices, and Guest portals does not have a defined character limit. CSCun36350 Patch info is shown after Cisco ISE Patch 7 CLI Rollback in standalone and deployment CSCun36594 ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV CSCun38402 Exception in CLI after enabling ERS CSCun41732 Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate is Present CSCun46032 Renew expired certificate CSCun51094 Bulk Import of Guests by Sponsor Falls in Wrong Guest Role CSCun60443 No Dashboard or Live Logs for Long Time After Primary MnT Failure CSCun61928 Not All Authorization Profiles are Recognized by Runtime CSCun67719 Guest Portal: Error Message When Password Expired Confusing CSCun68637 SNMP Query Fails to Complete during NMAP-triggered Probe CSCun70626 Locking issue after reset session database Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 125 Cisco ISE, Release 1.2.1, Resolved Caveats Table 26 Cisco ISE, Release 1.2.1, Resolved Caveats (continued) Caveat Description CSCun74285 ISE safe mode did not bypass admin portal certificate authentication. CSCun74460 Incorrect Daylight Saving Time (DST) time zone offset in ISE affects remote syslog targets. CSCun84251 Error after application ise reset-config on 1.2.0.899 Patch 6. CSCun93673 ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter CSCun94304 ISE RSA server configuration may fail to replicate to PSNs. CSCun94693 ISE upgrade to 1.2 fails with boot loader error CSCun97606 ISE Roaming Authentication Failing CSCuo02708 ERS Port Should Not Request Client Certificate CSCuo04860 Raise Alarms for EAP Session and Context Limits CSCuo13099 ISE Sponsor, email ID used as username with space in it, throws an error. CSCuo16503 ISE 1.2 Patch 7 AD Sponsor Created Guest Users Cannot Log In CSCuo31160 Support Plus licenses in ISE 1.2.x CSCuo32987 Endpoint Register Broken CSCuo34449 ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent CSCuo38618 ISE 1.2 cannot join the unit to Distributed Deployment CSCuo39442 ISE 1.2 does not validate remote log target names. CSCuo56780 ISE RADIUS Service Denial of Service Vulnerability CSCuo58919 Endpoint static group assignment toggles between true or false option every 55 seconds. CSCuo63448 Modifying the ISE parent profile disables child profile. CSCuo63892 CIAM: ISE-commons-fileupload-1-0 This fix addresses third-party software vulnerabilities. CSCuo73070 ISE 1.2 GUI Elements Missing Due to No Advanced License CSCuo76078 CSCuo75506 ISE authorization profile with Central WebAuth (CWA) and custom guest portal does not redirect to default settings. CSCuo88571 The IP release renew operation was not performed on Mac OSX devices. CSCup33018 Apple iOS 8 beta fails Native Supplicant Provisioning flow. CSCup50216 ISE 1.2+ API update was overwritten by the profiler. CSCup51902 Exporting active endpoints does not work from the admin node. CSCup63424 Downloading software to effect release or renew of guest virtual LAN (VLAN) was not accomplished. CSCup99806 Custom data access permissions were not working as expected. Release Notes for Cisco Identity Services Engine, Release 1.2.x 126 OL-27043-01 Cisco ISE, Release 1.2.0, Resolved Caveats Cisco ISE, Release 1.2.0, Resolved Caveats This section lists the caveats that have been resolved in this release. • Resolved Caveats, page 127 • Resolved Agent Caveats, page 137 • Resolved SPW Caveats, page 137 Resolved Caveats Table 27 Cisco ISE, Release 1.2, Resolved Caveats Caveat Description CSCtj81255 Two MAC addresses detected on neighboring switch of ACS 1121 Appliance. CSCtn76441 Custom conditions are not updated under Rules in profiling policies. CSCtn92594 Quickpicker filters are not working correctly during Client Provisioning policy configuration. CSCto32002 The Cisco ISE MAC address authentication summary report displays IP addresses instead of MAC addresses. CSCto87799 Guest authentication fails. CSCtq06832 Time and Date conditions need to be updated correctly when changing time zones. CSCtq09004 Windows 7 guest access not successful from IE8 and Chrome 10. CSCtq53690 Scheduled Monitoring and Troubleshooting incremental backup switches off following failed backup attempt. CSCtr58811 Need to log out and log back in to get Advanced License functionality. CSCtr66929 Selected month and year while configuring file “Date” condition. CSCtr88091 You may experience slow response times for some user interface elements when using Internet Explorer 8. CSCts45441 Weird behavior with creating guest account using start-end time profile. CSCtt17378 Failed to send notification from UTF-8 Email address. CSCtu05540 Monitoring and Troubleshooting node does not show Active Directory External Groups following authentication failure. CSCtv17606 Monitoring and Troubleshooting requires an appropriate error message if backup/restore process fails. CSCtw79431 Exiting the Cisco Mac Agent while in “pending” state displays the wrong user message. CSCtw98454 Guest accounting report filter not working. CSCtx01136 Cisco NAC Agent is not performing posture assessment. CSCtx03427 Create Alarm Schedule returning XSS error messages. CSCtx07670 Profiler conditions that are edited wind up corrupting Profiler policies. CSCtx25213 IP table entry needs cleanup after deregistering a secondary node. CSCtx31601 Cannot add Network Access user, but able to import users. