
ISE Features by Release




ISE 1.0.4 Release


Cisco ISE Installation and Upgrade Process Updates
Wireless License Options
Cisco ISE Upgrade and Backup and Restore Enhancements
Administrator Lockout and Administrator Password Reset
Windows IE 9 and Firefox 4.x Browsers Support
Statically Assigned Endpoint Behavior Enhancement
Correlating Endpoint IP and MAC Addresses with DHCP and RADIUS Probes
Integrating with Cisco NAC Appliance, Release 4.9
Cisco Secure ACS to Cisco ISE Migration Updates



ISE 1.1.0 Release

Endpoint Protection Services
FIPS 140-2 Level 1 Compliance
Common Access Card (CAC) Support
Internationalization and Localization
IOS Sensor for Profiling
NMAP Probe
Profiling Network Scan Actions
OCSP Support
SGA Support
New Look for the User Interface
Device Registration WebAuth
Simple URL for Sponsor Portal Access
Creating a Custom Portal Theme
Network Time Protocol (NTP) Server Authentication
External Authentication for Administrator Users
Simplified Posture Policy Configuration
Support Bundle Password Protection
Updated VMware Machine Capabilities
Enhanced Security for Sponsor and Guest Portals


ISE 1.1.1 Release

New Default Authorization Profile (“Blacklist”)
Dictionary Attribute-to-Attribute Authorization Policy Configuration
New Device Registration Task Navigator
Native Supplicant Provisioning Profile Configuration Page
Enhanced Client Provisioning Policy Configuration
SCEP Authority Profile Configuration Page
RADIUS Proxy Attribute
EAP Chaining
EAP-TLS as an Inner Method for EAP-FAST
Device Registration Portal
New Reports in Cisco ISE, Release 1.1.1
Change of Authorization
Creating Activated Guests

ISE 1.1.2 Release

Global Setting for Endpoint Attribute Filter

ISE 1.1.3 Release

Bugfixes only

ISE 1.1.4 Release

Bugfixes only



ISE 1.2.0 Release

Support for UCS Hardware
Improved Performance and Scalability
Mobile Device Management Interoperability with Cisco ISE
MAB from Non-Cisco Switches
Support for Universal Certificates
Policy Sets
Profiler Feed Service
Logical Profiles
Enhanced Guest and Sponsor Pages
RADIUS Authentication Suppression
Collection Filters
Support for Secure Syslogs
Support for Windows 2012 Active Directory
Global Search
Session Trace
Enhancement to Client Provisioning
Enhanced Reports and Alarms
Enhancements to Live Authentications Page
Enhancements to Cisco NAC Agent
Cisco NAC Agent for Windows
Cisco NAC Agent for Mac OS X
External RESTful Services
Supplicant Provisioning Wizard
Cisco NAC Agent



ISE 1.2.1 Release

New Plus License
Certificate Renewal
Newly Added Dictionary Attributes
Newly Added Authorization Policy Simple Condition
CWA Redirect To Renew Certificates
Upgrade Enhancements
Virtual Machine Resource Checks
Upgrade Bundle SHA-256 Checksum Verification
Monitoring Database Object Checks
Enhanced Show Tech Support Command Output
Database Enhancements




ISE 1.3.0 Release

Guest Enhancements
Internal Certificate Authority
Support for OVA Installation on Virtual Machines
Cisco pxGrid Services
Cisco pxGrid Identity Mapping
AnyConnect Unified Agent
Multi-Forest Active Directory
Authorization Enhancements
Serviceability Enhancements
Licensing Enhancements
Log File Enhancements
Right Click Options in Live Authentications and Live Sessions
Enhanced Reports and Alarms
VLAN Change Support Dropped
Upgrade Enhancements
Other Enhancements
Support for Mac OS X 10.10
FIPS Support




ISE 1.4.0 Release


  • Periodic AUP acceptance
  • Guest max sessions enhancement

Certificate Management:

  • Multi-Use Certificates
  • Replication of Wildcard certificate changes
  • Cert deletion from Admin UI
  • Certificate API
Profiler: Profiler Feed Test button
Portals: Oracle SAML Single Sign On (SSO) support for Web Portals

Administration: Automated Primary PAN Monitoring and Switchover


  • Meraki support; Multi-MDM support
  • Off-Prem MDM Onboarding

FIPS Mode:

  • Use of embedded FIPS 140-2 validated cryptographic modules
  • Cisco Common FIPS Mode (Certificate #1643 and #2100)
Patches: Posture Support for Patch Management vendor integration for Windows and Mac OS
Endpoints and AnyConnect: AnyConnect Provisioning of Sourcefire's Advanced Malware Protection (AMP) module




ISE 2.0 Release



ISE 2.0.1 Release




ISE 2.1 Release


From the ISE 2.1 Release Notes:




ISE 2.2 Release


From the ISE 2.2 Release Notes:




ISE 2.3 Release





ISE 2.4 Release

From the New Features section of the ISE 2.4 Release Notes:




Business Outcome

Active Directory Domain Controller Failover Mechanism

The Domain Controller (DC) failover mechanism is managed based on the DC priority list, which determines the order in which the DCs are selected in case of failover. If a DC is offline or not reachable due to some error, its priority is decreased in the priority list. When the DC comes back online, its priority is adjusted accordingly (increased) in the priority list.

Results in higher serviceability as a Network Access Control solution and increases reliability of the Cisco ISE connection to Active Directory deployments.

Kerberos Authentication for the Sponsor Portal

Kerberos SSO is performed inside the secure tunnel after the browser establishes the SSL connection with ISE.


Kerberos authentication is NOT supported for the Guest portal.

You can use Kerberos to authenticate a sponsor for access to the sponsor portal.

Some Dashlets Removed to Resolve Performance Issues

The following dashlets have been decommissioned to prevent performance issues when displaying large datasets:

  •   Context Visibility > Endpoint > Compliance: Status Trend


  •   Home > Endpoints > Endpoint


A large number of endpoints caused performance problems with some dashlets.

Cisco ISE Can Pull IoT Device Context and Session Data from Cisco IND

Cisco ISE can profile and display the status of devices attached to a Cisco Industrial Network Director (IND). Cisco Platform Exchange Grid (pxGrid) is used to communicate the endpoint (Internet of Things [IoT]) data between Cisco ISE and Cisco IND. pxGrid is used to receive the context from Cisco IND and query Cisco IND to update endpoint type.

Effective network monitoring and full visibility and control of industrial networks offer:
  • Full visibility and control of automation endpoints, such as controllers, IO devices, and human machine interfaces (HMIs).


  • Lowered asset management cost and improved operator productivity with Cisco IND and Cisco ISE integration.


Control Permissions for pxGrid Clients

You can create pxGrid authorization rules for controlling the permissions for the pxGrid clients (under Administration > pxGrid Services > Permissions).

Use these rules to control the services that are provided to the clients. You can create different types of groups and map the services provided to clients to these groups. Use the Manage Groups option in the Permissions window to add new groups.

You can view the predefined authorization rules that use predefined groups (such as EPS, ANC) on the Permissions window. You can update only the Operations field in the predefined rules.

Better pxGrid backward compatibility:
  • Significantly shortens the integration time with Cisco ISE to collect context information and initiate Adaptive Network Control (ANC) actions through Cisco ISE.


  • Helps control the services that are provided to the clients.


TrustSec Enhancements

You can select the ISE node from which the configuration changes must be sent to the network device while adding the network device (under Advanced TrustSec Settings section). You can select the PAN or PSN node. If the PSN node that you selected is down, the configuration changes are sent to this device using the PAN.

While deploying the IP SGT static mappings, you can select the devices or the device groups to which the selected mappings must be deployed. You can select all the devices if required. You can use the filter option to search for the devices that you want. If you do not select any device, the selected mappings are deployed on all TrustSec devices.

You can use the Check Status option to check whether different SGTs are assigned to the same IP address for a specific device. This option finds the devices that have conflicting mappings, the IP addresses that are mapped to multiple SGTs, and the SGTs that are assigned to the same IP address. It can be used even if device groups, FQDNs, hostnames, or IPv6 addresses are used in the deployment. You must remove the conflicting mappings or modify the scope of deployment before deploying these mappings.
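The kind of conflict that Check Status reports can be reproduced offline before a change window. The following is an added example, not Cisco ISE code: the row format, the `*` marker for "no device selected", and the device and SGT names are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

ALL_DEVICES = "*"  # assumption: marks a mapping deployed with no device selected

# Constructed sample rows: (device, address, SGT). Not an ISE export format.
SAMPLE_MAPPINGS = [
    ("sw-core-1", "10.1.20.5", "Employees"),
    ("sw-core-1", "10.1.20.5", "Contractors"),
    ("sw-core-1", "2001:db8::10", "Servers"),
    # Same IPv6 address as above, written in expanded form.
    ("sw-core-1", "2001:0db8:0000:0000:0000:0000:0000:0010", "Quarantine"),
    ("sw-edge-2", "10.1.20.5", "Employees"),
    ("sw-edge-2", "10.1.30.0/24", "Printers"),
    ("sw-edge-2", "10.1.30.7", "Printers"),
    ("sw-edge-2", "printer01.example.com", "Printers"),
    (ALL_DEVICES, "10.1.30.7", "Guests"),
]


def canonical(address):
    """Return one canonical prefix string per address, so that different
    spellings of the same IPv6 address compare equal."""
    return str(ipaddress.ip_network(address.strip(), strict=False))


def find_conflicts(mappings):
    """Return (conflicts, unresolved).

    conflicts:  {device: {prefix: [SGTs]}} for every prefix that carries
                more than one distinct SGT on that device.
    unresolved: rows whose address is a hostname/FQDN. They need a DNS
                lookup first and are reported instead of being guessed.
    Only identical prefixes are compared; overlapping prefixes of
    different lengths are treated as separate entries (a simplification).
    """
    devices = {dev for dev, _, _ in mappings if dev != ALL_DEVICES}
    table = defaultdict(lambda: defaultdict(set))
    unresolved = []

    for device, address, sgt in mappings:
        try:
            prefix = canonical(address)
        except ValueError:
            unresolved.append((device, address, sgt))
            continue
        # A mapping with no device selected lands on every TrustSec device.
        targets = devices if device == ALL_DEVICES else {device}
        for target in targets:
            table[target][prefix].add(sgt)

    conflicts = {}
    for device, prefixes in table.items():
        clashing = {p: sorted(s) for p, s in prefixes.items() if len(s) > 1}
        if clashing:
            conflicts[device] = clashing
    return conflicts, unresolved


if __name__ == "__main__":
    found, pending = find_conflicts(SAMPLE_MAPPINGS)
    for device in sorted(found):
        for prefix, sgts in sorted(found[device].items()):
            print(f"{device}: {prefix} -> {', '.join(sgts)}")
    for device, name, sgt in pending:
        print(f"needs DNS resolution: {name} ({sgt}) on {device}")
```

The unscoped `Guests` row conflicts only on `sw-edge-2`, which is why narrowing the deployment scope is one of the two ways to clear a conflict.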

The Verify TrustSec Deployment option on the General TrustSec Settings page helps you verify whether the latest TrustSec policies are deployed on all the network devices. If there are any discrepancies between the policies configured on Cisco ISE and those on a network device, alarms are displayed in the Alarms dashlet (under Work Centers > TrustSec > Dashboard). The following alarms are displayed in the TrustSec dashboard:

  •   An alarm with an Info icon is displayed whenever the verification process is started or completed.


  •   An alarm with an Info icon is displayed if the verification process is cancelled due to a new deployment request.


  •   If the verification process resulted in an error (for instance, failed to open SSH connection with the network device, or the network device is unavailable), or if there is any discrepancy between the policies configured on Cisco ISE and the network device, an alarm with a Warning icon is displayed for each of these network devices.


The Verify Deployment option is also available on the following pages:

  •   Work Centers > TrustSec > Components > Security Groups


  •   Work Centers > TrustSec > Components > Security Group ACLs


  •   Work Centers > TrustSec > TrustSec Policy > Egress Policy > Matrix


  •   Work Centers > TrustSec > TrustSec Policy > Egress Policy > Source Tree


  •   Work Centers > TrustSec > TrustSec Policy > Egress Policy > Destination Tree


Check the Automatic Verification After Every Deploy check box if you want Cisco ISE to verify the updates on all the network devices after every deployment. When the deployment process is complete, the verification process is started after the time that you specify in the Time after Deploy Process field. The current verification process is cancelled if a new deployment request is received during the waiting period or when the verification is in progress. Click Verify Now to start the verification process immediately.

IPv6 addresses can be used in IP SGT static mappings. These mappings can be propagated using SSH or SXP to specific network devices or network device groups.

If FQDN and hostnames are used, Cisco ISE looks for the corresponding IP addresses in the PAN and PSN nodes while deploying the mappings and checking the deployment status. You can use the IP SGT Static Mapping of Hostnames option in the General TrustSec Settings window to specify the number of mappings created for the IP addresses returned by the DNS query. You can select one of the following options:
  • Create mappings for all IP addresses returned by DNS query


  • Create mappings only for the first IPv4 address and the first IPv6 address returned by DNS query


Enhanced IP SGT workflow:
  • Improves network device misconfiguration error handling and operational efficiency through Check Status option.


  • Verifies TrustSec configuration on Network Devices.


  • Selectively deploy the IP SGT static mappings.


  • Create IP static mappings with IPv6 addresses.


  • Create mappings for first or all known IP addresses based on DNS FQDN query.


IPv6 Support Expanded

IPv6 addresses are now supported for RADIUS configurations. The IP Address field in the Administration > Network Resources > Network Devices page and the Host IP field in the Administration > Network Resources > External RADIUS Server page now support both IPv4 and IPv6 addresses for RADIUS configurations.

Additional support for IPv6 addressing:
  • Allows you to migrate your network to IPv6-based networks. You can migrate to IPv6 addressing if you have fragmented networks or have exhausted IPv4 addresses.


  • Facilitates more efficient routing, packet processing, security, and simplified network configuration.


Large Virtual Machine for Monitoring Persona

Cisco ISE introduces a large VM for Monitoring nodes. Starting from Release 2.4, the large VM is required for any deployment that handles greater than 500,000 sessions.

This form factor is available only as a VM in Release 2.4 and above, and requires a large VM license.

Deploying Monitoring persona on a large VM offers the following advantages:
  • Supports greater than 500,000 sessions and is scalable


  • Improved performance in terms of faster response to live log queries and report completion


Posture Enhancements

  • Grace Period for Noncompliant Devices— Cisco ISE provides an option to configure grace time for devices that become noncompliant.


    Cisco ISE caches the results of posture assessment for a configurable amount of time. If a device is found to be noncompliant, Cisco ISE looks for the previously known good state in its cache and provides grace time for the device, during which the device is granted access to the network. You can configure the grace time period in minutes, hours, or days (up to a maximum of 30 days).


    The Posture Assessment by Endpoint report is updated and displays a Grace Compliant status for an endpoint that is currently not compliant, but is under the grace period.


  • Posture Rescan—AnyConnect users now have the option to manually restart posture at any point of time.


  • AnyConnect Stealth Mode Notifications—Several new failure notifications are added for AnyConnect stealth mode deployment to help users identify issues with their VPN connection.


  • Disabling UAC Prompt on Windows—You can choose to disable the User Account Control (UAC) prompts on Windows endpoints from the AnyConnect posture profile.



    By default, this value is set to No while configuring the AnyConnect Profile. When you change it to Yes, the UAC prompts are disabled and the Windows users no longer receive these prompts.

    If you want to enable the UAC prompt again, you should change this setting to No in the AnyConnect Profile. This setting takes effect only when the Windows endpoint is restarted.

  • New URL for Downloading Client Provisioning and Posture Updates—The client provisioning and posture feed URL has changed.


    The new URL is:







  • File Condition Enhancements—A new operator, within, is introduced under File Condition to check for changes in a file within a certain period of time.


  • Certificate Attributes in Client Provisioning and Posture Policies—Certificate attributes are now available in the client provisioning and posture policy pages.


Improved security alerts and enforcement:
  • Provides admin users with more flexible options for educating end users about posture condition failures including grace-period-specific messaging scenarios.


  • Helps effective management of some posture checks and remediations that require additional privileges and prompts the user for such privileges.


Profiler Enhancements

  • Added 512 new profile policies from vendors, including ADtranz, AudioCode, Barracuda, BlackBerry, Brother, Hewlett Packard, Lexmark, NetApp, Samsung, and Xerox.


  • Added additional conditions to 189 profile policies to support additional probes. For example, DHCP conditions are added to Xerox devices such that customers who do not want to profile Xerox devices based on SNMP, can profile Xerox devices using DHCP.


  • Reorganized profiles into families for better identification of new devices. For example, HP-LaserJet-4350 was previously profiled directly under HP-Device. It is now profiled under HP-LaserJet, which in turn is profiled under HP-Device. When Hewlett Packard introduces a new Hewlett Packard LaserJet printer model, Cisco ISE will classify the new model as HP-LaserJet, and not as HP-Device until a new profile policy for that exact LaserJet printer model is added.


Effective classification of devices:
  • Helps you gain visibility of previously unknown devices, such as Xerox printers or Vista link printers with improved profiler efficacy.


Endpoint API Enhancements for Mobile Device Management (MDM) Attributes

MDM attributes are made available through the endpoints API to enable additional synchronization capability between Cisco ISE and a third-party MDM server.

Helps customers to better integrate third party systems with ISE and provide better user experience for end users using mobile devices that are managed by an MDM server.

Support for Two Shared Secrets Per IP for RADIUS NAD Clients

You can specify two shared secrets (keys) to be used by the network device and Cisco ISE. You can configure the shared secrets in the RADIUS authentication settings section for a NAD in the Administration > Network Resources > Network Devices page in Cisco ISE.

Replace Shared Secrets on network devices:

You can now replace shared secrets on network devices independently without Cisco ISE. Changing a RADIUS secret is now simplified and allows you to enter a new shared secret.

Support for Sending Separate SNMP CoA Packets

You can check the Send SNMP COA Separate Request check box in the Administration > Network Resources > Network Device Profiles > Change of Authorization (CoA) page to send the SNMP CoA packets to the NAD as two packets.

Increased compatibility with devices:

Provides support for older Cisco and third party NADs that mandate the sending of SNMP CoA packets as two packets (for the shutdown and no shutdown interface configuration commands).



ISE 2.6 Release

From the New Features section of the ISE 2.6 Release Notes:



Business Outcome

Base Licensing Features

IPv6 Phase 3 Support

ISE Management

You can now install and access ISE with either IPv4 or IPv6 addresses. The following ISE functionalities are supported over IPv6:

  • Setup: Configure IPv6 for eth0 along with IPv4.
  • Manage (modify/add/remove/bonding) IPv4 or IPv6 address via CLI for any interface.
  • SSH manageability.
  • ISE Admin UI access over IPv4 or IPv6.
  • Restrict Admin UI and CLI access by IP.
  • CLI CDP visibility.
  • ISE Node Management (registration, manual-sync, replication, etc).
  • CLI: Configure multiple IPv6 addresses on any interface.

Network Time Protocol Support

You can configure and access the NTP server with an IPv4 or an IPv6 address.

  • Primary PAN NTP configuration is not replicated to secondary nodes.
  • Each node in a deployment can be configured with different NTP servers.
  • An ISE node can be configured with IPv4, IPv6 or FQDN NTP servers, or a mix of these.
  • Administrators can configure NTP authentication keys and associate them with the primary/secondary/tertiary NTP servers by marking the keys as trusted.
  • When ISE isn’t able to sync with all configured NTP servers (either IPv4 or IPv6), ISE raises an alarm called NTP Sync Failure.
  • When NTP service on Cisco ISE does not work, Cisco ISE raises an alarm called NTP Service Failure.

The following ISE functionalities are supported over IPv6:

  • Setup: Configure NTP server with IPv4, IPv6 or FQDN.
  • CLI: Admin can manage primary/secondary/tertiary NTP servers via IPv4, IPv6 or FQDN.
  • NTP server configuration sync between CLI and UI.
  • NTP alarms are triggered if all NTP servers are not configured.
  • NTP alarms are triggered if service itself is affected.
  • NTP fallback mechanism from primary to secondary, and from secondary to tertiary NTP servers.
  • NTP authentication mechanism.

Domain Name System Support

You can configure a combination of IPv4 and IPv6 Domain Name System (DNS) servers. Failover between all combinations is also possible. For further details, see the Cisco Identity Services Engine CLI Reference Guide, Release 2.6.

The following ISE functionalities are supported over IPv6:

  • Setup: Allow IPv4 or IPv6-based DNS server during setup wizard.
  • CLI: Managing IPv4 or IPv6-based DNS servers.
  • Configuring a combination of IPv4 and IPv6-based DNS server.
  • Configure static hostnames with IPv6 addresses.
  • Failover between DNS servers.

External Repositories

You can now add an external repository with an IPv6 address on ISE. For further details, see Cisco Identity Services Engine Administrator Guide, Release 2.6. Communication between an ISE node and an IPv6 external repository is only possible if the node has an IPv6 address configured to Eth0.

Repositories configured with an FQDN will communicate over IPv4 or IPv6 based on:

  • Whether or not ISE is in dual stack.
  • Whether FQDN external repository is getting resolved to IPv4 or IPv6 or both.

Audit Logs and Reports

You can now view logs of login/logout, password change, and operational changes by IPv6 users in the relevant audit reports generated.

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) servers can now be contacted via IPv6 addresses.

  • ISE supports NMS/SNMP server.
  • Configuration is allowed only from CLI. 
  • Admin can configure IPv4 or IPv6-based SNMP server.
  • Admin can also configure IPv4 or IPv6 based SNMP server hosted with v1/v2c/v3.
  • Admin can configure multiple SNMP servers.
  • Admin can send SNMP traps to SNMP server over IPv4 or IPv6.
  • Admin can configure multiple SNMP servers (a mix of IPv4 and IPv6 SNMP servers is possible).
  • ISE can send TRAPS or MIBs information with IPv6 (for example, CDP IPv6 info) to IPv4 or IPv6 SNMP servers.

The following ISE functionalities are supported over IPv6:

  • CLI: Managing configuration of SNMP servers (IPv4 or IPv6) from CLI.
  • CLI: Configure SNMP server hosted on IPv4 or IPv6 with v1/v2c/v3 compatibility.
  • UI: Configure SNMP server from UI.
  • CLI: Support for SNMP queries snmp-get, getmany, and getBulk from IPv4 or IPv6 SNMP servers to an ISE node.
  • Traps can be sent to IPv4 or IPv6 SNMP servers.
  • Traps or MIB information containing IPv6 details can be sent to IPv4 or IPv6 SNMP servers.
  • Multiple SNMP servers support.

Access Control Lists

You can now define Access Control Lists (ACLs) and Airespace ACLs with IPv6 addresses.

Dynamic Access Control Lists

You can now define Dynamic Access Control Lists (DACLs) with IPv6 addresses.

Active Directory

You can now connect to IPv6 deployments of Active Directory from ISE.

External Restful Service Portal

You can now specify an IPv6 address or hostname to connect with External Restful Service (ERS).

Syslog Client or Logging Targets

You can connect to IPv6 syslog targets.


ISE can connect to RADIUS servers with an IPv6 address.

Allows you to migrate to an IPv6-based network for the above-mentioned ISE features.

REST Support for External Administrators

From Cisco ISE 2.6, External RESTful Services (ERS) users can be either internal users or members of an external Active Directory. The Active Directory group to which the external user belongs should be mapped to either the ERS Admin or the ERS Operator group. With this enhancement, administrators no longer need to create an internal user counterpart for external users that need access to ERS services, making this feature easier to use.

Simplified process of enabling external administrators to access RESTful services.

Japanese Version of the Administrator Portal

The Administration console currently supports two languages, Japanese and English. You can select either Japanese or English view under Account Settings.

Suitable for Japanese administrators to configure and use Cisco ISE.

TrustSec Deployment Verification Report

You can use this report to verify whether the latest TrustSec policies are deployed on all network devices or if there are any discrepancies between the policies configured on Cisco ISE and the network devices.

Can easily verify whether the latest TrustSec policies are deployed on the network devices or if there are any discrepancies.

CLI Access by External Identity Store

ISE supports authentication of CLI Administrators by external identity sources, such as Active Directory.

Manage a single source for passwords without the need to manage multiple password policies and administer internal users within ISE, thereby reducing time and effort.

Support for MUD

Manufacturer Usage Descriptor (MUD) is an architecture for IoT devices. MUD is tracked by IETF, and the spec is available here:

For release 1.0, ISE supports identification of IoT devices, and automatic creation of profiling policies and Endpoint Identity Groups. ISE gets IoT attributes as a MUD-URL in DHCP and LLDP packets, which are delivered by Cisco network devices.

ISE performs unsigned classification of IoT devices, which is accessed through profiler policies. ISE does not store the MUD attributes; they are used only in the current session. In the Endpoints display under Context and Visibility, you can filter IoT devices by the Endpoint profile name.

The number of IoT devices that are connected to enterprise networks is increasing, and, until now, ISE could not classify those devices. With ISE 2.6, ISE can classify and display the IoT devices that are connected to your network, with an automated process.

Syslog over ISE Messaging

Cisco ISE 2.6 offers MnT WAN Survivability for UDP syslog collection. System logs are recorded using ISE Messaging Services. Remote Logging Targets use TCP port 8671 and Secure Advanced Message Queuing Protocol (AMQPs) for sending syslog to MnT.

By default, the ISE Messaging Service option is disabled.

Operational data will be retained for a finite duration even when MnT node is unreachable.

PSN Light Session Directory

The Light Session Directory can be used to store user session information and replicate it across the Policy Service Nodes (PSNs) in a deployment, thereby eliminating the need to be totally dependent on Primary Administration Node (PAN) or Monitoring and Troubleshooting (MnT) nodes for user session details. The Light Session Directory stores only the session attributes required for Change of Authorization (CoA). To enable the Light Session Directory feature, choose Administration > Settings > Light Session Directory and select the Enable Light Session Directory check box.

Improved performance and scalability.

Plus Licensing Features


Apex Licensing Features

Identify Managed Devices with Dynamic MAC Addresses

AnyConnect 4.7 now provides a Unique Device ID (UDID) to identify a connected user. The UDID value can be mapped with information from Mobile Device Management (MDM) providers to help identify users who have the same MAC address. MAC address sharing is common in open offices, where more than one person shares a dock or USB dongle.

You can develop a solution that uses the UDID to uniquely identify a user, when device connections are shared.

Flexible Remediation Notification

Go to Policy > Posture > Delay Notification to delay the grace period prompt from being displayed to the user until a specific percentage of grace period has elapsed. For example, if the Delay Notification field is set to 50 percent and the configured grace period is 10 minutes, Cisco ISE checks the posture status after 5 minutes and displays the grace period notification if the endpoint is found to be noncompliant. Grace period notification is not displayed if the endpoint status is compliant. If the notification delay period is set to 0 percent, the user is prompted immediately at the beginning of the grace period to remediate the problem. However, the endpoint is granted access until the grace period expires.

Flexible Grace Period Remediation prompts start for endpoints. Prevents unnecessary remediation prompts for endpoints waiting for JAMF or Microsoft System Center Configuration Manager (SCCM) updates.

Generic or Custom Messaging through Cisco AnyConnect

More informative messages can now be displayed by Cisco AnyConnect, when it is used for ISE Posture. End users can now see messages about posture status and errors. You can also modify the content that is displayed in AnyConnect posture profiles. Note that this requires Cisco AnyConnect Version 4.7.

Better communication with the end user.