For Wireless LAN Controllers, note the following:

- MAB supports MAC filtering with RADIUS lookup.
- Support for session ID and CoA with MAC filtering provides MAB-like functionality.
- The DNS-based ACL feature will be supported in WLC 8.0. Not all Access Points support DNS-based ACL.
BYOD Access, Guest Access, Access Control, Asset Visibility.

Cisco ISE can reach deep into the network to deliver superior visibility into who and what is accessing resources. Consistent access control across wired, wireless and VPN networks. 802.1X, MAC, Web Authentication.

The Macintosh, or Mac, is a series of several lines of personal computers manufactured by Apple Inc. The first Macintosh was introduced on January 24, 1984, by Steve Jobs, and it was the first commercially successful personal computer to feature two elements that were already known at the time but still not widely used: the mouse and the graphical user interface, rather than the command line.
Refer to Cisco Access Points Release Notes for more details.

The following tables list the support for the devices as follows:

- √ : Fully supported.
- X : Not supported.
- ! : Limited support, some functionalities are not supported.

The following are the functionalities supported by each feature.

10. Cisco Wireless LAN Controllers (WLCs) and Wireless Service Modules (WiSMs) do not support downloadable ACLs (dACLs), but support named ACLs. Autonomous AP deployments do not support endpoint posturing. Profiling services are supported for 802.1X-authenticated WLANs starting from WLC release 7.0.116.0 and for MAB-authenticated WLANs starting from WLC 7.2.110.0. FlexConnect, previously known as Hybrid Remote Edge Access Point (HREAP) mode, is supported with central authentication configuration deployment starting from WLC 7.2.110.0. For additional details regarding FlexConnect support, refer to the release notes for the applicable wireless controller platform.
Cisco Routers

- ISR 88x, 89x Series
  - IOS 15.3.2T(ED): √ ! X ! X X √
  - IOS 15.2(2)T: ! ! X ! X X √
- ISR 19x, 29x, 39x Series
  - IOS 15.3.2T(ED): √ ! X ! X X √
  - IOS 15.2(2)T: √ ! X ! X X √
- SGR 2010
  - IOS 15.3.2T(ED): √ ! X ! X X √
  - IOS 15.3.2T(ED): √ ! X ! X X √
- 4451-XSM-X L2/L3 Ethermodule
  - IOS XE 3.11: √ √ √ √ √ √ √
  - IOS XE 3.11: √ √ √ √ √ √ √
- CE 9331
  - IOS XE 16.12.1: √ X X X X X √
  - IOS XE 16.12.1: √ X X X X X √
- C959-2PLTEUS
  - IOS XE 16.12.1: √ X X X X X √
  - IOS XE 16.12.1: √ X X X X X √
- ASR1201
  - IOS XE 16.12.1: √ X X X X X √
  - IOS XE 16.12.1: √ X X X X X √
- ASR1202
  - IOS XE 16.12.1: √ X X X X X √
  - IOS XE 16.12.1: √ X X X X X √

Note: The new features introduced in Cisco ISE 1.4 and later releases, such as the Service Check (MAC OS X), File Check (MAC OS X), Application Check (MAC OS X), and Patch Management Check (MAC OS X and Windows), are available only with AnyConnect 4.1.00028 or later.

The new features introduced in Cisco ISE 2.2 and later releases, such as Application Visibility Monitoring, Firewall Check, and File Check enhancements (checks for SHA-256 checksum) are available only with AnyConnect 4.4.X or later. Refer to the for more information.

25. Because of the open-access nature of Android implementation on available devices, Cisco ISE may not support certain Android OS version and device combinations.

Android 9 changes require:

- Update the posture feed in ISE to get the NSA for Android 9.
- Android no longer uses Common Name (CN). The hostname must be in the subjectAltName (SAN) extension, or trust fails.
- If you are using self-signed certificates, regenerate the certificate by entering either the domain name or IP Address option in the SAN field.