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 127 Cisco ISE, Release 1.2.0, Resolved Caveats Table 27 Cisco ISE, Release 1.2, Resolved Caveats (continued) Caveat Description CSCtx33747 RBAC admin cannot access deployment page and perform deployment-related functions. CSCtx51454 Unable to retrieve administrator users list. CSCtx59957 A warning/pop-up appears while creating a Guest Time profile. CSCtx74574 Device Configure Deployment option selected after upgrade from software Release 1.0 to Release 1.1. CSCtx77149 Disk space issue. CSCtx81905 Cisco ISE returns an error message while registering one node to another. CSCtx90696 Cisco ISE does not work after updating the IP address. CSCtx94533 The Endpoint DeviceRegistrationStatus Attribute Always Shows “Pending” CSCtx94839 Clicking on logout link on the AUP page of Device Registration Webauth flow appears to do nothing. CSCtx95251 Deployment page load exceeds six minutes when two or more nodes are unreachable. CSCtx97190 Cisco 3750 switch is profiled as “Generic Cisco Router”. CSCty00899 LiveLog Reports cannot be opened. CSCty01787 Error in Generating XML Output for EndPointIPAddress API. CSCty02379 Cisco ISE runs out of space due to a backlog of pending messages in the replication queue. CSCty05157 The Cisco ISE dashboard is not working for administrator user names with more than 15 non-English characters contained in the username. CSCty10461 Cannot register a Cisco ISE node with UTF-8 characters in administrator name. CSCty10692 Requirement is used by Policy-Need tooltip on OS. CSCty15646 Monitoring and Troubleshooting debug log alert settings get reset to WARN. CSCty16603 Administrator ISE node promotion fails, resulting in disabled replication status. CSCty19010 Editing Cisco ISE failure reason information returns error message. CSCty23790 Internet Explorer 8 is unable to import endpoints from LDAP. CSCty40077 Shared Secret Key for Inline Posture node Network Access Device is not created or updated. CSCty51260 Active Directory "dn" attribute does not work for authorization policies. CSCty59165 SNMPQuery Probe events queue runs out of memory. CSCty80451 Failed to authenticate external admin (AD user) when configured user to change password at the next log in. CSCty87291 Admin Web Portal Requests ID certification When It’s Password authentication-only CSCty98551 Race condition between CoA event and persistence event during initial endpoint login. CSCtz13306 Monitoring and Troubleshooting collector cannot collect posture audit logs to generate report. CSCtz28057 After upgrade to Release 1.1, Cisco ISE is still in “initializing” state. Release Notes for Cisco Identity Services Engine, Release 1.2.x 128 OL-27043-01 Cisco ISE, Release 1.2.0, Resolved Caveats Table 27 Cisco ISE, Release 1.2, Resolved Caveats (continued) Caveat Description CSCtz41262 Authorization policy does not match when the MAC address uses the colon delimiter (00:00:00:00:00:00). CSCtz41452 Evaluation license counter incrementing when wireless license installed. CSCtz49846 Cisco ISE does not contain the ASA attribute 146 Tunnel Group Name that is sent on the Access Request. CSCtz55815 Default Gateway is not changed if the new value is a part of old value. CSCtz56691 Research In Motion (Blackberry) devices no longer work after upgrade to Cisco ISE, Release 1.1.1. CSCtz67814 Replication disabled for secondary node. CSCua00821 Error messages appear when you configure Active Directory via the CLI. CSCua03889 Guest users are asked to accept the Acceptable Use Policy twice when first logging into Cisco ISE with password change. CSCua05003 Service status is not correct if the ARP port number changes. CSCua05433 The endpoint identity import function does not maintain correct identity group membership. CSCua25187 Employees whose user names are 41 digits long will not see their devices. CSCub18575 Problem with sponsor accounts starting with a "0" CSCuc49317 When you have more than 60 authorization policy rules, creating a new rule takes about 4 minutes. CSCuc61075 With the RADIUS probe disabled, if you indicate a device as lost or reinstate in the My Devices portal, CoA fails. CSCuc63052 Policy Service node fails to load client certificate for secure syslog configuration. CSCuc71592 In policy sets, authorization simple condition cannot be used in authorization policy rules. CSCuc82453 Monitoring data exported in a .csv file from the primary Administration node is empty. CSCuc87242 If you disable a sponsor user who has logged in to the sponsor