Cisco Identity Services Engine 1.2 Information Guide

Cisco Identity Services Engine Network Component Compatibility, Release 1.2.x
OL-27042-01
Supported AAA Attributes for Third-Party VPN Concentrators
For third-party VPN concentrators to integrate with Cisco ISE and Inline Posture nodes, the following 
authentication, authorization, and accounting (AAA) attributes must be included in RADIUS 
communication:
  • Calling-Station-Id (for MAC_ADDRESS)
  • USER_NAME
  • NAS_PORT_TYPE
Also, for VPN devices, the RADIUS accounting message must have the framed-ip-address attribute set 
to the VPN client’s IP address pool.
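
A way to check captured RADIUS packets from a third-party VPN concentrator against the requirement above. This is an added example, not code from Cisco or from this guide. It maps the guide's USER_NAME and NAS_PORT_TYPE to the RFC 2865 User-Name and NAS-Port-Type attributes, assumes every Accounting-Request it sees comes from a VPN device, and uses a constructed sample packet; the function names are hypothetical.

```python
import struct

# RADIUS attribute type numbers (RFC 2865) for the attributes named above.
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 8, 31, 61
NAMES = {USER_NAME: "User-Name", FRAMED_IP_ADDRESS: "Framed-IP-Address",
         CALLING_STATION_ID: "Calling-Station-Id", NAS_PORT_TYPE: "NAS-Port-Type"}
ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)


def parse_attributes(packet: bytes) -> tuple[int, dict[int, bytes]]:
    """Return (packet code, {attribute type: first value}) for a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs


def missing_attributes(packet: bytes) -> list[str]:
    """List required attributes that are absent or empty in this packet."""
    code, attrs = parse_attributes(packet)
    required = [CALLING_STATION_ID, USER_NAME, NAS_PORT_TYPE]
    if code == ACCOUNTING_REQUEST:  # assumption: sender is a VPN device
        required.append(FRAMED_IP_ADDRESS)
    return [NAMES[t] for t in required if not attrs.get(t)]


def build_packet(code: int, attrs: list[tuple[int, bytes]]) -> bytes:
    """Build a constructed sample packet (zeroed authenticator, testing only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


# Constructed sample: accounting request that lacks Framed-IP-Address.
SAMPLE = build_packet(ACCOUNTING_REQUEST, [
    (USER_NAME, b"alice"), (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (NAS_PORT_TYPE, struct.pack("!I", 5))])  # 5 = Virtual

if __name__ == "__main__":
    print(missing_attributes(SAMPLE))  # ['Framed-IP-Address']
```
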
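| Device | Recommended OS Version | MAB | 802.1X | Web Auth (CWA) | Web Auth (LWA) | Session CoA | VLAN | dACL/Named ACL | TrustSec | Device Sensors |
|---|---|---|---|---|---|---|---|---|---|---|
| Cisco ASA 5500 and 5500-X Series (for remote access only) | ASA 9.2.1 | NA | NA | NA | NA | Yes (note 11) | Yes | Yes | Yes | No |
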
1. The “Recommended OS Version” is based on releases that contain both core and advanced ISE feature support and have been tested with Cisco ISE release 1.2.x. This table is not a representation of all possible OS versions supported by ISE. The OS versions not listed may be supported with limited features, may contain critical defects for selected features, and have not been fully tested with Cisco ISE 1.2.x. While selecting an OS version, it is recommended to refer to the OS documentation for the required Cisco ISE feature support and outstanding defects.

For previously tested OS versions with older Cisco ISE releases, refer to the following:

2. Cisco Wireless LAN Controllers (WLCs) and Wireless Service Modules (WiSMs) do not support downloadable ACLs (dACLs), but support named ACLs. Autonomous AP deployments do not support the requirements for Inline Posture Node as they do not send Framed-IP-Address. Profiling services are supported for 802.1X-authenticated WLANs starting from WLC release 7.0.116.0 and for MAB-authenticated WLANs starting from WLC 7.2.110.0. FlexConnect, previously known as Hybrid Remote Edge Access Point (HREAP) mode, is supported with central authentication configuration deployment starting from WLC 7.2.110.0. For additional details regarding FlexConnect support, refer to the release notes for the applicable wireless controller platform.
3. For a complete list of Cisco TrustSec feature support, see 
4. 2960 LAN Lite is supported but not recommended with ISE 1.2 due to limited feature support. LAN Lite supports only 802.1X and VLAN assignments.
5. The current available IOS releases for converged access switches, such as 3850 or 3650, may not send Calling-Station-ID in the RADIUS accounting requests, which may result in incorrect session states and endpoint profiles in ISE. Refer to 
 
for more information.
6. WLCs prior to release 7.0.116.0 do not support CoA and require deployment of an ISE Inline Posture Node to support posture services.
7. Supports MAC filtering with RADIUS lookup.
8. DNS based ACL feature will be supported in WLC 8.0. Not all Access Points support DNS based ACL. Refer to Cisco Access Points Release Notes for more details.
9. Support for session ID and COA with MAC filtering provides MAB-like functionality.
10. 802.1X / MAB with URL redirect is only available on non-800 ISR G2. Web Authentication with URL redirect is not available on all ISR G2 platforms.
11. Requires ISE Version 1.2.0.899—Cumulative Patch 5 or above.
Table 1: Supported Network Access Devices (continued)