26. When Apple iOS devices use Protected Extensible Authentication Protocol (PEAP) with Cisco ISE or 802.1x, certificate warnings might be displayed even for publicly trusted certificates. This usually occurs when the public certificate includes a Certificate Revocation List (CRL) distribution point that the iOS device needs to verify. The iOS device cannot verify the CRL without network access.
Click Confirm or Accept in the iOS device to authenticate to the network.

If you are using Apple iOS 12.2 or a later version, you must manually install the downloaded Certificate/Profile. To do this, choose Settings > General > Profile in the Apple iOS device and click Install.

If you are using Apple iOS 12.2 or a later version, RSA key size must be 2048 bits or higher. Otherwise, you might see an error while installing the BYOD profile.

AnyConnect

- Apple macOS 10.14
  - Browsers: Apple Safari, Mozilla Firefox, Google Chrome
  - Supplicant: Apple macOS Supplicant 10.14
  - Versions listed: 2.2; 4.9.5.3; 4.4.X or later
- Apple macOS 10.13
  - Browsers: Apple Safari, Mozilla Firefox, Google Chrome
  - Supplicant: Apple macOS Supplicant 10.13
  - Versions listed: 2.2; 4.9.5.3; 4.4.X or later
- Apple macOS 10.12
  - Browsers: Apple Safari, Mozilla Firefox, Google Chrome
  - Supplicant: Apple macOS Supplicant 10.12
  - Versions listed: 2.2; 4.9.5.3; 4.4.X or later
- Apple Mac OS X 10.11
  - Browsers: Apple Safari, Mozilla Firefox, Google Chrome
  - Supplicant: Apple Mac OS X Supplicant 10.11
  - Versions listed: 2.2; 4.9.5.3; 4.4.X or later
- Apple Mac OS X 10.10
  - Browsers: Apple Safari, Mozilla Firefox, Google Chrome
  - Supplicant: Apple Mac OS X Supplicant 10.10
  - Versions listed: 2.2; 4.9.5.3; 4.4.X or later
- Apple Mac OS X 10.9
  - Browsers: Apple Safari, Mozilla Firefox, Google Chrome
  - Supplicant: Apple Mac OS X Supplicant 10.9
  - Versions listed: 2.2; 4.9.5.3; 4.4.

AnyConnect

- Microsoft Windows 10
  - Editions: Windows 10
  - Browsers: Microsoft Edge, Microsoft IE 11, Mozilla Firefox, Google Chrome
  - Supplicants: Microsoft Windows 10 802.1X Client, AnyConnect Network Access Manager
  - Versions listed: 2.2; 4.9.5.8, 4.9.5.7, 4.9.5.6, 4.9.5.9, 4.9.5.8, 4.9.5.4, 4.9.5.3; 4.4.X or later
- Microsoft Windows 8, Windows 8.1
  - Editions: Windows 8, Windows 8 x64, Windows 8 Professional, Windows 8 Professional x64, Windows 8 Enterprise, Windows 8 Enterprise x64
  - Browsers: Microsoft IE 11, Mozilla Firefox, Google Chrome
  - Supplicants: Microsoft Windows 8 802.1X Client, AnyConnect Network Access Manager
  - Versions listed: 2.2; 4.9.5.8, 4.9.5.7, 4.9.5.6, 4.9.5.9, 4.9.5.8, 4.9.5.4, 4.9.5.3; 4.4.X or later
- Windows 7
  - Editions: Windows 7 Professional, Windows 7 Professional x64, Windows 7 Ultimate, Windows 7 Ultimate x64, Windows 7 Enterprise, Windows 7 Enterprise x64, Windows 7 Home Premium, Windows 7 Home Premium x64, Windows 7 Home Basic, Windows 7 Starter Edition
  - Browsers: Microsoft IE 11, Mozilla Firefox, Google Chrome
  - Supplicants: Microsoft Windows 7 802.1X Client, AnyConnect Network Access Manager
  - Versions listed: 2.2; 4.9.5.8, 4.9.5.7, 4.9.5.6, 4.9.5.9, 4.9.5.8, 4.9.5.4, 4.9.5.3; 4.4.
Note: Cisco ISE BYOD or Guest portal will fail to launch in Chrome Operating System 73 even though the URL is redirected successfully.