portal, the sponsor user’s account is not disabled until the end of the session. CSCuc92010 Sponsor users who create guest user accounts cannot delete those accounts from the Sponsor Portal. CSCuc96884 Profiler Feed Service edit and save operations do not work in Internet Explorer 8. CSCuc97133 Profiler log throws exceptions when you enable FIPS mode on the primary Administration node and FIPS mode is not enabled on the secondary nodes until they are restarted. CSCud19143 Endpoint filtering does not work for the BYOD Registration and Device Registration Status fields. CSCud22608 The minimum length of admin and user passwords in the password policy by default becomes four characters, instead of six. CSCud31778 Policy set page takes a long time to load and save. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 129 Cisco ISE, Release 1.2.0, Resolved Caveats Table 27 Cisco ISE, Release 1.2, Resolved Caveats (continued) Caveat Description CSCud32310 Current Active Sessions report displays an error when the Monitor persona runs on remote node. CSCud32485 Cannot log in to the sponsor portal after reinstating guest users and accepted the Acceptable Use Policy (AUP). CSCud38499 Replication of authorization policy fails in a distributed deployment setup if the policy set name includes an underscore (_) character. CSCud38623 MDM server’s Active status does not reflect the connectivity status. CSCud38634 Guest sponsor details shows wrong sponsor name. CSCud39871 Cannot save profiler configuration for a secondary node. CSCud42216 Authentication request from Apple MAC systems that use the EAP-FAST protocol with inner method GTC or TLS fails. CSCud43467 Posture reassessment check functionality is not working when you enable posture reassessment for a group of users. If a user moves to the compliant state, the user gains access to the network, but posture reassessment does not happen, and the user’s session gets terminated after a time interval. CSCud70219 Log.xml files are not cleaned out regularly. CSCud89273 Passed Numbers Not Appearing on Authentications Dashlet CSCue14864 Endpoint statically assigned to ID group may appear in different group CSCuf03318 The Network Setup Assistant fails when the user tries to “Cancel” the Configure Profile Tool. CSCuf24898 ISE repository max password length 16 characters. CSCuf47491 Timestamp of core files not preserved in support bundle. CSCuf76821 .trc and .trm files are not cleaned out regularly. CSCug20065 Unable to enforce RBAC as desired to a custom administrator. CSCug59579 Windows 8 not included in Client Provisioning CSCug59644 Trying dot1X authentication in an Activated Guest with “First Login” time profile fails. CSCug69311 Not able to connect to SFTP, which is required for secure backups. CSCug82539 While moving the policies from one profiled node to another, the profiler does not contain the policies in the policy cache. CSCug90502 ISE Blind SQL Injection Vulnerability. CSCug91963 Java process crashes when configuring host alias. CSCug96069 Replication status update fails for all nodes if the network is restored on PAP. CSCuh02759 While creating a support bundle, an error message appears as “node not reachable”. CSCuh05950 Certificate missed and node disconnected after PAP promotion failed. CSCuh07534 While downloading the debug logs from Administration node, an error appears as “Node is not reachable. Please check the node's status”. CSCuh13582 ISE applies wrong Authorization rule/ profile CSCuh14228 Internal administrator summary report export not working Release Notes for Cisco Identity Services Engine, Release 1.2.x 130 OL-27043-01 Cisco ISE, Release 1.2.0, Resolved Caveats Table 27 Cisco ISE, Release 1.2, Resolved Caveats (continued) Caveat Description CSCuh20322 Need ISE application server restart reason and timestamp CSCuh23536 RADIUS drop should have last event timestamp CSCuh25506 Cisco ISE CSRF Vulnerability CSCuh30587 Backup fails due to ISE restart CSCuh36333 Successful DACL download authentication is counted under authentication dashlet CSCuh41450 IP Columns Sort on Char on Network Devices Page CSCuh45239 Node Status Patch page does not refresh automatically CSCuh56278 Local Web Authentication (LWA) Guest access by iOS 6 devices on ISE 1.2 fails CSCuh65084 Scroll issue for small screens on Live Log page CSCuh79596 Freshly Installed Standalone ISE Server Not Logging MDM Events CSCuh84099 ISE should verify non-printable characters in x.509 certs CSCuh95845 After internal password change policies using NA conditions match default Policy. CSCui02984 Sponsor authentication failed for Active Directory user with Sponsor_Portal_Sequence. CSCui08084 Guest user is not terminated on the switch when suspended via Edit Account. CSCui08084 Guest user is not terminated on the switch when suspended via Edit Account. CSCui15038 ISE HTTP control interface for NAC Web Agent XSS Vulnerability CSCui15064 Certain ISE Reports