Field Notice: FN - 72354 - Identity Services Engine: Online Updates for Posture and Client Provisioning Using HTTPS Connections Might Fail - Software Upgrade Recommended
Available Languages
Notice
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.0 |
16-Feb-22 |
Initial Release |
Products Affected
| Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
|---|---|---|---|---|
NON-IOS |
Identity Services Engine System Software |
1 |
1.0, 1.0 MR, 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2, 1.2.1, 1.3, 1.4 |
For ISE 1.X - all versions |
NON-IOS |
Identity Services Engine System Software |
2 |
2.0, 2.0.1 |
For ISE 2.0 – all patch versions |
NON-IOS |
Identity Services Engine System Software |
2 |
2.1.0 |
For ISE 2.1 – all patch versions |
NON-IOS |
Identity Services Engine System Software |
2 |
2.2.0 |
For ISE 2.2 - all patch versions |
NON-IOS |
Identity Services Engine System Software |
2 |
2.3.0 |
For ISE 2.3 - all patch versions |
NON-IOS |
Identity Services Engine System Software |
2 |
2.4.0 |
For ISE 2.4 – Patch 3 and earlier |
Defect Information
| Defect ID | Headline |
|---|---|
| CSCwa85640 | Server Name Indication not supported |
Problem Description
Starting 2022-05-01, the affected Identity Services Engine (ISE) versions can no longer obtain updates online for posture and client provisioning without use of a proxy.
Background
Server Name Indication (SNI) is an extension of the Transport Layer Security (TLS) protocol that allows multiple secure (HTTPS) websites (or any other service over TLS) to be served from the same IP address without requiring all those sites to use the same certificate. As a security measure, the Cisco cloud service for online posture and client provisioning updates will require the use of SNI starting 2022-05-01. The affected versions of ISE do not support the SNI extension in the TLS protocol and will not be able to establish a connection with online posture and client provisioning update services without use of a proxy.
Problem Symptom
Connections to the Cisco site for online posture and client provisioning updates will fail with an error. The online posture updates error displayed on the ISE console is shown in this image.
The client provisioning error displayed on the ISE console is shown in this image.
Workaround/Solution
Solution
In order to continue to use online posture and client provisioning update services, upgrade the ISE system software to ISE Release 2.4 Patch 5 or later.
Workaround
If an upgrade to the ISE system software is not immediately possible, complete one of these actions:
- Set up a proxy server. In order to do so, refer to the “Configure Proxy Settings in Cisco ISE” process in the respective Cisco Identity Services Engine Administrator Guide document for the ISE version used. In order to determine if the proxy server supports SNI, refer to the proxy server’s documentation.
- Perform the "Cisco ISE Offline Updates" process. In order to do so, see the respective Cisco Identity Services Engine Release Notes document for the ISE version used.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)
This Document Applies to These Products
Unleash the Power of TAC's Virtual Assistance