To launch the portals in Chrome Operating System 73, follow the steps below:

1. Generate a new self-signed certificate from the ISE GUI by filling the Subject Alternative Name field. Both DNS and IP Address must be filled.
2. Export and copy the certificate to the end client (Chromebook).
3. Choose Settings > Advanced > Privacy and Security > Manage certificates > Authorities.
4. Import the certificate.
5. Open the browser and try to redirect the portal.

RADIUS DTLS client for CoA

TLS 1.0 support

- When TLS 1.0 is allowed (DTLS server supports only DTLS 1.2)
- When TLS 1.0 is allowed (DTLS client supports only DTLS 1.2)

Note: The Allow TLS 1.0 option is disabled by default in Cisco ISE 2.2 Patch 2 and above. TLS 1.0 is not supported for TLS-based EAP authentication methods (EAP-TLS, EAP-FAST/TLS) and 802.1X supplicants when this option is disabled. If you want to use the TLS-based EAP authentication methods in TLS 1.0, check the Allow TLS 1.0 check box in the Security Settings page (Administration > System > Settings > Protocols > Security Settings).

ECC RSA ciphers

- ECDHE-RSA-AES256-GCM-SHA384: When ECDHE-RSA is allowed / When ECDHE-RSA is allowed
- ECDHE-RSA-AES128-GCM-SHA256: When ECDHE-RSA is allowed / When ECDHE-RSA is allowed
- ECDHE-RSA-AES256-SHA384: When ECDHE-RSA is allowed / When ECDHE-RSA is allowed
- ECDHE-RSA-AES128-SHA256: When ECDHE-RSA is allowed / When ECDHE-RSA is allowed
- ECDHE-RSA-AES256-SHA: When ECDHE-RSA and SHA1 are allowed / When ECDHE-RSA and SHA1 are allowed
- ECDHE-RSA-AES128-SHA: When ECDHE-RSA and SHA1 are allowed / When ECDHE-RSA and SHA1 are allowed

Requirements for CA to Interoperate with Cisco ISE

While using a CA server with Cisco ISE, make sure that the following requirements are met:
- Key size should be 1024, 2048, or higher. In the CA server, the key size is defined using the certificate template. You can define the key size on Cisco ISE using the supplicant profile.
- Key usage should allow signing and encryption in extension.
- While using GetCACapabilities through the SCEP protocol, the cryptography algorithm and request hash should be supported. It is recommended to use RSA + SHA1.
- Online Certificate Status Protocol (OCSP) is supported. This is not directly used in BYOD, but a CA which can act as an OCSP server can be used for certificate revocation.
- If you use an enterprise PKI to issue certificates for Apple iOS devices, ensure that you configure key usage in the SCEP template and enable the “Key Encipherment” option. For example, if you use Microsoft CA, edit the Key Usage Extension in the certificate template. In the Encryption area, click the Allow key exchange only with key encryption (key encipherment) radio button and also check the Allow encryption of user data check box.
- Cisco ISE supports the use of the RSASSA-PSS algorithm for trusted certificates and endpoint certificates for EAP-TLS authentication. When you view the certificate, the signature algorithm is listed as 1.2.840.113549.1.1.10 instead of the algorithm name.

Table 18 Client-Certificate Requirements for RSA and ECC

RSA

- Supported Key Sizes: 1024, 2048, and 4096 bits
- Supported Secure Hash Algorithms (SHA): SHA-1 and SHA-2 (includes SHA-256)

ECC

- Supported Curve Types: P-192, P-256, P-384, and P-521
- Supported Secure Hash Algorithm (SHA): SHA-256

Client Machine Operating Systems and Supported Curve Types

- Windows 8 and later: P-256, P-384, and P-521
- Android 4.4 and later: All curve types (except Android 6.0, which does not support the P-192 curve type). Note: Android 6.0 requires the May 2016 patch to support ECC certificates.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

Subscribe to the What’s New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.