Vulnerable to XSS Injection CSCui16528 Wrong service selection for NDAC Policy CSCui21439 Message code texts are blank or incorrect CSCui21839 “Export Endpoints” Creates Empty File When Quick Filter is On CSCui22884 ISE presents wrong HTTPS certificate CSCui26708 ISE node to node HTTP Basic Authentication username and password logged CSCui30266 ISE MDM Portal Cross-Site Scripting Vulnerability CSCui30275 Component of the administration page of the Cisco Identity Services Engine (ISE) was vulnerable to a cross-site scripting (XSS) attack CSCui34389 RADIUS accounting drop is not suppressed, flooding live log. CSCui35514 'show tech' script in support bundle needs fixing CSCui36160 Whitelist and expiration notification. CSCui36643 ISE Editing schedule report complains of existing report name in use. CSCui40950 Guest login takes long time and times out. CSCui42788 Exporting of imported profile policy results a garbled description. CSCui44324 Backup task can't be configured in ISE 1.2 UI. CSCui46739 Guest applet fails after update to Java 7 update 25. CSCui48779 Clicking ‘Undo Latest’ on Feed Service page does not clean up rules in some conditions. CSCui56071 ISE: Ignore 0.0.0.0 in Framed-IP-Address Profiler Updates Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 131 Cisco ISE, Release 1.2.0, Resolved Caveats Table 27 Cisco ISE, Release 1.2, Resolved Caveats (continued) Caveat Description CSCui57100 EAP-TLS auth fails with two sets of CRLs because CRL signature decrypt failed CSCui57152 Endpoint Policy not updated for endpoints added using ERS API CSCui57882 Some expired guest accounts cannot be deleted from PDP CSCui57933 Purge expired guest accounts does not work CSCui57961 When editing an expired guest account that cannot be deleted, logs out. CSCui58390 Multiple names in SAN Field and ISE choose value randomly. CSCui67495 Uploaded Filenames/Content Not Properly Sanitized CSCui67511 Certain File Types are not Filtered and are Executable CSCui71484 ISE SEC PAP has write access via ERS API CSCui72269 ISE unable to understand SNMP attribute coming from Switch. CSCui72658 Guest Portal cookies not set as Secure or HTTP Only. CSCui75335 ISE 1.2 NAC agent fails posture due to 'NAC Server not available.' CSCui77336 Customized URL ISE self registration not working. CSCui78135 On Alpha Alarms Still Show Up When We Select All and Acknowledge CSCui82998 Custom Guest Portal Loops after AUP Due to Loss of Session ID CSCui83009 Unable to push compliance module to NAC agent on Macs. CSCui89741 ISE ERS API creates endpoint with invalid format MAC address. CSCui94488 MyDevice Portal allows endpoints with static endpoint ID group other than RegisteredDevices. CSCui96322 Default Guest Portal Email Address Limited to 24 Characters CSCui96960 MNT Livelog/Dashboard performance. CSCuj01781 ISE uses SAN of user certificate for machine lookup in Active Directory CSCuj03071 EndPoint update not being saved to PAP due to high latency CSCuj03131 Lower "Request Rejection Interval" minimum to 5 minutes CSCuj03697 Allow Tunnel* attributes in policies CSCuj05295 ISE App server crashed and stuck in initialized state with "null" in collection filter CSCuj07535 IP Address Change is Not Recorded in Endpoint Profile on ISE 1.2 CSCuj09430 Guest account is not working according to its Time Zone CSCuj11040 ISE Should Not Degrade a Profile Based on Problematic User-Agent CSCum97337 CSCuj13804 IE8 gives error on ISE1.2 when accessing the provisioning portal CSCuj14382 Cannot statically assign IP address as FramedAddress CSCuj15372 Authentications fail with MDM authentication rules enabled CSCuj16049 HA Licensing CSCuj19882 Unable to edit the existing Guest accounts after restoring old backup CSCuj25038 ERS Service Disabled After Reboot Release Notes for Cisco Identity Services Engine, Release 1.2.x 132 OL-27043-01 Cisco ISE, Release 1.2.0, Resolved Caveats Table 27 Cisco ISE, Release 1.2, Resolved Caveats (continued) Caveat Description CSCuj26086 ISE Client Provisioning - NSP does not launch on Safari 7 (Mac OS X 10.9) CSCuj80131 CSCuj28447 Endpoint statically assigned to ID group may appear in different group CSCuj28968 Guest Activity Report is not working CSCuj34004 User name change detected for the session removes all session attributes CSCuj36104 ISE does not allow CRL when the name is the same on two Certificate Authorities CSCuj36310 “@” Character Not Accepted in Wireless SSIDs Fields CSCuj38204 ISE does not allow access for guest with no webagent if posture is configured CSCuj39926 Kaspersky remediation does not appear anymore in the AV remediation CSCuj45431 ISE Support for Mac OS X 10.9 NAC Agent CSCuj45766 Add/Remove MDM server never got replicated to PSNs in distributed deployment CSCuj47806 ISE redirects to default guest pages when it’s configured to redirect to custom pages CSCuj48111 Hyphen and minus sign can't be entered as first or last name CSCuj49903 Downloading / viewing large logfiles from PDP causes out of memory error CSCuj51094 Captured TCPDump file is not working CSCuj54630 ISE 1.2 patch 2 is rejecting https cookies from the Mobile Iron Server CSCuj57335 Egress Matrix: require default SGACL that includes log option CSCuj60796 ISE Support for IE 11 CSCuj61976 Admin UI fails to display certain UI pages when using Firefox 25 CSCuj62435 ISE 1.2 TrendMicro not listed for AV Remediation CSCuj63046 Text fields impose 24 character limit during guest self-registration CSCuj66093 86017 Error page sessionExpired.jsp images links are invalid CSCuj70022 EAP-FAST authenticated provisioning with Android doesn't work CSCuj72022 Cannot use "Ends With" operator in a Posture condition on ISE CSCuj82836 Manual CoA - Re-authorization is not working CSCuj84194 ISE sometimes does not send DACL in authorization profile CSCuj84427 ISE 1.2 Admin password alerts not functioning properly CSCuj90823 Guest Portal: IP Refresh Failing in IE 11 CSCuj91050 Creating Guest users shows incorrect timezone 'GMT+2 ECT' CSCuj95908 ISE does not do domain stripping for Active Directory external store CSCuj97669 DNS Resolution Failed for CNAME:"hostname" from the ISE node "hostname" CSCuj98726 iOS devices bypass account suspension/lock by starting new EAP session CSCul02821 MDM attributes doesn't update to Endpoint objective CSCul02860 Struts Action Mapper Vulnerability CSCul03127 Struts 2 Dynamic Method Invocation Vulnerability CSCul03597 LDAP User Authorization Doesn't Work with EAP-FAST Chaining Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 133 Cisco ISE, Release 1.2.0, Resolved Caveats Table 27 Cisco ISE, Release 1.2, Resolved Caveats (continued) Caveat Description CSCul03621 Endpoint Profiling Information is not being replicated correctly CSCul06431 Active Directory attribute value in ATZ profile is not sent CSCul10677 ISE 1.2 CWA Failure Reason 86017 CSCul13757 Audit records MUST log to External Syslog Servers: CLI log level CSCul13805 Audit records MUST log to External Syslog Servers: HTTPS idle timeout CSCul13812 Audit records MUST log to External Syslog servers: SSH publickey CSCul13883 Audit records MUST log to External Syslog servers: SSH KEX Group14 CSCul13905 Audit records MUST log to External Syslog Servers: CLI clock set CSCul13946 Audit records MUST log to External Syslog servers: Purge M&T Data CSCul15967 ISE 1.2 Patch 3 Windows 8.1 CPP OS Detection Failure in Distributed Setup CSCul16300 Audit records MUST log to External Syslog servers: CLI idle timeout CSCul18169 Blocking ISE admin UI access for Chrome browser CSCul18521 Audit records MUST log to External Syslog servers: VGA CLI AUTHC CSCul18555 Audit records MUST log to External Syslog servers: SSH conn fail CSCul21337 The Posture Troubleshooting tool was vulnerable to blind SQL injection. CSCul23070 Audit records MUST log to External Syslog Servers: SSH exit forceout CSCul23252 CSCul25066 ISE Wireless Upgrade License Type Doesn't include Profiler Feed Service CSCul28451 RADIUS Accounting Report “Account Session Time” blank. CSCul29344 ISE 1.2 HTML Custom Pages for Different Portals Not Working. CSCul35820 ISE Guest Registration Breaks with Apple IOS7 User Name as Emil Address CSCul39011 The Mobile Device Management (MDM) client failed to reject queries when MDM server was not responding. CSCul42646 Failed to create Posture Condition with "NOT ENDS WITH" Operator CSCul46893 URL preservation not working with self service guest user in MAB flow CSCul48352 Right-Click - Copy to MAC and Username in Live Log CSCul50495 Device Registration failed with Cisco Catalyst 3850 Switch CSCul50720 Samsung Galaxy S4 cannot be on-boarded in dual SSID flow CSCul55934 ISE 1.2 Cannot Delete Guest Users Created Using Unavailable Timezone Setting CSCul58758 Redirecting to 'null' page in the browser after LWA flow with WLC-5500 CSCul58758 Redirected to null page in the browser after Local Web Authentication (LWA) flow with WLC-5500 series. CSCul58895 ISE 1.2 Patch 3 StartEnd time profiles do not work for guest import CSCul62175 ISE BYOD enhancement troubleshooting for SCEP CSCul65045 Cannot create/edit network device if advanced license expired CSCul66218 Posture delays due to HTTP thread exhaustion Release Notes for Cisco Identity Services Engine, Release 1.2.x 134 OL-27043-01 Cisco ISE, Release 1.2.0, Resolved Caveats Table 27 Cisco ISE, Release 1.2, Resolved Caveats (continued) Caveat Description CSCul66272 Terminate Change of Authorization during Posture for Unknown User-agent DynGate CSCul71176 Endpoints manually assigned to identity groups might change groups randomly CSCul71532 XML external entity injection found under ERS CSCul77732 Warning message while creating Guest user with hyphen in Self Registration CSCul77793 Scheduled Reports Not Exported When Using Illegal Character as a Report Name CSCul82658 “Strip prefixes listed below” for Active Directory in GUI is a typo CSCul84544 Retrieval of Active Directory Groups or Attributes from GUI is Failing CSCul86970 GUI does not display the Allow only listed IP addresses option to connect. CSCul87300 Special Character in LDAP password is not read correctly by ISE CSCum01290 MDM Integration Not Working With ISE 1.2 Patch 3 and Patch 4 CSCum10047 Invalid Account Date When Changing Account Duration CSCum13453 ISE SYSLOG Parsing Failure when Forwarding to Third-Party SYSLOG CSCum26362 Authentications Details are Missing All the Required Data CSCum29186 With Account Creation Time Zone Change Not Reflecting New Updated Allowed Time CSCum37237 ISE No Sufficient Permission Error with Bulk Import of Guest Account CSCum37237 Insufficient permission error with bulk import of guest account. CSCum40721 Optional Data Field Not Matching in Authorization Rules CSCum41138 NAS IP Address showing MnT address in ISE live logs after CoA REST API. CSCum54099 ISE Does Not Send Sponsor-related syslog Message to External syslog Server CSCum57372 NAS identifier does not appear the authentication details in the web UI. CSCum60627 Client EAP Sessions Never Get Cleared CSCum69410 ISE 1.2 CWA with DRW Included Doesn't Register Endpoint CSCum77223 Increase Maximum Login Failures for Guest CSCum82815 Acceptable Use Policy Page Shouldn't Be Presented if ISE Knows Session is Expired on Login CSCum82829 Cisco-branded Expiration Page Presented on Custom Portal CSCum85930 ISE 1.2 Custom Guest Portal Images and CSS Broken on Final Redirect CSCum86347 ISE Guest Start and Expiration Dates Don't Reflect Sponsor Portal Time Zone CSCum88817 ISE 1.2 Logs Filled with Unnecessary License Validity Info CSCum92155 ISE REST API (ERS) - PUT Update Request Removes identityGroups Value CSCum96035 Guest Custom Portal Password Change Does Not Have Error Handling CSCun00215 ISE RSA Agent Exhausted Under Heavy Load CSCun00427 ISE 1.2 match operator returns true when LHS is NULL and RHS is constant. CSCun08410 Guest Account’s Start and End Time Validated Against System Time Zone CSCun11240 Guest Sponsor Mapping Report Incorrectly Changes Sponsor Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 135 Cisco ISE, Release 1.2.0, Resolved Caveats Table 27 Cisco ISE, Release 1.2, Resolved Caveats (continued) Caveat Description CSCun15601 Invalid Text Message Template Error Shown if Sponsor is CC'ed in Guest Mail CSCun25178 Fetching Group Information Takes a Long Time Because of SIDHistory CSCun28502 Sponsor, My Devices, and Guest portals does not have a defined character limit. CSCun36594 ISE 1.2 Endpoint Identity Group is Lost When Importing From CSV CSCun41732 Cisco ISE Certificate Trusted List is Not Fully Read When a Corrupted Certificate is Present CSCun51094 Bulk Import of Guests by Sponsor Falls in Wrong Guest Role CSCun60443 No Dashboard or Live Logs for Long Time After Primary MnT Failure CSCun61928 Not All Authorization Profiles are Recognized by Runtime CSCun67719 Guest Portal: Error Message When Password Expired Confusing CSCun68637 SNMP Query Fails to Complete during NMAP-triggered Probe CSCun74285 ISE safe mode did not bypass admin portal certificate authentication. CSCun74460 Incorrect Daylight Saving Time (DST) time zone offset in ISE affects remote syslog targets. CSCun74636 OSX Mavericks is profiled as Apple device based on incorrect User-Agent. CSCun84251 Error after application ise reset-config on 1.2.0.899 Patch 6. CSCun93673 ISE 1.2 Endpoint Export Results in Empty File if Using Lower Case Letter CSCun94304 ISE RSA server configuration may fail to replicate to PSNs. CSCun97606 ISE Roaming Authentication Failing CSCuo02708 ERS Port Should Not Request Client Certificate CSCuo04860 Raise Alarms for EAP Session and Context Limits CSCuo13099 ISE Sponsor, email ID used as username with space in it, throws an error. CSCuo16503 ISE 1.2 Patch 7 AD Sponsor Created Guest Users Cannot Log In CSCuo32987 Endpoint Register Broken CSCuo34449 ISE Posture Dropped via CoA Terminate Due to Invalid HTTP User-Agent CSCuo39442 ISE 1.2 does not validate remote log target names. CSCuo56780 ISE RADIUS Service Denial of Service Vulnerability CSCuo58919 Endpoint static group assignment toggles between true or false option every 55 seconds. CSCuo63448 Modifying the ISE parent profile disables child profile. CSCuo63892 CIAM: ISE-commons-fileupload-1-0 CSCuo73070 ISE 1.2 GUI Elements Missing Due to No Advanced License CSCuo76078 CSCuo75506 ISE authorization profile with Central WebAuth (CWA) and custom guest portal does not redirect to default settings. CSCuo88571 The IP release renew operation was not performed on Mac OSX devices. CSCup33018 Apple iOS 8 beta fails Native Supplicant Provisioning flow. Release Notes for Cisco Identity Services Engine, Release 1.2.x 136 OL-27043-01 Cisco ISE, Release 1.2.0, Resolved Caveats Table 27 Cisco ISE, Release 1.2, Resolved Caveats (continued) Caveat Description CSCup50216 ISE 1.2+ API update was overwritten by the profiler. CSCup51902 Exporting active endpoints does not work from the admin node. CSCup63424 Downloading software to effect release or renew of guest virtual LAN (VLAN) was not accomplished. CSCup79399 Cisco ISE-related reports return blank page while launching from PI. CSCup88315 Apple iOS 8 beta failing External Web Authentication (WebAuth) with ISE. CSCup99806 Custom data access permissions were not working as expected. CSCuq01548 ISE posture dropped during Change of Authorization (CoA) due to invalid HTTP User-Agent [Trident 7.0]. CSCuq02222 The Simple Network Management Protocol (SNMP) Query probe failed to discover endpoints using periodic polling. CSCuq26320 EAP-FAST authenticated provisioning with Android doesn't work CSCuq26320 EAP-FAST authenticated provisioning with Android does not work. Resolved Agent Caveats Table 28 Cisco ISE, Release 1.2, Resolved Agent Caveats Caveat Description CSCto03644 Tray icon flickers click focus if user changes applications from login successfully. CSCto19507 Mac OS X agent does not prompt for upgrade when coming out of sleep mode. CSCto97422 Auto Popup does not happen after clicking Cancel during remediation failure. CSCug26558 Live Authentications: Posture links redirect to wrong MAC address and empty report CSCue98661 Cisco ISE NAC Agent on Windows 8 checks for AV that is not selected CSCue41912 Posture: Cisco NAC Agent not triggering on Windows 8 Resolved SPW Caveats Table 29 Cisco ISE, Release 1.2, Resolved SPW Caveats for Windows Caveat Description SPW Version CSCug95980 Cisco ISE NSP does not support SDIO based wireless adapters. 1.0.0.31 CSCug66885 Windows SPW-Trusted Root CA not set in network profile. 1.0.0.30 CSCud65260 DualSSID_Win7_PEAP_AutoLogin NSP not connecting to Closed SSID. 1.0.0.29 CSCud01247 BYOD: Messages are not localized. 1.0.0.28 CSCud56448 PEAP Supplicant Provisioning does not set Validate Server Certificate. 1.0.0.28 Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 137 Cisco ISE, Release 1.2.0, Resolved Caveats Table 29 Cisco ISE, Release 1.2, Resolved SPW Caveats for Windows Caveat Description SPW Version CSCue38943 BYOD: Characters corrupted. A vertical line appears at the end of the Applying Configuration screen. 1.0.0.28 CSCue43405 Windows 8- Dual SSID is broken (MAB + PEAP), if wrong networking password is entered in SPW. 1.0.0.28 CSCue43413 Login failure message displayed in dual SSID (MAB + PEAP). 1.0.0.28 CSCue47503 Win SPW v1.0.0.27 fails with Wired dual SSID (MAB > PEAP). 1.0.0.28 CSCud05296 NSP installation on Windows 8 failed. 1.0.0.26 Table 30 Cisco ISE, Release 1.2, Resolved SPW Caveats for Mac OS X Caveat Description SPW Version CSCuf61159 Wired MAC10.8.3-Fails to auto re-connect to network using new profile. 1.0.0.21 CSCug16632 BYOD CR: SPW configures the profile and succeeds even when PDP is down. 1.0.0.20 CSCug18081 NSP page does not show status of Mac SPW consistently. 1.0.0.20 CSCuf03318 Network Setup Assistant fails, if user clicks ‘Cancel’ in the Config 1.0.0.19 profile Tool. CSCue53450 Cisco Network Setup Assistant copy right year should be changed. 1.0.0.19 CSCue62005 Macintosh SPW 1.0.0.17 is not able to configure wired adapters. CSCud00349 Translation property file has new line character in the JA translation 1.0.0.17 property file. CSCud64592 MAC OS X 10.6.8: Fails to connect to Closed SSID using the TSL 1.0.0.16 Profile. CSCub29212 In MAC OS X 10.8, modify system network configuration needs confirmation from system administrator. 1.0.0.15 CSCuc42511 Localization for NSP wizards - support for additional languages. 1.0.0.14 CSCub27769 Cisco ISE does not block both wired and wireless interface MAC addresses for lost devices. 1.0.0.13 CSCub65963 Certificate Enrollment is vulnerable to session Hija. 1.0.0.12 CSCub29185 MAC 10.8: Agent and SPW fails to install, when “MAC App Store 1.0.0.11 and identified developers” is selected in the Security & Privacy Preference Pane. 1.0.0.18 Release Notes for Cisco Identity Services Engine, Release 1.2.x 138 OL-27043-01 Documentation Updates Documentation Updates Table 31 Date 10/24/2014 Updates to Release Notes for Cisco Identity Services Engine, Release 1.2.x Description • Added Open Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12, page 39 • Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 12, page 48 9/17/2014 Added Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 2, page 32 9/15/2014 Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 11, page 53 8/7/2014 Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 10, page 55. 7/18/2014 Added Resolved Issues in Cisco ISE Version 1.2.1.198—Cumulative Patch 1, page 35 7/3/2014 Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 9, page 58 6/20/2014 6/2/2014 5/30/2014 3/26/2014 • Updated Upgrading Cisco ISE Software, page 9 • Added Enhancements in Cisco ISE Version 1.2.0.899—Cumulative Patch 8 Updated Support for Microsoft Active Directory, page 7 • Cisco Identity Services Engine, Release 1.2.1 • Added New Features in Cisco ISE, Release 1.2.1, page 12 • Added Cisco ISE, Release 1.2.1, Resolved Caveats, page 117 • Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 7, page 65 • Updated Open Caveats, page 91 2/21/2014 Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 6, page 69 1/22/2014 Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 5, page 72 12/20/2013 12/5/2013 11/27/2013 • Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 5, page 72 • Updated Open Caveats, page 91 Added No iPEP Support in Cisco ISE 1.2.x Patches, page 10 • Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 4, page 79 • Updated Open Caveats, page 91 • Updated Open Agent Caveats, page 114 Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 139 Related Documentation Table 31 Date 10/29/2013 10/28/2013 9/19/2013 Updates to Release Notes for Cisco Identity Services Engine, Release 1.2.x Description • Added Support for Windows 8.1 and Mac OS X 10.9 in Cisco ISE Version 1.2.0.899—Cumulative Patch 3, page 81 • Updated Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 3, page 81 Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 3, page 81 • Added New Features in Cisco ISE Version 1.2.0.899—Cumulative Patch 2, page 86 • Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 2, page 89 8/1/2013 Added Resolved Issues in Cisco ISE Version 1.2.0.899—Cumulative Patch 1, page 91 7/25/2013 Cisco Identity Services Engine, Release 1.2 Related Documentation Release-Specific Documents General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html. Table 32 Product Documentation for Cisco Identity Services Engine Document Title Location Release Notes for the Cisco Identity Services Engine, Release 1.2 http://www.cisco.com/en/US/products/ps11640/pr od_release_notes_list.html Cisco Identity Services Engine Network Component Compatibility, Release 1.2 http://www.cisco.com/en/US/products/ps11640/pr oducts_device_support_tables_list.html Cisco Identity Services Engine User Guide, Release 1.2 http://www.cisco.com/en/US/products/ps11640/pr oducts_user_guide_list.html Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 http://www.cisco.com/en/US/products/ps11640/pr od_installation_guides_list.html Cisco Identity Services Engine Upgrade Guide, Release 1.2 http://www.cisco.com/en/US/products/ps11640/pr od_installation_guides_list.html Cisco Identity Services Engine, Release 1.2 Migration Tool Guide http://www.cisco.com/en/US/products/ps11640/pr od_installation_guides_list.html Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.2 http://www.cisco.com/en/US/products/ps11640/pr oducts_user_guide_list.html Cisco Identity Services Engine CLI Reference Guide, Release 1.2 http://www.cisco.com/en/US/products/ps11640/pr od_command_reference_list.html Release Notes for Cisco Identity Services Engine, Release 1.2.x 140 OL-27043-01 Obtaining Documentation and Submitting a Service Request Table 32 Product Documentation for Cisco Identity Services Engine (continued) Document Title Location Cisco Identity Services Engine API Reference Guide, Release 1.2 http://www.cisco.com/en/US/products/ps11640/pr od_command_reference_list.html Cisco Identity Services Engine Troubleshooting Guide, Release 1.2 http://www.cisco.com/en/US/products/ps11640/pr od_troubleshooting_guides_list.html Regulatory Compliance and Safety Information for Cisco Identity Services Engine 3300 Series Appliance, Cisco Secure Access Control System 1121 Appliance, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler http://www.cisco.com/en/US/products/ps11640/pr od_installation_guides_list.html Cisco ISE In-Box Documentation and China RoHS Pointer Card http://www.cisco.com/en/US/products/ps11640/pr oducts_documentation_roadmaps_list.html Platform-Specific Documents Links to other platform-specific documentation are available at the following locations: • Cisco ISE http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html • Cisco UCS C-Series Servers http://www.cisco.com/en/US/docs/unified_computing/ucs/overview/guide/UCS _rack_roadmap.html • Cisco Secure ACS http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html • Cisco NAC Appliance http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html • Cisco NAC Profiler http://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html • Cisco NAC Guest Server http://www.cisco.com/en/US/products/ps10160/tsd_products_support_series_home.html Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0. Release Notes for Cisco Identity Services Engine, Release 1.2.x OL-27043-01 141 Obtaining Documentation and Submitting a Service Request This document is to be used in conjunction with the documents listed in the “Related Documentation” section. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. © 2014 Cisco Systems, Inc. All rights reserved. Release Notes for Cisco Identity Services Engine, Release 1.2.x 142 OL-27043-01
© Copyright 2024