Service Tool Version 3400 Engine

Original Operating Instructions
Two-Wheel Tractor
3400; 3400KL
Versions with:
- Steering Brake Clutch
- Petrol Engine EH 34 D
3247/4291A
Before commissioning the machine, read operating instructions
Operating Instructions No. 998 749-C

Summary of Contents for Agria 3400

  • Page 1 Instructions Two-Wheel Tractor 3400; 3400KL Versions with: - Differential - Steering Brake Clutch - Safety hillholder - Petrol Engine EH 34 D..
  • Page 2: Amount Of Delivery

    Please state these data when ordering spare parts to avoid wrong deliveries. Only use original agria spare parts! Specifications, figures and dimensions stated in these instructions are not binding. No claims can be derived from them. Reverse / Fast / Slow / Differential lock
  • Page 3: Differential Version

    Designation of Parts: Petrol Engine / Differential Version Figure A Figure B agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 4 7 Forward/Reverse ball handle (with steering handle swivelled (front attachment) = Gear-shift ball handle) 8 Gear-shift ball handle (with steering handle swivelled (front attachment) = Forward/Reverse ball handle) 9 Speed control lever 10 Differential lock lever 11 Differential lock pawl agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 5: Table Of Contents

    Steering Brake Clutch Version . 15 Mounting and Dismounting Implements ....48 Fig. J, Diesel Engine ..82 4. Commissioning and Operation Fig. K, Petrol Engine ..86 Commissioning the Machine . 49, 51 Starting the Petrol Engine .. 50 agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 6: Recommendations Lubricants

    Recommendations. Lubricants and Anti-Corrosive Agents: Use the specified lubricants for engine and gearbox (see “Specifications”). We recommend using bio-lubricat- Maintenance and Repair: The trained mechanics of your agria workshop carry out expert maintenance and repair. You should only carry out major main-..
  • Page 7: Designation Of Parts

    Designation of Parts: Diesel Engine / Differential Version Figure C Figure D <34018361 agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 8 7 Forward/Reverse ball handle (with steering handle swivelled (front attachment) = Gear-shift ball handle) 8 Gear-shift ball handle (with steering handle swivelled (front attachment) = Forward/Reverse ball handle) 9 Speed control lever 10 Differential lock lever 11 Differential lock pawl agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 9: Fuel

    -26°C app. -15°C app. -20°C app. - 9°C As a last resort, you can add up to 30% of regular petrol to avoid paraffine deposits. However, this has negative effects on consumption rate and performance. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 10 = yellow = red = brown Safety circuit Circuit, Petrol Engine Version Engine bl = blue Magnet ignition system br = brown Engine shut-off switch rt = red Switch in clutch lever Switch in safety circuit lever agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 11: Designation

    Designation of Parts: Petrol Engine / Steering Brake Clutch Version Figure E Figure F agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 12: Designation

    8 Gear-shift ball handle (with steering handle swivelled (front attachment) = Forward/Reverse ball handle) 9 Speed control lever 12 Steering brake clutch lever, left 13 Steering brake clutch lever, right 14 Central hand brake lever agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 13 Electrical Wiring: Diesel Engine Diesel Engine / Recoil Starter Version = yellow 1 Generator 12V 90W = red 2 Regulator = black 3 Socket = white gnws = green-white agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 14 5 Electric starter 12V gnws = green-white 6 Start switch 7 Battery charge control light, 12V 2W 8 Battery 12V 20Ah 9 Central connector for regulator 10 Work light terminal 12V 55W (snap-in receptacle diameter: 4 mm) agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 15: Designation

    Designation of Parts: Diesel Engine / Steering Brake Clutch Version Figure G Figure H <34018361 agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 16 8 Gear-shift ball handle (with steering handle swivelled (front attachment) = Forward/Reverse ball handle) 9 Speed control lever 12 Steering brake clutch lever, left 13 Steering brake clutch lever, right 14 Central hand brake lever agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 17: Safety Instructions

    Any unauthorized changes to the two-wheel tractor render manufacturer liability null and void. Careful with rotating tools – keep at a safe distance! agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 18 (jumper cable). Danger of explosion. tion, always watch out for further objects and remove them in time. For operation in enclosed areas, ensure that a safety distance is kept to enclosures to prevent damage to tools. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 19 Secure two-wheel tractor and implement against unauthorized use and rolling off when you leave the machine. If necessary, install transport or security devices and secure. If possible, always work diagonally to the slope. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 20 No additional passengers may be carried. When driving downhill, shift into lower gears in time. On slopes never de-clutch to change gears. Weights Fit weights properly and at specified points. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 21 Only use original agria spare parts. All other commercial spare parts must correspond to quality and technical require- Make sure fuel is of specified quality. Store fuel in approved cans only.
  • Page 22 Any repairs are to be carried out by trained mechanics only and with the appropriate tools. Persons having a pacemaker may not touch live parts of the ignition system when the engine is running. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 23 Do not touch moving machinery parts. Wait until they have come to a complete stop. With engine running, keep at a safe distance from tractor. Signs When working with the machine, wear individual protective ear plugs. Wear protective gloves. Wear solid shoes. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 24: Specifications

    3221 051 Pair of wheel weights . 52 kg 3490 611 21x11.00- 8 Terra Grip for the steering brake clutch version additional customised wheel bolts are For mounting drive-wheel and use refer required ... parts kit 760 33 to p41–44. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 25: Machine

    Steering handle: .height adjustable Generator ..alternating current side adjustable without tools, with petrol engine (accessory, swivels 180° item no. 3479 021) ..12V 90W for mounting front implements with diesel engine ..12V 90W agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 26: Track Widths

    Wheel combination and Track Widths Table 3400 Diff. (mm) 4.00-8 AS 460 360 260 570 470 370 550 450 350 660 560 460 670 570 470 780 680 580 730 630 530 840 740 640 16x6.50-8 AS 480 310 140 700 530 360 570 400 230 790 620 450 690 520 350 910 740 570 750 580 410 970 800 630 3 21x11.00-8 Terra..
  • Page 27: Track Widths

    Wheel combination and Track Widths Table 3400 KL 220A (mm) Gf +S +90 + B1 ' ' 4.00-8 AS 630 530 430 640 540 440 750 650 550 700 600 500 810 710 610 1070 430 1090 430 16x6.50-8 AS 760 590 420..
  • Page 28: Petrol Engine

    Operability on Slopes: (refer to fuel recommendations) Engine is suited for use on slopes Fuel tank capacity: .. approx. 8 l (with oil level at “max” = upper level mark) Continuous operation possible: up to 45° inclination (100%) agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 29: Diesel Engine

    (oil level at “max” = upper mark) Coarse-mesh strainer .in filler neck Continuous operation possible Fine-mesh strainer ... in fuel tank up to ..20° inclination (37 %) drain hole Fuel tank capacity: .approx. 5.5 l agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 30: Devices And Operating

    3. Devices and Operating Elements The two-wheel tractor 3400 is a basic motorised unit and is always used with an implement. Therefore it is most suitable for normal Engine: The four-stroke petrol engine runs on commercial petrol (refer to fuel recommendations p9).
  • Page 31 = idle to max. = full throttle. The lever also is for shutting the engine off. The engine speed control lever also serves to shut off the engine in an emergency. It then goes into STOP position. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 32: Safety Circuit

    Do not fasten safety circuit lever. D/6, D/5, The safety circuit lever also serves to shut off the engine in an emergency. Release the safety circuit lever for fast engine shut-off. The lever automatically goes to STOP position. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 33: Clutch

    “0”. Now, the engine stops driving the tool carrier. The pulled hand clutch lever can be locked with pawl (B/7). The safety hillholder is operated by further pulling the hand lever upwards. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 34: Gearbox

    For drives with mounted trailer, this screw can be set to position “4th gear unlocked”. Loosen hexagonal nut slightly, move screw to position “unlocked” and tighten nut. After driving, set screw back to position “locked”. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 35: Differential Gear

    Pull lever for differential lock slightly (B/10 or D/10). Unlock pawl (B/11 or D/11). Slowly release lever while pressing the throttle. Disengaging the Differential Lock: Pull lever for differential lock until pawl locks into place. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 36: Steering Brake Clutch

    Swivel the eccentric lever (F/14 or H/14) backwards and up beyond the dead centre. The eccentric lever automatically comes to a stop – both drive-wheels are blocked and clutch is disengaged. To release hand brake, swivel eccentric lever back to original position – brake is released. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 37: Pto

    PTO is at work. When mounting the hoeing attachment, the FR- lever must be set to idling position, too (Safety pin on gearbox protruding approx. 5 mm). safety pin agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 38: Steering Handle

    Push up swivel control lever (B/2; D/2; F/2; H/2) and swivel steering handle to the right or left into desired position. Push swivel control lever back down and swivel steering handle slightly to the left and right until it locks into place. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 39 On steering brake clutch machines, re-route the cables that operate the steering brake clutch to ensure the right steering brake lever acts on the right wheel, etc. – see following page. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 40 = two-wheel tractor operated as haulage machine or with rear-mounted attachments. = two-wheel tractor operated as tool carrier with front-mounted attachments. 1 Steering brake cable, top end 2 Cross-bar 3 Retarder 4 R-clip 5 Steering brake cable, bottom end agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 41: Drive-wheels

    2 operating hours with 100 Nm. Retighten bolts and nuts in each maintenance. Snow Chains When working with snow chains fitted on wheels, observe manufacturer’s instructions, make sure there is sufficient clearance between chains and machine parts. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 42 66cm outer width drive-wheels (with 5.00-10 agricultural tyres) for tillage work to give an outer width of 70cm. Item 5516 031 used to fit Terra Grip 5519 031 100 Nm drive wheels 21 x 11.00-8 TG. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 43 grease) after every 100 operating hours or after cleaning the machine with a pressure washer. Adjustment The differential hubs are factory-set to differential effect, mounting of rigid position see fig. Figure labels: Differential position; Rigid position. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 44 B (double end stud). Fit ball spring rings between drive wheel and flange. Ensure the strake wheel webs face the machine in travel direction (see fig.). Attach the tension spring (9) to secure the tommy screw. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 45: Front And Wheel Weights

    (A/16 or C/16) which is positioned at the front under the engine protection base. For parking the tractor, push the leg down and forward. For parking, push it back agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 46: Engine Cover

    Replace the fuse if it is defective. To do this, remove the panel (23) and open the protective bracket (J/25). Inside this bracket you will find a spare fuse. Ensure to provide another spare fuse in time. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 47: Electric Starter Version

    - Service engine is running, the generator does not charge the battery correctly: - Service Warning: Do not set ignition start switch to “0” while the engine is running. This can damage the charging regulator. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 48: Mounting And Dismounting Implements

    Are flanges flat fitted? Tighten cap nuts evenly. For PTO driven implement, press PTO link (6) onto shift lever (4) until it locks into place. Insert circlip (8) and secure. For dismounting, proceed in reverse order. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 49: Commissioning And Operation

    Check transmission oil level Note: For reasons of transport, the engine is not filled completely with engine oil! Before you operate the engine the first time, fill in engine oil agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 50: Starting The Petrol Engine

    After the start, carefully let rope glide back. Do not let snap. Once the engine has started, let it warm up for some time. Slowly push choke back into operating position, if necessary. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 51 Check transmission oil level Note: For reasons of transport, the engine is not filled completely with engine oil! Before you operate the engine the first time, fill in engine oil agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 52: Starting The Diesel Engine

    After the start, carefully let rope glide back. Do not let snap. Decompression automatically goes back into former position. Slowly set speed control lever to centre position (half throttle) and let engine warm up for some time. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 53 If the engine does not start and re-start is necessary, turn key back to position “0” to repeat start (re-start lock). Slowly move speed control lever to centre position (half throttle) and let engine warm up for some time. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 54: Shutting Off The Petrol Engine

    This ensures carburetor to be empty and no resin residue to deposit. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 55: Shutting Off The Diesel Engine

    Electric-starter version: turn key back to position “0” – battery charge indicator goes out. Close the fuel tap (J/3). Secure two-wheel tractor against unauthorized use Electric starter version: – remove ignition key. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 56: Operation

    Pull hand clutch lever and hold. Move F/R drive to position reverse. Slowly release hand clutch lever while pressing the throttle. Proceed vice versa for direction change from reverse to forward. Never leave two-wheel tractor unattended with the engine running. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 57: Working On Slopes

    Steering brake clutch version: Engage central brake. Move clutch lever and safety circuit lever to start position. Petrol engine version: Move engine stop-switch (B/3, F/3) to operating position (“I”). Re-start engine. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 58: Driving With Mounted Trailer

    Besides, the operator is required to carry a type approval both for the two-wheel tractor and the trailer attached. Anti-winding kit: agria No. 719 65 If cleaning becomes neces-..
  • Page 59 (A/7; C/7; E/7; G/7). Connect cable and connector (2) to socket (A/18; C/18; E/18; G/18) of two-wheel tractor. Operating brake = Insert linch pin (7) Park brake = Remove linch pin (7) agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 60 4. When driving in curves, as well as when going uphill or downhill, adjust the speed accordingly. 5. Only brake using the trailer brake. when travelling in curves). Only keep differential lock engaged as long as it is necessary. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 61 Constant attention needs to be paid to the ground conditions. Where possible clear objects out of the way beforehand or drive slowly ations (Disengage the clutch and brake using the trailer. If necessary turn the engine off). agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 62: Maintenance

    Clean oil filler plug, drain plug and surrounding parts. Change the oil and dispose of properly. Check sealing washer for good condition and exchange, if necessary! - For engine oil quality refer to “Specifications” agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 63: Air Filter

    Reinstall the filter element and the foamed preliminary filter. Reposition the filter cap and fasten the wing nut. Replace the filter element after 5 cleaning actions or approx. every 200 operating hours. Replace immediately damaged filter elements. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 64: Spark Plug

    100 h remove soot from spark plug electrodes with a steel brush, check spark plug gap and set to 0.6…0.7 mm. Exchange spark plugs after approx. 200 hours of operation. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 65 Close the fuel tap. Remove the fuel strainer and remove the impurities, replace if damaged. Rinse the strainer container in fuel. Then screw it back on correctly, to avoid fuel leakage. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 66 Any changes to the position of the spring cause warranty and type approval to become void. Keep governor spring, speed control lever and linkages free from dirt and plant trash at all times. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 67: Diesel Engine

    Fill fresh engine oil into the oil filling opening. Check sealing washer for good condition and exchange, if necessary! Refer to Specifications for oil quantity and quality. Use a funnel or a similar device to fill the oil reservoir. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 68: Air Filter

    Re-insert the filter element and attach the foamed pre-filter. Reposition air filter cap and fasten with wing nut. Replace paper filter element after every 400 operating hours or at least once a year. Replace immediately damaged filter elements. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 69 Fill diesel fuel into fuel tank. Crank engine several times with recoil starter or electric starter and start engine. Let engine run for approx. 1 minute. Fuel Hoses Exchange after every 2 years; exchange leaking fuel hoses immediately. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 70: Diesel Engine

    After every 400 operating hours, clean and check injection jet. - Service Idling Speed Always ensure that idling engine speed is adjusted correctly. At low speeds, the engine is supposed to run smoothly, with speed control lever at stop in neutral. - Service agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 71: Machine

    100 Nm and the nuts (E/23; G/23) on the wheel hubs to 160 Nm. Check tyre air pressure regularly. For smooth driving, make sure that there is the same pressure in front and rear tyres respectively. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 72 If circuit breakers are too strong, the electric system will be destroyed - danger of fire! necessary, correct engine speed cable or STOP-Bowden cable on Bowden cable set screws. - Service agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 73: Adjustments On Levers

    Then fix adjustment screw with a lock nut (2). Free play of clutch and differential lock: A = 5–6 mm For adjusting the steering brake clutch levers refer to “Petrol Engine Version”. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 74 Loosen and unscrew the hex head nut (1) on 3 mm both sides. Dismount the angles (2) with discs and brake housing. Replace the brake linings (4 + 5). Mount the park brake in the opposite order. Adjust. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 75: General Maintenance

    Apply grease generously to leave a grease ring around bearings to prevent water, plant sap, and dirt from penetrating. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 76: Storage

    Petrol Engine – Drain fuel completely or fill fuel tank and add fuel stabilizer (agria No. 799 09). - Observe enclosed instructions. Let engine run for approx. 1 minute. (pawl locked in place). Otherwise clutch problems may result due to
  • Page 77: Troubleshooting

    6. Troubleshooting Observe safety instructions! Have all serious malfunctions on the machine or engine repaired by your agria workshop. They have the proper tools. Improper repairs can only add to the damage. Problem Possible cause Possible solution Page Petrol engine:..
  • Page 78 - Wrong injection pressure: Re-adjust injection pressure. Engine stalls in idle - Air filter clogged: Clean air-filter frequently. Engine does not stop when set to “STOP” - Improper adjustment of engine-off-cable: Re-adjust engine-off-cable. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 79: Troubleshooting

    Clutch slips - Clutch lever misadjusted: Adjust clutch free play. - Worn out clutch: Exchange clutch disc. Excessive vibration - Loosened attachment bolts: Tighten attachment bolts. = For this purpose contact your agria workshop. agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 80: Varnishes, Wear Parts

    009 16 O-ring 16x22x1.5, oil drain plug, Yanmar engine 768 99 Fuse 15A (30x6.5mm) 009 16 O-ring 16x22x1.5, oil dip-stick and oil drain plug, gearbox Lists of Spare Parts 997 012 Base machine 3400 997 083 Implements for 3400 997 077 Robin Engines 997 147 Yanmar Engines 997 062 Cutter Bar agria-Two-Wheel Tractor 3400;..
  • Page 81 17 Engine type plate; engine I.D. 18 Ball-head, engine cover 21 Hex head bolt (E-Start Version) 22 Serrated washer (E-Start Version) 23 Panel (E-Start Version) 24 Distancer (E-Start Version) 25 Fuse holder (E-Start Version) 26 Fuse 15 amps (E-Start Version) agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 82: Figs. G + H, Diesel Engine / Steering Brake Clutch Version . 15 Fig. J, Diesel Engine

    Designation of Parts Diesel Engine Figure J Engine L100 agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 83: Lubrication Chart

    (25 h) 50 h = yearly and after each cleaning with a high-pressure cleaner Diesel Engine (50 h) 200 h 25 h (50 h) 200 h (400 h) = yearly and after each cleaning with a high-pressure cleaner agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 84: Inspection And Maintenance Chart

    Replace fuel filter Clean carburetor and adjust Clean cylinder head Clean injection jet and check Adjust valve lash 66, 70 Lubricate steering handle/trailer hitch Lubricate all gliding parts Replace fuel hoses 65, 69 agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 85: Figs. A + B, Petrol Engine

    B = After each cleaning K = Checks and maintenance to be executed by operator W = Maintenance to be executed by professional workshop F = Maintenance should be carried out by your agria workshop * = after 2 years agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 86: Figs. E + F, Petrol Engine

    Designation of Parts Petrol Engine Figure K Engine EH 34 D agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 87: Conformity Declaration

    Conformity Declaration agria-Two-Wheel Tractor 3400; 3400KL..
  • Page 88 GmbH Bittelbronner Straße 42 D-74219 Möckmühl Tel. +49/ (0)6298 /39-0 Fax +49/ (0)6298/39-111 e-mail: info@agria.de Internet: www.agria.de Your local agria specialist dealer:..

Release Notes for Cisco Identity Services Engine, Release 2.1

Revised: May 3, 2019

Contents

These release notes describe the features, limitations and restrictions (caveats), and related information for Cisco Identity Services Engine (ISE), Release 2.1. These release notes supplement the Cisco ISE documentation that is included with the product hardware and software release, and cover the following topics:

  • Introduction
  • New Features in Cisco ISE, Release 2.1
  • Context Visibility
  • System Requirements
  • Installing Cisco ISE Software
  • Upgrading to Release 2.1
  • Cisco Secure ACS to Cisco ISE Migration
  • Known Limitations in Cisco ISE, Release 2.1
  • Features Not Supported in Cisco ISE, Release 2.1
  • Cisco ISE License Information
  • Deployment Terminology, Node Types, and Personas
  • Requirements for CA to Interoperate with Cisco ISE
  • Cisco ISE Installation Files, Updates, and Client Resources
  • Using the Bug Search Tool
  • Cisco ISE, Release 2.1.0.474 Patch Updates
  • Cisco ISE, Release 2.1 Open Caveats
  • Resolved Caveats
  • Documentation Updates
  • Related Documentation

Introduction

The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution. It offers authenticated network access, profiling, posture, BYOD device onboarding (native supplicant and certificate provisioning), guest management, device administration (TACACS+), and security group access services along with monitoring, reporting, and troubleshooting capabilities on a single physical or virtual appliance. Cisco ISE is available on two physical appliances with different performance characterization, and also as software that can be run on a VMware server. You can add more appliances to a deployment for performance, scale, and resiliency.

Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also allows for configuration and management of distinct personas and services. This feature gives you the ability to create and apply services where they are needed in the network, but still operate the Cisco ISE deployment as a complete and coordinated system.

For more information about the features that are supported in Cisco ISE 2.1, see Cisco Identity Services Engine Admin Guide, Release 2.1.

New Features in Cisco ISE, Release 2.1

  • Ability to Download Core Files and Heap Dumps for Troubleshooting
  • Certificate Page Navigation Changes/Enhancements
  • Customizable Alarms
  • Customizable Dashboard
  • Context Visibility
  • Easy Connect
  • Enable or Disable IPv6 on Each Interface
  • Feed Service Enhancements
  • Google Chromebook Onboarding Support
  • Guest Enhancements
  • IP SGT Mapping and Mapping Groups
  • Livelog Page Enhancements
  • Persistent Machine Access Restriction (MAR) Cache
  • MDM Enhancements
  • Time Interval For Compliance Device ReAuth Query
  • NIC Bonding for High Availability
  • ODBC Identity Source
  • Option to View the Process and Thread Utilization in Cisco ISE
  • Posture Enhancements
  • Profiler Enhancements
  • pxGrid Certificate Template for the Internal Cisco ISE CA
  • pxGrid Client Authentication Settings
  • Report List for Work Centers
  • SAML Identity Source Enhancements
  • SAML Signing Certificate
  • SAML SSO Support for Certificate Provisioning Portal
  • Smart Licensing
  • Support for Elliptical Curve Cryptography (ECC) Certificates
  • Support for SNMP Traps
  • TACACS+ Device Administration Enhancements
  • Third-Party Device Support Enhancements
  • TrustSec ACI Integration
  • TrustSec Matrix Workflow Process
  • TrustSec Matrix Enhancements

Ability to Download Core Files and Heap Dumps for Troubleshooting

The show logging CLI command lists the system and application log files. The core files and heap dumps can be listed by using this command. You can now use the copy command to move these files to a repository.

Certificate Page Navigation Changes/Enhancements

The Certificate Authority (CA) Certificates page lists all the certificates related to the internal Cisco ISE CA. In previous releases, these CA certificates were present in the Trusted Certificates store; they have now been moved to the CA Certificates page. The certificates are listed per node on this page. You can expand a node to view all the ISE CA certificates of that particular node. The Administration node has the root CA, node CA, subordinate CA, and OCSP responder certificates. The other nodes in the deployment have the node CA, subordinate CA, and OCSP certificates.

Customizable Alarms

You can customize alarms and configure email notifications to be sent to different recipients for each alarm. You can also globally define email recipients who will receive notifications for all alarms configured in the system.

Customizable Dashboard

You can create a new dashboard and add any of the dashlets that you need to the dashboard.

You can customize the tabs, dashlets, and layout. You can drag and drop dashlets, export data from a dashboard as an Excel or PDF file, and provide role-based access control for the dashlets.

Context Visibility

The Context menus display graphical information about endpoints based on a variety of configurable attributes. Endpoint data can be segmented by features, applications, BYOD, and other categories, depending on your license. The Context menus use a central database and gather information from database tables, caches, and buffers, which makes updates to context dashlets and list content very fast. You can use controls on context visibility pages to filter the data that is displayed, and by applying multiple filters, progressively narrow the displayed data for particular endpoints.

Easy Connect

Easy Connect enables you to connect users from a Windows-based endpoint to a network in a secured manner and to monitor those users by authenticating them through an Active Directory (AD) Domain Controller (DC) rather than through Cisco ISE. With Easy Connect, Cisco ISE collects user authentication information from the AD Domain Controller and issues a CoA (change of authorization) to the network access device (NAD) after the user is authenticated by Active Directory. Authenticated users are then shown in the Cisco ISE live sessions view, and can be queried from the session directory.

Enable or Disable IPv6 on Each Interface

This release of Cisco ISE provides an option from the CLI to enable or disable IPv6 at the interface level.

Feed Service Enhancements

If you are unable to connect the Cisco ISE deployment to the Cisco feed service, you can download the profiler policies and OUI updates offline and import them to the Cisco ISE Primary Administration Node using an offline feed update.

Google Chromebook Onboarding Support

Support for onboarding of managed Chromebook devices on a corporate network. Chromebook devices must download the Cisco Network Setup Assistant extension from the Chrome Web Store to start the onboarding process.

Note Cisco ISE supports onboarding of Chromebook devices that are managed by Google console. Unmanaged Chromebook devices are not supported.

Guest Enhancements

Support for SMS Proxy: Guest now supports SMS text through a proxy. The SMS gateway provides HTTP API access to SMS providers, and uses a proxy if a proxy server is defined in Administration > System > Proxy.

From First Logon: A Guest Type can be configured to start a user’s account duration when that user logs on. This allows a sponsor to create and distribute logon credentials ahead of time, instead of as people arrive for a meeting.

New SAML Server support: Cisco ISE end-user web portals now support PingIdentity (Cloud), PingFederate (CPE), Azure Active Directory, SecureAuth, and servers running generic SAML 2.0.

Single portal for credentialed and SAML SSO login: The login portal can be configured to provide the option to log in with credentials, or to click a link that redirects the user to an SSO portal page. The link that the user clicks to redirect to an SSO provider can be customized.

Sponsor Approval Filtering: A sponsor can be limited to approving accounts based on the sponsor’s email address, or all pending accounts. Currently this feature is supported only for internal sponsors and SAML SSO sponsors.

Workcenter menu: The Guest menu has been removed, and all the options related to Guest portal are listed under the Guest heading under Work Centers.

Shorter default username and password: The guest default username is four alphabetic characters and the default password is four numeric characters. Short, easy to remember usernames and passwords are adequate for short-term guests. You can change the username and password length in ISE, if you desire.

IP SGT Mapping and Mapping Groups

While adding an IP SGT static mapping, you can use an existing mapping group or map the IP address/hostname to a SGT individually and specify the SXP VPN groups and target devices.

You can import or export the IP SGT static mappings.

While adding a mapping group, you can select the SGT and specify the SXP VPN groups and the devices on which the mappings must be deployed.

Livelog Page Enhancements

You can do the following in the RADIUS, TACACS, and RADIUS Sessions Live Logs page:

  • Hide all or some columns
  • Change column width
  • Change the order of columns
  • Filter the data by time range, number of records, refresh interval and also set quick and advanced filters

Persistent Machine Access Restriction (MAR) Cache

Cisco ISE stores the MAR cache content, calling-station-ID list, and the corresponding time stamps to a file on its local disk when you manually stop the Cisco ISE application services. Cisco ISE does not store the MAR cache entries of an instance when there is an accidental restart of its application services.

Cisco ISE reads the MAR cache entries from the file on its local disk based on the cache entry time to live when the Cisco ISE application services get restarted. When the run-time services of a Cisco ISE instance come up after a restart, Cisco ISE compares the current time of that instance with the MAR cache entry time. If the difference between the current time and the MAR entry time is greater than the MAR cache entry time to live, then Cisco ISE does not retrieve that entry from disk. Otherwise, Cisco ISE retrieves that MAR cache entry and updates its MAR cache entry time to live.
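The persist and reload rules described above, modelled as an added example (this is not Cisco ISE code). The JSON record layout, the function names, the reading of "updates its time to live" as the remaining lifetime, and the handling of future-dated entries are assumptions of this example.

```python
"""Model of the persistent MAR cache rules (added example, not Cisco ISE code)."""
import json
from dataclasses import dataclass


@dataclass
class MarEntry:
    calling_station_id: str  # endpoint identifier from the calling-station-ID list
    entry_time: float        # epoch seconds when the entry was created
    remaining_ttl: float     # seconds the entry may still be honoured


def persist_on_stop(cache, manual_stop):
    """Serialize the cache only when services are stopped manually.

    An accidental restart persists nothing, so the cache starts empty.
    The record layout is an assumption made for this example.
    """
    if not manual_stop:
        return None
    return json.dumps(
        [{"calling_station_id": e.calling_station_id, "entry_time": e.entry_time}
         for e in cache]
    )


def reload_on_start(persisted, now, ttl_seconds):
    """Apply the time-to-live rule to persisted entries.

    Returns (restored_entries, dropped_calling_station_ids).
    """
    restored, dropped = [], []
    if persisted is None:
        return restored, dropped
    for record in json.loads(persisted):
        age = now - record["entry_time"]
        # age > TTL: the entry expired while services were down, so it is
        # not retrieved. age < 0: the timestamp lies in the future (clock
        # change); dropping it is this example's choice, not documented
        # Cisco ISE behaviour.
        if age > ttl_seconds or age < 0:
            dropped.append(record["calling_station_id"])
            continue
        restored.append(
            MarEntry(record["calling_station_id"], record["entry_time"],
                     ttl_seconds - age)
        )
    return restored, dropped


# Constructed sample data: four endpoints and a hypothetical 5-hour TTL.
NOW = 1_700_000_000.0
TTL = 5 * 3600
SAMPLE_CACHE = [
    MarEntry("00-11-22-33-44-55", NOW - 3600, TTL - 3600),  # 1 hour old
    MarEntry("00-11-22-33-44-66", NOW - TTL - 1, 0),        # 1 second past TTL
    MarEntry("00-11-22-33-44-77", NOW - TTL, 0),            # exactly at TTL
    MarEntry("00-11-22-33-44-88", NOW + 600, TTL),          # future timestamp
]

if __name__ == "__main__":
    blob = persist_on_stop(SAMPLE_CACHE, manual_stop=True)
    kept, lost = reload_on_start(blob, NOW, TTL)
    for entry in kept:
        print("restored", entry.calling_station_id, entry.remaining_ttl)
    print("dropped", lost)
```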

MDM Enhancements

  • Cisco ISE now supports Microsoft Intune and Microsoft SCCM as external MDM servers. The following versions of SCCM are supported with this release:

– Windows 2008 R2 and SCCM 2008 R2

– Windows 2012 R2 and SCCM 2012 R2

  • Attributes from MDM servers can now be published to pxGrid.

Time Interval For Compliance Device ReAuth Query

When the endpoint is authenticated or re-authenticated, ISE uses a cache to get the MDM variables for that endpoint. If the cached value is older than the value of Time Interval For Compliance Device ReAuth Query, then ISE makes a device query to the MDM server to get new values. If the compliance status has changed, then ISE triggers a CoA. The valid range is from 1 to 1440 minutes. The default value is 1 minute.

Note This feature is introduced as a part of Release 2.1 Patch 4.

NIC Bonding for High Availability

Cisco ISE supports bonding of two Ethernet interfaces into a single virtual interface to provide high availability for the physical interfaces. The NIC bonding feature in Cisco ISE does not support load balancing or link aggregation features. The bonding of interfaces ensures that Cisco ISE services are not affected when there is:

  • Physical interface failure
  • Loss of switch port connectivity (shut or failure)
  • Switch line card failure

ODBC Identity Source

Cisco ISE supports Open Database Connectivity (ODBC)-compliant relational databases. The following database engines are supported:

  • Microsoft SQL Server
  • Oracle
  • PostgreSQL
  • Sybase

ODBC identity source can be used in an identity store sequence and for Guest and Sponsor authentications. It can also be used for BYOD flow.

You must configure the required stored procedures to authenticate users against an ODBC identity source. The values that are returned and the tasks that are required of the stored procedure vary based on the authentication protocol used.

While adding an ODBC identity source, you can also add the required attributes and user groups. Cisco ISE allows you to fetch the attributes and user groups from ODBC database. You can use these attributes and user groups in the authorization policies.

Option to View the Process and Thread Utilization in Cisco ISE

A new CLI command, show cpu usage, is introduced in this release. This command lists the CPU usage for each component such as policy services, PSC, profiler, TACACS+, and so on.

Posture Enhancements

  • Anti-malware condition to check the installation of an anti-malware program on the client and to check if the latest anti-malware definition file of the selected vendor is updated on the client. It supports both MAC and Windows OS.
  • USB mass storage Cisco predefined condition to check if a USB mass storage device is connected to an endpoint.
  • OESIS version 4 to check and remediate endpoint compliance.

Profiler Enhancements

  • Profiler related options are grouped under the Profiler Work Center menu (Work Centers > Profiler), so that the administrator can easily access all the options related to Profiling service at one location.
  • Supports the NMAP scan action to run the SMB discovery script that is provided by NMAP.
  • Identifies the services running on an endpoint using the service version information probe.
  • Allows the use of custom ports for automatic and manual NMAP scan actions.
  • Skips the NMAP host discovery of known endpoints.
  • Profiles endpoints that are running McAfee agents as corporate devices, by using the McAfee ePolicy Orchestrator (McAfee ePO) security management software. Cisco ISE provides an in-built NMAP scan action (MCAFeeEPOOrchestratorClientscan) to check if the McAfee agent is running on an endpoint using NMAP McAfee script on the configured port.
  • Provides the Active Directory probe to improve the fidelity of OS information for Windows endpoints.
  • Allows the export of probe data from the GUI.
  • Facilitates the offline update of feed services when Cisco ISE is not directly connected to the Cisco feed server.

pxGrid Certificate Template for the Internal Cisco ISE CA

To deploy pxGrid service easily, Cisco ISE provides a certificate template that signs an end entity's CSR and has the client and server EKUs on the certificate. From the Certificate Provisioning Portal, you can paste the CSR text from the pxGrid client and sign the keys using the pxGrid template. Cisco ISE nodes can also use this function for pxGrid certificates. As a Cisco ISE administrator, you can revoke the pxGrid certificates.

pxGrid Client Authentication Settings

You can enable username/password based authentication for pxGrid clients. A pxGrid client can register itself with the pxGrid controller by sending the username via REST API. The pxGrid controller generates a password for the pxGrid client during client registration. The administrator can approve or deny the connection request.

Report List for Work Centers

Reports that are tagged for different work centers appear in the Reports menu under each Work Center.

SAML Identity Source Enhancements

Cisco ISE is SAMLv2 compliant and supports all SAMLv2 compliant IdPs that use Base64-encoded certificates. The IdPs listed below have been tested with Cisco ISE:

  • Oracle Access Manager (OAM)
  • Oracle Identity Federation (OIF)
  • SecureAuth
  • PingOne
  • PingFederate
  • Azure Active Directory

SAML SSO is supported for Guest, Sponsor, My devices, and Certificate Provisioning portal.

You can add a load balancer in front of Cisco ISE nodes to simplify the configuration on the Identity Provider side and optimize the load on ISE nodes.

While adding an IdP, you can add the attributes and user groups. These attributes and user groups can be used in the authorization policies. You can configure the Identity attribute and logout settings in the Advanced Settings tab.

SAML Signing Certificate

From the System Certificates page of the Admin Portal, you can set up a certificate for SAML signing use. SAML certificate can be a wildcard or non-wildcard certificate. SAML certificate is replicated to all the nodes in the deployment.

SAML SSO Support for Certificate Provisioning Portal

While configuring the Certificate Provisioning Portal settings in the Admin portal, you can now select an identity provider such as Oracle Access Manager as an external identity store to allow for single sign on across all Cisco ISE end user portals. When an IdP user launches the Certificate Provisioning Portal, the user is redirected to the IdP login page for authentication. If authentication is successful, the user is redirected back to the Certificate Provisioning Portal.

Reports and audit logs include information about users logging in via the SAML SSO as well as other identity sources.

Smart Licensing

Cisco offers Smart Licensing, which enables you to monitor ISE software licenses and endpoint license consumption easily and efficiently. When Smart Licensing is activated from Cisco ISE, it monitors the consumption of licenses and notifies the administrator about the license usage. When licenses are available and not consumed, the administrator is notified of available licenses. When consumption exceeds the number of licenses available, an alarm is activated and the administrator is notified through alarms and notifications.

When Smart Licensing is activated, the Smart Call Home (SCH) feature is enabled by default. This feature monitors Cisco ISE devices in your network and notifies you via e-mail about critical events. It also provides real-time alerts with remediation advice for issues that are detected. SCH monitors and sends event notifications for configuration, inventory, Telemetry, crash, hardware, and environment issues.

The Anonymous Reporting feature of SCH provides minimal health information about the Cisco ISE devices in your network.

You can choose to enable only Anonymous Reporting or enable the full set of features offered by SCH.


Support for Elliptical Curve Cryptography (ECC) Certificates

Cisco ISE CA service now supports client side certificates based on Elliptical Curve Cryptography (ECC) algorithms. ECC offers increased security and better performance than other cryptographic algorithms while providing the same level of security as other systems with a much smaller key size.

Cisco ISE CA service supports ECC certificates for devices connecting through the BYOD flow. You can also generate ECC certificates from the Certificate Provisioning Portal.

If the BYOD flow with Enrollment over Secure Transport (EST) protocol is not working properly, check the following:

  • Certificate Services Endpoint Sub CA certificate chain is complete. To check whether the certificate chain is complete:

1. Choose Administration > System > Certificates > Certificate Authority > Certificate Authority Certificates.

2. Check the check box next to the certificate that you want to check, and then click View.

  • Ensure that the CA and EST services are up and running. If the services are not enabled, go to Administration > System > Certificates > Certificate Authority > Internal CA Settings to enable the CA service.

Note This release of Cisco ISE does not support EST clients to authenticate directly against the EST server that resides in Cisco ISE.
When an Android or Windows endpoint onboards and the request is for an ECC-based certificate, an EST flow is triggered internally within Cisco ISE.

  • If you have upgraded to Cisco ISE 2.1 from an ISE version prior to 2.0, replace the ISE Root CA certificate chain after the upgrade. To do this:

1. Choose Administration > System > Certificates > Certificate Management > Certificate Signing Requests.

2. Click Generate Certificate Signing Requests (CSR).

3. Choose ISE Root CA from the Certificate(s) will be used for drop-down list.

4. Click Replace ISE Root CA Certificate Chain.

The following table lists the operating systems and versions that support ECC along with the curve types that are supported. If your devices are not running a supported operating system or on a supported version, you can use RSA-based certificates instead.

| Operating System | Supported Versions | Supported Curve Types |
|---|---|---|
| Windows | 8 and later | P-256, P-384, and P-512 |
| Android | 4.4 and later. Note: Android 6.0 requires May 2016 patch to support ECC certificates. | All curve types (except Android 6.0, which does not support the P-192 curve type). |

Note Windows 7 and Apple iOS do not natively support ECC for EAP-TLS authentication. This release of Cisco ISE does not support the use of ECC certificates on MAC OS X devices.

Support for SNMP Traps

SNMP traps help you to monitor the status of Cisco ISE processes. To monitor the Cisco ISE processes without accessing the Cisco ISE server, you can configure a MIB browser as an SNMP host in Cisco ISE. You can then monitor the status of Cisco ISE processes from the MIB browser.

TACACS+ Device Administration Enhancements

  • The Device Administration Deployment page lists the PSNs in your deployment and allows you to centrally view the device administration system without referring to each node in the deployment section. You can collectively enable the device admin service for multiple PSNs.
  • New fields such as Shared Secret and Retire Shared Secret have been included in the TACACS authentication settings to authenticate users.
  • Support for authentication protocol services, such as PAP/ASCII, CHAP, and MS-CHAPv1, in FIPS and non-FIPS modes.
  • Support for new common task types such as Shell, WLC, Nexus, and Generic.
  • The TACACS Ports field allows you to configure a maximum of four TCP ports on which Cisco ISE nodes and their interfaces listen for TACACS+ requests.

Third-Party Device Support Enhancements

If a device supports neither dynamic nor static URL redirect, Cisco ISE provides an Auth VLAN by which it simulates URL redirect. Auth VLAN is based on unique DHCP/DNS server attributes you define in ISE.

Additionally, SNMP-based Change of Authorization (CoA) support has been added to support network access devices that lack support for RADIUS CoA.

If you enable the ACL (Filter-ID) option while creating an authorization profile, Cisco ISE does not append '.in' to the ACL for non-Cisco devices. By default, '.in' is appended to the ACL for Cisco devices. When you upgrade to Cisco ISE 2.1 from an earlier release, '.in' is not appended to the ACL for non-Cisco devices.

Cisco ISE 2.1 has been tested with the vendor devices listed in the following table:

Table 1 Vendor Devices Tested With Cisco ISE 2.1

Vendor
URL Redirect Type
802.1X / MAB
Profiler with CoA
Guest/ BYOD

Wireless

Aruba 7000, InstantAP

RADIUS

Static URL

Motorola RFS 4000

RADIUS

Dynamic URL

HP 830

RADIUS

Static URL

Ruckus ZD 1200

RADIUS

Wired

HP A5500

RADIUS

Auth VLAN provided by ISE

HP 3800 and 2920 (ProCurve)

RADIUS

Auth VLAN provided by ISE

Alcatel 6850

SNMP

Dynamic URL

Brocade ICX 6610 (see footnote 1)

RADIUS

Auth VLAN provided by ISE

Juniper EX3300-24p

RADIUS

Auth VLAN provided by ISE

For additional third-party NADs, you must identify the device properties and capabilities and create custom NAD profiles in Cisco ISE.

Requires CoA support

Requires CoA support. For URL redirect, if the wired device has no URL redirect, utilizes Cisco ISE Auth VLAN. Wireless devices have not been tested with Auth VLAN.

1. Brocade switch (ICX6610-24 SW: Version 08.0.20aT7f3) requires a session ID to send a Change of Authorization (CoA) request. Advanced flows such as BYOD, Guest, and Posture using MAB authentication do not work properly because accounting information and session ID are not collected and hence Change of Authorization (CoA) cannot be issued.

Note In Cisco ISE, a session cannot be created in the session cache when the network access device does not send the calling station ID in the Access-Request. As a result, scenarios that rely on the session attribute lookup, such as guest, posture, and BYOD, are currently not supported with such network access devices.

Threat-Centric NAC

Threat Centric Network Access Control (TC-NAC) feature enables you to create authorization policies based on the threat and vulnerability attributes received from the threat and vulnerability adapters. Threat severity levels and vulnerability assessment results can be used to dynamically control the access level of an endpoint or a user.

You can configure the vulnerability and threat adapters to send high fidelity Indications of Compromise (IoC), Threat Detected events, and CVSS scores to Cisco ISE, so that threat-centric access policies can be created to change the privilege and context of an endpoint accordingly.

Cisco ISE supports the following adapters:

  • SourceFire FireAMP
  • Qualys

Note Only the Qualys Enterprise Edition is currently supported for TC-NAC flows.

TrustSec ACI Integration

Cisco ISE allows you to synchronize SGTs and SXP mappings with the Internal Endpoint Groups (IEPGs), External Endpoint Groups (EEPGs), and endpoint (EP) configuration of Cisco Application Centric Infrastructure (ACI).

Cisco ISE supports packets coming from the ACI domain to the TrustSec domain by synchronizing the IEPGs and creating correlating read-only SGTs in ISE. These SGTs are used to map the endpoints configured in ACI and create correlating SXP mappings in ISE. These SGTs are displayed on the Security Groups page (with the value 'ACI' in the Learned From field). You can view the SXP mappings on the All SXP Mappings page.

ACI supports the packets coming from the TrustSec domain to the ACI domain by synchronizing the SGTs and creating correlating EEPGs.

TrustSec Matrix Workflow Process

The Matrix Workflow feature provides the ability to roll out new policy in a phased manner. A new policy is created as the staging matrix. This feature includes an approval workflow, where the staging policy cannot be deployed until it is approved. After approval, the staging matrix can be deployed on a limited set of devices. This is useful for evaluating the policy before full deployment. The staging matrix can be edited, if required. The deployment can continue on to the next set of devices or to all devices. Once the staging matrix is fully deployed, the staging matrix can be set as the new production matrix.

TrustSec Matrix Enhancements

Cisco ISE allows you to import and export the egress policy in CSV format. You can export the file to a local drive or a remote repository. The exported file can be encrypted by using an encryption key.

You can include the empty cells (which do not have any SGACL configured) in the exported file. When this option is enabled, the whole matrix is exported and the empty cells are marked with the “Empty” keyword in the SGACL column.

While importing the egress policy, you can overwrite the existing policy with the one that you are importing. If empty cells are included in the imported file, the existing policy in the corresponding matrix cells will be deleted.

System Requirements

  • Supported Hardware
  • FIPS Mode Support
  • Supported Virtual Environments
  • Supported Browsers
  • Supported Cipher Suites
  • Supported Devices and Agents
  • Support for Microsoft Active Directory
  • Supported Anti-Virus and Anti-Malware Products

Note For more details on Cisco ISE hardware platforms and installation, see the Cisco Identity Services Engine Hardware Installation Guide, Release 2.1.

Supported Hardware

Cisco ISE software is packaged with your appliance or image for installation. Cisco ISE, Release 2.1 is shipped on the following platforms. After installation, you can configure Cisco ISE with specified component personas (Administration, Policy Service, Monitoring, and pxGrid) on the platforms that are listed in Table 2.

Table 2 Supported Hardware and Personas

Persona

Cisco SNS-3415-K9 (small)

Any

See the Cisco Identity Services Engine Hardware Installation Guide for the appliance hardware specifications.

Cisco SNS-3495-K9 (large)

Cisco SNS-3515-K9 (small)

Any

See the Cisco Identity Services Engine Hardware Installation Guide for the appliance hardware specifications.

Cisco SNS-3595-K9 (large)

Cisco ISE-VM-K9 (VMware, Linux KVM)

  • For CPU and memory recommendations, refer to the “VMware Appliance Sizing Recommendations” section in the Cisco Identity Services Engine Hardware Installation Guide, Release 2.1 (see footnote 2).
  • For hard disk size recommendations, refer to the “Disk Space Requirements” section in the Cisco Identity Services Engine Hardware Installation Guide, Release 2.1.
  • NIC—1 GB NIC interface required. You can install up to 6 NICs.
  • Supported virtual machine versions include:

– ESXi 5.x, 6.x

– KVM on RHEL 7.0

2. Memory allocation of less than 8 GB is not supported for any VM appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 8 GB prior to opening a case with the Cisco Technical Assistance Center.

Note Legacy ACS and NAC appliances (including the Cisco ISE 3300 series) are not supported with Cisco ISE, Release 2.0 and later releases.

FIPS Mode Support

Cisco Identity Services Engine uses the embedded FIPS 140-2 validated cryptographic module Cisco FIPS Object Module Version 4.1 (Certificate #2100). For details of the FIPS compliance claims, see the FIPS Compliance Letter.

Supported Virtual Environments

Cisco ISE supports the following virtual environment platforms:

  • VMware ESXi 5.x, 6.x
  • KVM on RHEL 7.0

Supported Browsers

Supported browsers for the Admin portal include:

  • Mozilla Firefox 66 and earlier versions
  • Google Chrome 74 and earlier versions

Note If you use Chrome 65.0.3325.189, you may be unable to view guest account details in the print preview section.

  • Microsoft Internet Explorer 10.x and 11.x

If you are using Internet Explorer 10.x, enable TLS 1.1 and TLS 1.2, and disable SSL 3.0 and TLS 1.0 (Internet Options > Advanced).

Adobe Flash Player 11.1.0.0 or above must be installed on the system running your client browser.

The minimum required screen resolution to view the Cisco ISE Admin portal and for a better user experience is 1280 x 800 pixels.

Note After you install Cisco ISE, Release 2.1 or upgrade to Release 2.1, some of the Admin portal pages (especially the Context Visibility and MDM pages) might not get updated correctly because of browser cache issues.
If you do not find the expected results in the Admin portal, clear your browser cache frequently.

Supported Cipher Suites

Cisco ISE, Release 2.1 supports the following ciphers. TLS versions 1.0, 1.1, and 1.2 are supported.

  • For EAP-TLS, PEAP, EAP-FAST, EAP-TTLS:

– ECDHE-RSA-AES256-GCM-SHA384

– ECDHE-RSA-AES128-GCM-SHA256

– ECDHE-RSA-AES256-SHA384

– ECDHE-RSA-AES128-SHA256

– ECDHE-RSA-AES256-SHA

– ECDHE-RSA-AES128-SHA

– AES256-SHA256

– AES128-SHA256

– AES256-SHA

– AES128-SHA

– DES-CBC3-SHA

The following ciphers are supported when you check the Allow weak ciphers for EAP check box:

– RC4-SHA

– RC4-MD5

  • For EAP-FAST Anonymous Provisioning:

– ADH_WITH_AES_128_SHA

Note If you have legacy devices such as old IP phones that use these deprecated ciphers authenticating against Cisco ISE, the authentication fails because these devices use legacy ciphers. To allow Cisco ISE to authenticate such legacy devices, after upgrade to Release 2.1, ensure that you update the Allowed Protocols configuration as follows:

1. From the Admin portal, choose Policy > Policy Elements > Authentication > Allowed Protocols.

2. Edit the Allowed Protocols service and check the Allow weak ciphers for EAP check box.

3. Click Submit.

Supported Devices and Agents

Refer to Cisco Identity Services Engine Network Component Compatibility, Release 2.1 for information on supported devices, browsers, and agents.

Cisco NAC Agent Interoperability

The Cisco NAC Agent version 4.9.5.8 is a common agent for Cisco NAC Appliance Releases 4.9(1), 4.9(3), 4.9(4), 4.9(5), and Cisco ISE Releases 1.1.3-patch 11, 1.1.4-patch 11, 1.2.0, 1.2.1, 1.3, 1.4, 2.0 and 2.1.

This is the recommended model of deploying the NAC agent in an environment where users will be roaming between ISE and NAC deployments.

Support for Microsoft Active Directory

Cisco ISE, Release 2.1 works with Microsoft Active Directory servers 2003, 2003 R2, 2008, 2008 R2, 2012, and 2012 R2 at all functional levels.

Note Microsoft has ended support for Windows Server 2003 and 2003 R2. We recommend that you upgrade Windows Server to a supported version.

Microsoft Active Directory version 2000 or its functional level is not supported by Cisco ISE.

Cisco ISE 2.1 supports Multi-Forest/Multi-Domain integration with Active Directory infrastructures to support authentication and attribute collection across large enterprise networks. Cisco ISE 2.1 supports up to 50 domain join points.

Supported Anti-Virus and Anti-Malware Products

See the following link for specific anti-virus and anti-malware support details for Cisco NAC Agent and Cisco NAC Web Agent:

https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html

Installing Cisco ISE Software

To install Cisco ISE, Release 2.1 software on Cisco SNS-3415, SNS-3495, SNS-3515, and SNS-3595 hardware platforms, turn on the new appliance and configure the Cisco Integrated Management Controller (CIMC). You can then install Cisco ISE, Release 2.1 over a network using CIMC or a bootable USB.

Note When using virtual machines (VMs), we recommend that the guest VMs have the correct time set using an NTP server before installing the .ISO image or OVA file on the VMs.


Perform Cisco ISE initial configuration according to the instructions in the Cisco Identity Services Engine Hardware Installation Guide, Release 2.1. Before you run the setup program, ensure that you know the configuration parameters listed in Table 3.

Table 3 Cisco ISE Network Setup Configuration Parameters

| Parameter | Description | Example |
|---|---|---|
| Hostname | Must not exceed 19 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). The first character must be a letter. | isebeta1 |
| (eth0) Ethernet interface address | Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface. | 10.12.13.14 |
| Netmask | Must be a valid IPv4 netmask. | 255.255.255.0 |
| Default gateway | Must be a valid IPv4 address for the default gateway. | 10.12.13.1 |
| DNS domain name | Cannot be an IP address. Valid characters include ASCII characters, any numerals, the hyphen (-), and the period (.). | mycompany.com |
| Primary name server | Must be a valid IPv4 address for the primary name server. | 10.15.20.25 |
| Add/Edit another name server | (Optional) Allows you to configure multiple name servers. Must be a valid IPv4 address for an additional name server. | Enter y to add additional name server or n to configure the next parameter. |
| Primary NTP server | Must be a valid IPv4 address or hostname of a Network Time Protocol (NTP) server. | clock.nist.gov |
| Add/Edit another NTP server | (Optional) Allows you to configure multiple NTP servers. Must be a valid IPv4 address or hostname. | Enter y to add additional NTP server or n to configure the next parameter. |
| System Time Zone | Must be a valid time zone. For details, see Cisco Identity Services CLI Reference Guide, Release 2.1, which provides a list of time zones that Cisco ISE supports. For example, for Pacific Standard Time (PST), the System Time Zone is PST8PDT (or UTC-8 hours). The time zones referenced are the most frequently used time zones. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones. Note: We recommend that you set all Cisco ISE nodes to the UTC time zone. This setting ensures that the reports, logs, and posture agent log files from the various nodes in the deployment are always synchronized with the time stamps. | UTC (default) |
| Username | Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be three to eight characters in length and composed of valid alphanumeric characters (A–Z, a–z, or 0–9). | admin (default) |
| Password | Identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password (there is no default). The password must be a minimum of six characters in length and include at least one lowercase letter (a–z), one uppercase letter (A–Z), and one numeral (0–9). | MyIseYPass2 |

Note For additional information on configuring and managing Cisco ISE, see Release-Specific Document to access other documents in the Cisco ISE documentation suite.
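A pre-flight check of planned setup answers against the Table 3 rules, as an added example (not a Cisco tool). The dictionary keys, the function names, and the reading of "ASCII characters" as ASCII letters are assumptions; the time zone is not checked because the valid list comes from the show timezones command.

```python
"""Check planned Cisco ISE setup answers against the Table 3 rules (added example)."""
import ipaddress
import re

HOSTNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{0,18}")  # letter first, 19 chars max
DNS_NAME_RE = re.compile(r"[A-Za-z0-9.-]+")              # letters assumed for "ASCII characters"
USERNAME_RE = re.compile(r"[A-Za-z0-9]{3,8}")


def is_ipv4(value):
    if not isinstance(value, str):
        return False
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def is_netmask(value):
    """True only for a contiguous IPv4 netmask such as 255.255.255.0."""
    if not is_ipv4(value):
        return False
    inverted = ~int(ipaddress.IPv4Address(value)) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def is_dns_name(value):
    """Allowed characters only, and not an IP address."""
    return (isinstance(value, str) and bool(DNS_NAME_RE.fullmatch(value))
            and not is_ipv4(value))


def is_ntp_server(value):
    return is_ipv4(value) or is_dns_name(value)


def is_hostname(value):
    return isinstance(value, str) and bool(HOSTNAME_RE.fullmatch(value))


def is_username(value):
    return isinstance(value, str) and bool(USERNAME_RE.fullmatch(value))


def is_password(value):
    """At least six characters with a lowercase letter, an uppercase letter and a numeral."""
    return (isinstance(value, str) and len(value) >= 6
            and all(re.search(p, value) for p in ("[a-z]", "[A-Z]", "[0-9]")))


# Hypothetical field names mapped to (check, message).
RULES = {
    "hostname": (is_hostname, "1-19 chars, A-Z a-z 0-9 and hyphen, first char a letter"),
    "eth0_address": (is_ipv4, "must be a valid IPv4 address"),
    "netmask": (is_netmask, "must be a valid IPv4 netmask"),
    "default_gateway": (is_ipv4, "must be a valid IPv4 address"),
    "dns_domain": (is_dns_name, "not an IP address; letters, numerals, hyphen, period"),
    "primary_name_server": (is_ipv4, "must be a valid IPv4 address"),
    "primary_ntp_server": (is_ntp_server, "must be a valid IPv4 address or hostname"),
    "username": (is_username, "3-8 alphanumeric characters"),
    "password": (is_password, "6+ chars with lowercase, uppercase and a numeral"),
}


def validate_setup(answers):
    """Return {field: problem} for every answer that breaks a Table 3 rule."""
    errors = {}
    for field, (check, message) in RULES.items():
        if field not in answers:
            errors[field] = "missing"
        elif not check(answers[field]):
            errors[field] = message
    # Optional additional servers, supplied as lists.
    for field, check in (("extra_name_servers", is_ipv4),
                         ("extra_ntp_servers", is_ntp_server)):
        bad = [v for v in answers.get(field, []) if not check(v)]
        if bad:
            errors[field] = "invalid entries: " + ", ".join(map(str, bad))
    return errors


# The example values given in Table 3.
PAGE_EXAMPLE = {
    "hostname": "isebeta1", "eth0_address": "10.12.13.14",
    "netmask": "255.255.255.0", "default_gateway": "10.12.13.1",
    "dns_domain": "mycompany.com", "primary_name_server": "10.15.20.25",
    "primary_ntp_server": "clock.nist.gov", "username": "admin",
    "password": "MyIseYPass2",
}

# Constructed answers that break five of the rules.
BAD_EXAMPLE = dict(PAGE_EXAMPLE, hostname="1st-ise-policy-node-east",
                   netmask="255.0.255.0", dns_domain="10.12.13.14",
                   username="ad", password="password1")

if __name__ == "__main__":
    print(validate_setup(PAGE_EXAMPLE))
    for field, problem in validate_setup(BAD_EXAMPLE).items():
        print(field, "->", problem)
```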

Upgrading to Release 2.1

You can directly upgrade to Release 2.1 from the following Cisco ISE releases:

  • 1.3
  • 1.4
  • 2.0
  • 2.0.1

This release of Cisco ISE supports GUI as well as CLI based upgrade.

Note If you have installed a hot patch, roll back the hot patch before applying an upgrade patch.

GUI-Based Upgrade

The GUI-based upgrade from the Admin portal is supported only if you are currently on Release 2.0 and want to upgrade to Release 2.1.

CLI-Based Upgrade

From the Cisco ISE CLI, you can upgrade from Release 1.3, 1.4, and 2.0 directly to Release 2.1.

Virtual Machine Settings - Support for Red Hat Enterprise Linux 7

If you are upgrading Cisco ISE nodes on virtual machines, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change.

Note If you are installing Cisco ISE on an ESXi 5.x server, to support RHEL 7 as the Guest OS, update the VMware hardware version to 9 or later. RHEL 7 is supported with VMware hardware version 9 and later.

Refer to the Cisco ISE Upgrade Guide, Release 2.1 for a list of pre and post upgrade tasks.

Note When you upgrade to Cisco ISE, Release 2.1, you may be required to open network ports that were not used in previous releases of Cisco ISE. For more information, see Cisco ISE Ports Reference in the Cisco Identity Services Engine Hardware Installation Guide, Release 2.1.

Upgrade Considerations and Requirements

Read the following sections before you upgrade to Cisco ISE, Release 2.1:

  • SSL Exceptions in Elasticsearch.log File
  • Upgrade to Release 2.1 Restores Old Guest Accounts
  • Hostname Corruption in Elastic Search Configuration Files
  • Reverse DNS Lookup Configuration
  • Firewall Ports That Must be Open for Communication
  • Disable Backup Before You Upgrade
  • Admin User Unable to Access the ISE Login Page Post Upgrade
  • Rename Active Directory Join Point Name if the Join Point Name is ActiveDirectory
  • Rejoin Cisco ISE with Active Directory
  • Update Authorization Policies for New Guest Types
  • Other Known Upgrade Considerations and Issues

SSL Exceptions in Elasticsearch.log File

The Visibility and Context Service in Cisco ISE uses the Elastic search engine to filter records. The SSL exception on Elastic search results in an “Internal server error” in the Endpoints page. Three different types of SSL exceptions appear in the elasticsearch.log file:

  • Certificate unknown: This issue can be seen in the elasticsearch.log file. As a workaround, confirm that the certificate that the PAN is using is correct. If the CA certificate and admin certificate are not installed, reapply them for the primary PAN after the upgrade.
  • Null certificate chain: This issue occurs when the ISE admin certificate chain is missing from the Elastic search key store. As a workaround, add the entire certificate chain of the ISE admin certificate to the Elastic search key store and restart application services.
  • No subject alternative names present: This issue appears when the Cisco ISE Admin certificate does not include the IP address in the SAN field of the certificate. As a workaround, generate a self-signed certificate or obtain a CA-signed certificate for Admin use with the IP address in the SAN field for both the Primary and Secondary Administration nodes in the deployment.
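A triage pass over a copy of elasticsearch.log for the three exception types listed above, as an added example that is not Cisco code. The match patterns and the sample log lines are assumptions constructed from the exception names on this page; adjust them to the exact strings in your own log.

```python
import re

# Patterns are assumptions derived from the three exception names in the
# release note; the workaround text is paraphrased from the same list.
SIGNATURES = [
    ("certificate_unknown",
     re.compile(r"certificate[_ ]unknown", re.IGNORECASE),
     "Confirm the PAN certificate; reapply the CA and admin certificates on the primary PAN."),
    ("null_cert_chain",
     re.compile(r"null cert(?:ificate)? chain", re.IGNORECASE),
     "Add the full ISE admin certificate chain to the Elastic search key store, "
     "then restart application services."),
    ("no_san",
     re.compile(r"no subject alternative names? present", re.IGNORECASE),
     "Use Admin certificates with the IP address in the SAN field on both PANs."),
]


def triage(log_text):
    """Return {issue: {"count", "first_line", "workaround"}} for matching lines."""
    findings = {}
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for issue, pattern, workaround in SIGNATURES:
            if pattern.search(line):
                entry = findings.setdefault(
                    issue,
                    {"count": 0, "first_line": line_no, "workaround": workaround},
                )
                entry["count"] += 1
                break  # classify each line once
    return findings


# Constructed sample, not captured from a real ISE node.
SAMPLE_LOG = """\
[2016-08-01 10:00:01][WARN ][transport] SSLHandshakeException: Received fatal alert: certificate_unknown
[2016-08-01 10:00:05][INFO ][cluster] node joined
[2016-08-01 10:00:09][WARN ][transport] SSLHandshakeException: null cert chain
[2016-08-01 10:00:12][WARN ][transport] CertificateException: No subject alternative names present
[2016-08-01 10:00:15][WARN ][transport] CertificateException: No subject alternative names present
"""

if __name__ == "__main__":
    for issue, info in triage(SAMPLE_LOG).items():
        print(f"{issue}: {info['count']} hit(s), first at line {info['first_line']}")
        print(f"  workaround: {info['workaround']}")
```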

Upgrade to Release 2.1 Restores Old Guest Accounts

If you have From First Login guest type accounts created in Release 1.2, the accounts that were never used or are still active are migrated to Release 2.1. If you no longer need these accounts, you can delete them manually from the Sponsor portal.

Hostname Corruption in Elastic Search Configuration Files

This issue occurs when you have duplicate host entries in the /etc/hosts file. You might run into deployment-related issues after upgrade (ISE Indexing Engine status turns to “not running”). As a workaround, remove the duplicate host entries with root access, and restart Cisco ISE services.

Reverse DNS Lookup Configuration

Configure reverse DNS lookup for all Cisco ISE nodes in your distributed deployment in the DNS server(s). Otherwise, you may run into deployment-related issues after upgrade (“ISE Indexing Engine” status turns to “not running”).

Also, if reverse DNS is not configured, the secondary PAN is unable to join the primary PAN to form a cluster for the ISE Indexing Engine, and an error is displayed in the VCS pages.

If reverse DNS is missing, the SSL exception “No subject alternative name present” is displayed in the ise-elasticsearch.log file on the secondary PAN.
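A pre-upgrade name-resolution check covering both issues above (duplicate /etc/hosts entries and missing reverse DNS), as an added example that is not Cisco code. The host names, addresses and hosts-file content are constructed; the resolver functions are injectable so the logic can be exercised offline.

```python
import ipaddress
import socket
from collections import defaultdict


def duplicate_host_entries(hosts_text):
    """Return {hostname: [(line_no, ip), ...]} for names listed more than once."""
    seen = defaultdict(list)
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()      # drop comments
        if len(fields) < 2:
            continue                               # blank line or address without a name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # not a hosts entry
        if addr.is_loopback:
            continue                               # localhost is normally listed for 127.0.0.1 and ::1
        for name in fields[1:]:
            seen[name.lower()].append((line_no, str(addr)))
    return {name: hits for name, hits in seen.items() if len(hits) > 1}


def reverse_dns_gaps(fqdns, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return {fqdn: reason} for nodes whose forward and reverse records disagree."""
    gaps = {}
    for fqdn in fqdns:
        try:
            ip = forward(fqdn)
        except OSError as exc:                     # socket.gaierror is an OSError
            gaps[fqdn] = f"no forward record ({exc})"
            continue
        try:
            ptr_name, aliases, _ = reverse(ip)
        except OSError as exc:                     # socket.herror is an OSError
            gaps[fqdn] = f"no PTR record for {ip} ({exc})"
            continue
        names = {n.lower().rstrip(".") for n in [ptr_name, *aliases]}
        if fqdn.lower().rstrip(".") not in names:
            gaps[fqdn] = f"PTR for {ip} returns {ptr_name}, not {fqdn}"
    return gaps


# Constructed hosts-file content (documentation address range 192.0.2.0/24).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
192.0.2.10  ise-pan1.example.com ise-pan1
192.0.2.11  ise-pan2.example.com ise-pan2
192.0.2.10  ise-pan1.example.com    # stale duplicate
"""

if __name__ == "__main__":
    for name, hits in duplicate_host_entries(SAMPLE_HOSTS).items():
        print(f"duplicate entry for {name}: {hits}")
    # Uses the system resolver; replace with the FQDNs of your own nodes.
    for fqdn, reason in reverse_dns_gaps(["ise-pan1.example.com"]).items():
        print(f"{fqdn}: {reason}")
```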

Firewall Ports That Must be Open for Communication

If you have deployed a firewall between the primary Administration node and any other node, the following ports must be open before you upgrade to Release 2.1:

  • TCP 1521—For communication between the primary administration node and monitoring nodes.
  • TCP 443—For communication between the primary administration node and all other secondary nodes.
  • TCP 12001—For global cluster replication.
  • TCP 7800 and 7802—(Applicable only if the policy service nodes are part of a node group) For PSN group clustering.

For a full list of ports that Cisco ISE, Release 2.1 uses, refer to Cisco ISE Ports Reference in the Cisco Identity Services Engine Hardware Installation Guide, Release 2.1.
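The port list above turned into a per-node checklist with an optional TCP probe, as an added example that is not Cisco code. The inventory format, node names and the `node_group` field are hypothetical, and the example assumes every listed port applies on the path between the primary PAN and the other node, with TCP 12001 needed toward every node.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """One ISE node in a hypothetical deployment inventory."""
    fqdn: str
    personas: frozenset          # any of "admin", "monitoring", "policy"
    primary_pan: bool = False
    node_group: str = ""         # set only for PSNs that belong to a node group


def required_ports(nodes):
    """Return sorted [(dst_fqdn, port, reason)] to open from the primary PAN."""
    if sum(1 for n in nodes if n.primary_pan) != 1:
        raise ValueError("exactly one node must be marked as the primary PAN")
    reqs = []
    for n in nodes:
        if n.primary_pan:
            continue
        reqs.append((n.fqdn, 443, "primary PAN to secondary node"))
        reqs.append((n.fqdn, 12001, "global cluster replication"))
        if "monitoring" in n.personas:
            reqs.append((n.fqdn, 1521, "primary PAN to monitoring node"))
        if "policy" in n.personas and n.node_group:
            reqs.append((n.fqdn, 7800, "PSN group clustering"))
            reqs.append((n.fqdn, 7802, "PSN group clustering"))
    return sorted(reqs)


def probe(requirements, connect=socket.create_connection, timeout=3.0):
    """Return the requirements whose TCP connection attempt failed."""
    blocked = []
    for dst, port, reason in requirements:
        try:
            conn = connect((dst, port), timeout)
        except OSError:          # refused, filtered (timeout) or unresolvable
            blocked.append((dst, port, reason))
        else:
            conn.close()
    return blocked


# Constructed inventory; replace with your own nodes.
SAMPLE_DEPLOYMENT = [
    Node("ise-pan1.example.com", frozenset({"admin"}), primary_pan=True),
    Node("ise-pan2.example.com", frozenset({"admin"})),
    Node("ise-mnt1.example.com", frozenset({"monitoring"})),
    Node("ise-psn1.example.com", frozenset({"policy"}), node_group="campus"),
    Node("ise-psn2.example.com", frozenset({"policy"})),
]

if __name__ == "__main__":
    for dst, port, reason in required_ports(SAMPLE_DEPLOYMENT):
        print(f"{dst:24} tcp/{port:<6} {reason}")
```

A probe only reflects the path from the host it runs on, so run `probe()` from a machine on the primary PAN's network segment.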

Disable Backup Before You Upgrade

Cisco ISE does not support deployment changes when a backup is in progress. Plan your deployment upgrade in such a way that you reschedule the backups after the upgrade. You can choose to disable the backup schedules and recreate them after upgrade to Release 2.1.

Backups with a schedule frequency of once get triggered every time the Cisco ISE application is restarted. Hence, if you have a backup schedule that was configured to run just once, be sure to disable it before upgrade.

Admin User Unable to Access the ISE Login Page Post Upgrade

If you had enabled certificate-based authentication for administrative access to Cisco ISE (Administration > Admin Access) before upgrade and used Active Directory as your identity source, after upgrade, you will not be able to launch the ISE Login page because Active Directory join is lost during upgrade.

Workaround

From the Cisco ISE CLI, start the ISE application in safe mode using the following command:

application start ise safe

This command brings up the Cisco ISE node in safe mode and you can use the internal admin user credentials to log in to the ISE GUI.

After you log in, you can join ISE with Active Directory.

Rename Active Directory Join Point Name if the Join Point Name is ActiveDirectory

Before you upgrade to Release 2.1, if the Active Directory join point name is called “ActiveDirectory,” this might cause database corruption and RADIUS requests might be dropped after upgrade.

As a workaround, before you upgrade to Release 2.1, change the Active Directory join point name to something other than “ActiveDirectory.” For example, ActiveDirectory1. You don’t have to rename the join point name again after upgrade.

Rejoin Cisco ISE with Active Directory

Ensure that you have the Active Directory credentials if you are using Active Directory as your external identity source. After an upgrade, you might lose Active Directory connections. If this happens, you must rejoin Cisco ISE with Active Directory. After rejoining, perform the external identity source call flows to ensure the connection.

Update Authorization Policies for New Guest Types

After upgrading to Cisco ISE 2.1, the new guest types that are created do not match the upgraded authorization policies. You need to make sure that the authorization policies are updated with the new guest types.

Other Known Upgrade Considerations and Issues

This section provides a list of known upgrade-related caveats. See Cisco ISE, Release 2.1 Open Caveats for a description of these caveats and for fixes in patch releases, if available.

  • CSCux07023
  • CSCuz49154
  • CSCuz95165
  • CSCva01828
  • CSCva13610
  • CSCva44235
  • CSCva56322
  • CSCva57479
  • CSCva96507
  • CSCvb75125
  • CSCvc40084

Refer to the Cisco Identity Services Engine Upgrade Guide, Release 2.1 for other known upgrade considerations and issues.

Cisco Secure ACS to Cisco ISE Migration

You can directly migrate to Cisco ISE, Release 2.1 only from Cisco Secure ACS, Releases 5.5 and later. For information about migrating from Cisco Secure ACS, Releases 5.5 and later to Cisco ISE, Release 2.1, see the Cisco Identity Services Engine Migration Tool Guide.

You cannot migrate to Release 2.1 from Cisco Secure ACS 5.1, 5.2, 5.3, 5.4, 4.x, or earlier versions, or from Cisco Network Admission Control (NAC) Appliance. From Cisco Secure ACS, Releases 4.x, 5.1, 5.2, 5.3, or 5.4, you must upgrade to ACS, Release 5.5 or 5.6, and then migrate to Cisco ISE, Release 2.1.

Note If you are installing Cisco ISE, Release 2.1 on Cisco SNS-3500 series appliances with ACS PIDs (Cisco SNS-3515-ACS-K9 and Cisco SNS-3595-ACS-K9), you must update the BIOS and CIMC firmware on the hardware appliance before you install Cisco ISE, Release 2.1. Refer to the Cisco Identity Services Engine Hardware Installation Guide for information on how to update the BIOS and CIMC firmware.

Known Limitations in Cisco ISE, Release 2.1

This section lists known limitations in Release 2.1:

  • High Memory Utilization
  • Diffie-Hellman Minimum Key Length
  • SXP Protocol Security Standards
  • System and Trusted Certificates With Duplicate Extensions Do Not Allow ISE Services to Start
  • LDAP Sponsor Created Guest Users Not Visible When Upgraded From 1.2
  • LDAP Imported Guest Accounts Not Upgraded From Version 1.2
  • Do Not Delete the Default Internal Cisco ISE CA Templates
  • Do not Install a Patch Until Upgrade
  • TLS Authentication on Android Devices Does Not Use Certificates Issued by the Assigned Certificate Authority
  • EKU Validation: OCSP Signing Certificate Returns Unknown for Root CA
  • Backup and Restore Page Takes a Long Time to Load
  • EST Service Does Not Run in Cisco ISE 2.1
  • Profiler RADIUS Probe

High Memory Utilization

Cisco ISE Version 1.3 and later use RHEL, version 6. You may experience high memory utilization after installing or upgrading to Cisco ISE Version 1.3 or later. However, this does not negatively impact Cisco ISE performance and no alarms are triggered. If the memory usage is consistently above 90% or if there is any performance impact, you can contact Cisco TAC for troubleshooting.

Diffie-Hellman Minimum Key Length

Connection to LDAP server will fail if the Diffie-Hellman minimum key length configured on the LDAP server is less than 1024.

SXP Protocol Security Standards

The SXP protocol transfers unencrypted data and uses a weak hash algorithm for message integrity checking, per draft-smith-kandula-sxp-06.

SXP service must be enabled on a dedicated node

SXP service must be enabled on a dedicated node. If both Passive Identity and SXP service are enabled on the same node, static SXP mappings are not added to the SXP table and the ise-psc log shows ClassCastExceptions warnings.

System and Trusted Certificates With Duplicate Extensions Do Not Allow ISE Services to Start

An X.509 certificate has an extension field that you can use to add additional fields to the certificate, for example, basicConstraints and Key Usage. A certificate can include only one instance of a particular extension.

If a certificate in the Cisco ISE System or Trusted Certificates Store has more than one instance of a particular extension, the ISE application services do not start when the system is restarted.

Workaround: Contact Cisco Technical Assistance Center (TAC) to remove the certificate from the database.

LDAP Imported Guest Accounts Not Upgraded From Version 1.2

Guests that were imported by an LDAP authenticated sponsor in version 1.2 will not be migrated during an upgrade to 1.3, 1.4, 2.0, or 2.1.

LDAP Sponsor Created Guest Users Not Visible When Upgraded From 1.2

When upgrading from 1.2 to 1.3, 1.4, 2.0, or 2.1, guests who were created by a sponsor who was authenticated through LDAP can only be seen by the direct sponsor. These guests cannot be seen by other sponsors from the same sponsor group.

Do Not Delete the Default Internal Cisco ISE CA Templates

The internal Cisco ISE CA comes with two default certificate templates:

  • CA_SERVICE_Certificate_Template—Cisco ISE uses this template to issue certificates when other network services use Cisco ISE as the CA. For example, for client machines that connect over ASA VPN.
  • EAP_Authentication_Certificate_Template—Cisco ISE issues certificates for EAP authentication based on this template.

Do not delete these default certificate templates. If you want to customize the certificate template, you can create a new one, or copy an existing template and edit it.

Do not Install a Patch Until Upgrade

When upgrade is in progress, do not install a patch on any node in the deployment simultaneously. Patch installation should be done after deployment upgrade is complete.

TLS Authentication on Android Devices Does Not Use Certificates Issued by the Assigned Certificate Authority

This issue occurs when you have configured:

  • Internal and external Certificate Authority (CA) in Cisco ISE.
  • Two profiles (SSID1 and SSID2) for TLS authentication using the internal and external CA, respectively.

The certificates provisioned from Cisco ISE are imported into the Android certificate store. Sometimes, the wireless networks use one of the many certificates when connecting to the network. For example, when an Android device connects to the network using SSID1, the certificate used for authentication is issued by the internal CA. When a second Android device connects using SSID2, the certificate used for authentication is again issued by the internal CA instead of the external CA (as configured in SSID2).

This issue is seen only in Android devices and there is no workaround.

Cisco recommends that you update your Android device with all fixes and upgrades offered by the vendor.

EKU Validation: OCSP Signing Certificate Returns Unknown for Root CA

The Bouncy Castle OCSP signing certificate returns an 'unknown' response for the Root CA. If you have configured Cisco ISE to reject requests when an unknown certificate status is returned by the OCSP service, Cisco ISE rejects the certificate that is being evaluated and the user authentication fails.

This issue is seen in Bouncy Castle, version 1.6.145-generated certificates. There is no workaround.

Backup and Restore Page Takes a Long Time to Load

This issue occurs if the “Admin” certificate is configured with CRL check and the CRL server URL is not reachable from Cisco ISE.

As a workaround, you can do one of the following:

  • Ensure that the CRL server is reachable from Cisco ISE.
  • Generate a new “Admin” certificate without CRL check.
  • Generate a self-signed certificate for Admin usage.

EST Service Does Not Run in Cisco ISE 2.1

After a fresh installation of Cisco ISE 2.1, when you run the show application status ise command, the EST service might be shown as disabled. This issue occurs when the root certificate of the Cisco ISE internal CA is signed by an external CA and the external CA certificate is not present in your Trusted Certificates store. Import the external CA certificate into the Trusted Certificates store to bring up the EST service.

This issue is also seen after upgrade to Release 2.1, if the entire certificate chain of the internal ISE CA is not present. You must generate the Cisco ISE CA chain to bring up the EST service.

Profiler RADIUS Probe

When the RADIUS probe is disabled, endpoints are not profiled but are only authenticated and added to the database.

Features Not Supported in Cisco ISE, Release 2.1

  • IPN / iPEP configuration is not supported with Cisco ISE, Release 2.0 and later.
  • You cannot access the Operations menu from the primary Monitoring node in Cisco ISE, Release 2.1; it appears only in the Primary Administration Node (PAN).

Cisco ISE License Information

Cisco ISE licensing provides the ability to manage the application features and access, such as the number of concurrent endpoints that can use Cisco ISE network resources.

All Cisco ISE appliances are supplied with a 90-day Evaluation license. To continue to use Cisco ISE services after the 90-day Evaluation license expires, and to support more than 100 concurrent endpoints on the network, you must obtain and register Base licenses for the number of concurrent users on your system. If you require additional functionality, you will need Plus and/or Apex licenses to enable that functionality.

Cisco ISE, Release 2.1, supports licenses with two UIDs. You can obtain a license based on the UIDs of both the primary and secondary Administration nodes.

For more detailed information on license types and obtaining licenses for Cisco ISE, see the “Cisco ISE Licenses” chapter in the Cisco Identity Services Engine Administration Guide, Release 2.1.

For more information on Cisco ISE, Release 2.1 licenses, see the Cisco Identity Services Engine (ISE) Data Sheet.

Cisco Identity Services Engine Ordering Guide is available at http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Deployment Terminology, Node Types, and Personas

Cisco ISE provides a scalable architecture that supports both standalone and distributed deployments.

Table 4 Cisco ISE Deployment Terminology

  • Service: Specific feature that a persona provides such as network access, profiler, posture, security group access, and monitoring.
  • Node: Individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and also as software that can be run on a VMware server. Each instance (either running on a Cisco ISE appliance or on a VMware server) that runs the Cisco ISE software is called a node.
  • Persona: Determines the services provided by a node. A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, and Monitoring.
  • Deployment Model: Determines if your deployment is a standalone, high availability in standalone (a basic two-node deployment), or distributed deployment.

Types of Nodes and Personas

A Cisco ISE network has the following types of nodes:

  • Cisco ISE node, which can assume any of the following personas:

– Administration—Allows you to perform all administrative operations for Cisco ISE. It handles all system-related configurations related to functionality such as authentication, authorization, auditing, and so on. In a distributed environment, you can have one or a maximum of two nodes running the Administration persona and configured as a primary and secondary pair. If the primary Administration node goes down, you have to manually promote the secondary Administration node. There is no automatic failover for the Administration persona.

– Policy Service—Provides network access, posturing, BYOD device onboarding (native supplicant and certificate provisioning), guest access, and profiling services. This persona evaluates the policies and makes all the decisions. You can have more than one node assuming this persona. Typically, there is more than one Policy Service persona in a distributed deployment. All Policy Service personas that reside behind a load balancer can be grouped together to form a node group. If one of the nodes in a node group fails, the other nodes in that group process the requests of the node that has failed, thereby providing high availability.

Note SXP service must be enabled on a dedicated node.

– Monitoring—Enables Cisco ISE to function as a log collector and store log messages from all the Administration and Policy Service personas on the Cisco ISE nodes in your network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources.

A node with this persona aggregates and correlates the data that it collects to provide meaningful reports. Cisco ISE allows a maximum of two nodes with this persona that can assume primary or secondary roles for high availability. Both the primary and secondary Monitoring personas collect log messages. In case the primary Monitoring persona goes down, the secondary Monitoring persona automatically assumes the role of the primary Monitoring persona.

Note At least one node in your distributed setup should assume the Monitoring persona. It is recommended that the Monitoring persona be on a separate, designated node for higher performance in terms of data collection and reporting.

– pxGrid—Cisco pxGrid is a method for network and security devices to share data with other devices through a secure publish and subscribe mechanism. These services are applicable for applications that are used external to ISE and that interface with pxGrid. The pxGrid services can share contextual information across the network to identify the policies and to share common policy objects. This extends the policy management.

Table 5 Recommended Number of Nodes and Personas in a Distributed Deployment

  • Administration

– Minimum Number in a Deployment: 1

– Maximum: 2 (Configured as a high-availability pair)

  • Monitor

– Minimum Number in a Deployment: 1

– Maximum: 2 (Configured as a high-availability pair)

  • Policy Service

– Minimum Number in a Deployment: 1

– Maximum: 2 when the Administration/Monitoring/Policy Service personas are on the same primary/secondary appliances; 5 when Administration and Monitoring personas are on same appliance; 40 when each persona is on a dedicated appliance

  • pxGrid

– Minimum Number in a Deployment: 0

– Maximum: 2 (Configured as a high-availability pair)

You can change the persona of a node. See the “Set Up Cisco ISE in a Distributed Environment” chapter in the Cisco Identity Services Engine Admin Guide, Release 2.1 for information on how to configure personas on Cisco ISE nodes.

Requirements for CA to Interoperate with Cisco ISE

While using a CA server with Cisco ISE, make sure that the following requirements are met:

  • RSA key size should be 1024, 2048, or higher. In CA server, the key size is defined using certificate template. You can define the key size on Cisco ISE using the supplicant profile.
  • Key usage should allow signing and encryption in extension.
  • While using GetCACapabilities through the SCEP protocol, cryptography algorithm and request hash should be supported. It is recommended to use RSA + SHA1.
  • Online Certificate Status Protocol (OCSP) is supported. This is not directly used in BYOD, but a CA which can act as an OCSP server can be used for certificate revocation.

Note EJBCA 4.x is not supported by Cisco ISE for proxy SCEP. EJBCA is supported by Cisco ISE for standard EAP authentication like PEAP, EAP-TLS, and so on.

  • If you use an enterprise PKI to issue certificates for Apple iOS devices, ensure that you configure key usage in the SCEP template and enable the “Key Encipherment” option.

For example, if you use Microsoft CA, edit the Key Usage Extension in the certificate template. In the Encryption area, click the Allow key exchange only with key encryption (key encipherment) radio button and also check the Allow encryption of user data check box.

  • Cisco ISE supports the use of RSASSA-PSS algorithm for trusted certificates and endpoint certificates for EAP-TLS authentication. When you view the certificate, the signature algorithm is listed as 1.2.840.113549.1.1.10 instead of the algorithm name.

Note However, if you use the Cisco ISE internal CA for the BYOD flow, the Admin certificate should not be signed using the RSASSA-PSS algorithm (by an external CA). The Cisco ISE internal CA cannot verify an Admin certificate that is signed using this algorithm and the request would fail.

Cisco ISE Installation Files, Updates, and Client Resources

You can use three resources to download the software needed to provision and provide policy service in Cisco ISE:

  • Cisco ISE Downloads from the Download Software Center
  • Cisco ISE Live Updates
  • Cisco ISE Offline Updates

Cisco ISE Downloads from the Download Software Center

In addition to the .ISO installation package required to perform a fresh installation of Cisco ISE as described in Installing Cisco ISE Software, you can use the Download software web page to retrieve other Cisco ISE software elements, like Windows and Mac OS X agent installers and AV/AS compliance modules.

Downloaded agent files may be used for manual installation on a supported endpoint or used with third-party software distribution packages for mass deployment.

To access the Cisco Download Software center and download the necessary software:

Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials.

Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.

Choose from the following Cisco ISE installers and software packages available for download:

  • Cisco ISE installer .ISO image
  • Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants
  • Windows client machine agent installation files (including MST and MSI versions for manual provisioning)
  • Mac OS X client machine agent installation files
  • AnyConnect agent installation files
  • AV/AS compliance modules

Step 3 Click Download or Add to Cart.

Cisco ISE Live Updates

Cisco ISE Live Update locations allow you to automatically download Supplicant Provisioning Wizard, Cisco NAC Agent for Windows and Mac OS X, AV/AS support (Compliance Module), and agent installer packages that support client provisioning and posture policy services. These live update portals should be configured in Cisco ISE upon initial deployment to retrieve the latest client provisioning and posture software directly from Cisco.com to the Cisco ISE appliance.

Prerequisite:

If the default Update Feed URL is not reachable and your network requires a proxy server, you may need to configure the proxy settings in Administration > System > Settings > Proxy before you are able to access the Live Update locations. If proxy settings are enabled to allow access to the profiler and posture/client provisioning feeds, then it will break access to the MDM server as Cisco ISE cannot bypass proxy services for MDM communication. To resolve this, you can configure the proxy service to allow communication to the MDM servers. For more information on proxy settings, see the “Specify Proxy Settings in Cisco ISE” section in the “Administer Cisco ISE” chapter of the Cisco Identity Services Engine Admin Guide, Release 2.1.

Client Provisioning and Posture Live Update portals:

  • Client Provisioning portal: https://www.cisco.com/web/secure/pmbu/provisioning-update.xml

The following software elements are available at this URL:

– Supplicant Provisioning Wizards for Windows and Mac OS X Native Supplicants

– Windows versions of the latest Cisco ISE persistent and temporal agents

– Mac OS X versions of the latest Cisco ISE persistent agents

– ActiveX and Java Applet installer helpers

– AV/AS compliance module files

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Download Client Provisioning Resources Automatically” section of the “Configure Client Provisioning” chapter in the Cisco Identity Services Engine Admin Guide, Release 2.1.

  • Posture portal: https://www.cisco.com/web/secure/pmbu/posture-update.xml

The following software elements are available at this URL:

– Cisco predefined checks and rules

– Windows and Mac OS X AV/AS support charts

– Cisco ISE operating system support

For more information on automatically downloading the software packages that become available at this portal to Cisco ISE, see the “Download Posture Updates Automatically” section of the “Configure Client Posture Policies” chapter in the Cisco Identity Services Engine Admin Guide, Release 2.1.

If you do not enable the automatic download capabilities described above, you can choose to download updates offline. See Cisco ISE Offline Updates.

Cisco ISE Offline Updates

Cisco ISE offline updates allow you to manually download Supplicant Provisioning Wizard, agent, AV/AS support, compliance modules, and agent installer packages that support client provisioning and posture policy services. This option allows you to upload client provisioning and posture updates when direct Internet access to Cisco.com from a Cisco ISE appliance is not available or not permitted by a security policy.

Offline updates are also available for Profiler Feed Service. For more information, see the Configure Profiler Feed Services Offline section in the Cisco Identity Services Engine Administrator Guide.

To upload offline client provisioning resources:

Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials.

Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.

Choose from the following Off-Line Installation Packages available for download:

  • win_spw- <version> -isebundle.zip — Off-Line SPW Installation Package for Windows
  • mac-spw- <version>.zip — Off-Line SPW Installation Package for Mac OS X
  • compliancemodule- <version> -isebundle.zip — Off-Line Compliance Module Installation Package
  • macagent- <version> -isebundle.zip — Off-Line Mac Agent Installation Package
  • nacagent- <version> -isebundle.zip — Off-Line NAC Agent Installation Package
  • webagent- <version> -isebundle.zip — Off-Line Web Agent Installation Package

Step 3 Click Download or Add to Cart.

For more information on adding the downloaded installation packages to Cisco ISE, refer to the “Add Client Provisioning Resources from a Local Machine” section of the “Configure Client Provisioning” chapter in the Cisco Identity Services Engine Admin Guide, Release 2.1.

You can update the checks, operating system information, and antivirus and antispyware support charts for Windows and Macintosh operating systems offline from an archive on your local system using posture updates.

For offline updates, you need to ensure that the versions of the archive files match the version in the configuration file. Use offline posture updates when you have configured Cisco ISE and want to enable dynamic updates for the posture policy service.

To upload offline posture updates:

Step 1 Go to https://www.cisco.com/web/secure/pmbu/posture-offline.html.

Save the posture-offline.zip file to your local system. This file is used to update the operating system information, checks, rules, and antivirus and antispyware support charts for Windows and Macintosh operating systems.

Step 2 Access the Cisco ISE administrator user interface and choose Administration > System > Settings > Posture.

Step 3 Click the arrow to view the settings for posture.

Step 4 Choose Updates. The Posture Updates page appears.

Step 5 From the Posture Updates page, choose the Offline option.

Step 6 From the File to Update field, click Browse to locate the single archive file (posture-offline.zip) from the local folder on your system.

Note The File to Update field is a required field. You can select only a single archive file (.zip) that contains the appropriate files. Archive files other than .zip (like .tar and .gz) are not allowed.

Step 7 Click the Update Now button.

Once updated, the Posture Updates page displays the current Cisco updates version information under Update Information.

Using the Bug Search Tool

This section explains how to use the Bug Search Tool to search for a specific bug or to search for all bugs in a release.

  • Search Bugs Using the Bug Search Tool
  • Export to Spreadsheet

Search Bugs Using the Bug Search Tool

In Cisco ISE, use the Bug Search Tool to view the list of outstanding and resolved bugs in a release. This section explains how to use the Bug Search Tool to search for a specific bug or to search for all the bugs in a specified release.

Step 1 Go to https://tools.cisco.com/bugsearch/search.

Step 2 At the Log In screen, enter your registered Cisco.com username and password; then, click Log In. The Bug Toolkit page opens.

Note If you do not have a Cisco.com username and password, you can register for them at http://tools.cisco.com/RPF/register/register.do.

Step 3 To search for a specific bug, enter the bug ID in the Search For field and press Enter.

Step 4 To search for bugs in the current release:

a. Click the Select from list link. The Select Product page is displayed.

b. Choose Security > Access Control and Policy > Cisco Identity Services Engine.

c. Click OK.

d. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs based on different criteria such as status, severity, and modified date.

Export to Spreadsheet

The Bug Search Tool provides the following option to export bugs to an Excel spreadsheet:

  • Click the Export Results to Excel link in the Search Results page under the Search Bugs tab to export all the bug details from your search to an Excel spreadsheet. Presently, up to 10,000 bugs can be exported at a time to the Excel spreadsheet.

If you are unable to export the spreadsheet, log in to the Technical Support Website at http://www.cisco.com/cisco/web/support/index.html for more information or call Cisco TAC (1-800-553-2447).

Cisco ISE, Release 2.1.0.474 Patch Updates

This section provides information on patches that were made available after the initial availability of the Cisco ISE 2.1 release. Patches are cumulative, so any patch version also includes all fixes delivered in the preceding patch versions. Cisco ISE version 2.1.0.474 was the initial version of the Cisco ISE 2.1 release. After you install the patch, the version information is shown on the Settings > About Identity Services Engine page in the Cisco ISE GUI and in the CLI in the format “2.1.0.474 patch N”, where N is the patch number.

Note Within the bug database, issues resolved in a patch have a version number with a different nomenclature, in the format “2.1(0.9NN)”, where NN is also the patch number, displayed as two digits. For example, version “2.1.0.474 patch 1” corresponds to the following version in the bug database: “2.1(0.901)”.
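The two version notations described above can be converted mechanically, and because patches are cumulative the installed patch number alone decides which fixes a node has. The following is an added example, not Cisco code: the function names are hypothetical, a version string without a "patch N" suffix is assumed to mean the unpatched initial release, and the caveat-to-patch entries are a subset copied from the resolved-caveat tables on this page.

```python
import re

BASE = "2.1.0.474"  # initial build of the ISE 2.1 release, per the release notes

# GUI/CLI form "2.1.0.474 patch N"; bug-database form "2.1(0.9NN)".
_GUI = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+patch\s+(\d+))?\s*$", re.I)
_BUGDB = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)\.9(\d{2})\)\s*$")

# Security-relevant caveats and the cumulative patch that resolves them
# (subset taken from the tables on this page).
FIXED_IN = {
    "CSCvf63414": 8,  # Authenticated CLI Denial of Service
    "CSCvj62592": 8,  # Java Deserialization
    "CSCvj62614": 8,  # File Upload Code Execution
    "CSCvn17524": 8,  # Apache Struts CVE-2016-1000031
    "CSCvd74794": 7,  # Guest Portal Cross-Site Scripting
    "CSCve31857": 7,  # EAP-TLS Certificate Denial of Service
    "CSCvb15627": 4,  # SQL Injection
    "CSCve74916": 4,  # restricted shell privilege escalation
    "CSCva46542": 3,  # SQL injection
    "CSCvb85648": 3,  # CVE-2016-5195 (DIRTY CoW)
}


def parse_gui(version):
    """'2.1.0.474 patch 4' -> ('2.1.0.474', 4). No suffix is read as patch 0 (assumption)."""
    m = _GUI.match(version)
    if not m:
        raise ValueError(f"not a GUI/CLI version string: {version!r}")
    return ".".join(m.group(1, 2, 3, 4)), int(m.group(5) or 0)


def gui_to_bugdb(version):
    """'2.1.0.474 patch 1' -> '2.1(0.901)'. Only defined for patch 1..99."""
    base, patch = parse_gui(version)
    if not 1 <= patch <= 99:
        raise ValueError("the bug-database form encodes a two-digit patch number")
    major, minor, maint, _build = base.split(".")
    return f"{major}.{minor}({maint}.9{patch:02d})"


def bugdb_to_patch(version):
    """'2.1(0.908)' -> 8."""
    m = _BUGDB.match(version)
    if not m:
        raise ValueError(f"not a bug-database version string: {version!r}")
    return int(m.group(4))


def missing_fixes(installed):
    """Caveat IDs from FIXED_IN that the installed patch level does not yet include."""
    base, patch = parse_gui(installed)
    if base != BASE:
        raise ValueError(f"table only covers {BASE}, got {base}")
    # Cumulative patches: patch N contains every fix shipped in patches 1..N.
    return sorted(cid for cid, fixed in FIXED_IN.items() if fixed > patch)


if __name__ == "__main__":
    for v in ("2.1.0.474", "2.1.0.474 patch 4", "2.1.0.474 patch 8"):
        print(v, "->", missing_fixes(v))
```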

Note We recommend that you clear your browser cache after you install a patch on Cisco ISE, Release 2.1.

The following patch releases apply to Cisco ISE release 2.1:

  • Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 8
  • Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 7
  • Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 6
  • Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 5
  • Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 4
  • Known Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 4
  • Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 3
  • Known Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 3
  • Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 2
  • New Features and Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 1

Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 8

Table 6 lists the issues that are resolved in Cisco Identity Services Engine, Release 2.1 cumulative patch 8. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.1, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine, and save a copy of the patch file to your local machine.

Patch 8 might not work with older versions of SPW. MAC users need to upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later and Windows users need to upgrade their SPW to WinSPWizard 2.2.1.53 or later.

Then refer to the “Installing a Software Patch” section of the “Administer Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.1, for instructions on how to apply the patch to your system.

Note Although it is necessary to roll back a hot patch before installing a cumulative patch, you are not required to roll back the Struts hot patches CSCvm14030 and CSCvn17524 if they were applied before installing Patch 8.

Table 6 Cisco ISE Patch Version 2.1.0.474-Patch 8 Resolved Caveats

| Caveat | Description |
| --- | --- |
| CSCvf63414 | Cisco Identity Services Engine Authenticated CLI Denial of Service Vulnerability |
| CSCvf75968 | Multiple Vulnerabilities in httpasyncclient |
| CSCvg21535 | ISE pxGrid stuck in initializing state with bond interface |
| CSCvg79089 | Upgrade timeout during enable / disable of MnT persona |
| CSCvg86743 | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability |
| CSCvh11308 | Cisco Identity Services Engine Logs Cross-Site Scripting Vulnerability |
| CSCvh51992 | Cisco Identity Services Engine Authenticated CLI Denial of Service Vulnerability |
| CSCvi09426 | Modifying the Auth policy causes application server to crash |
| CSCvj62592 | Cisco Identity Services Engine (ISE) Java Deserialization Vulnerability |
| CSCvj62614 | Cisco Identity Services Engine (ISE) File Upload Code Execution Vulnerability |
| CSCvm03681 | EAP-FAST doesn't support correct key generation in TLS 1.2 |
| CSCvm03842 | PxGrid SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection - CVE-2009-3555 |
| CSCvm14030 | Evaluation of positron for Struts remote code execution vulnerability August 2018 |
| CSCvm16523 | ISE 2.3 to 2.4 upgrade is failing with error 'nodes are not on the same ISE patch version' |
| CSCvm72082 | ISE DB Lock without name is getting created and blocking Backup, Patch install |
| CSCvn17524 | ISE Apache Struts CVE-2016-1000031 Vulnerability |
| CSCvn59383 | ISE 2.3 patch 5 issue when creating guest user on sponsor portal using special character |

Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 7

Table 7 lists the issues that are resolved in Cisco Identity Services Engine, Release 2.1 cumulative patch 7. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.1, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine, and save a copy of the patch file to your local machine.

Patch 7 might not work with older versions of SPW. MAC users need to upgrade their SPW to MACOSXSPWizard 2.2.1.43 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.53 or later.

Then refer to the “Installing a Software Patch” section of the “Administer Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.1, for instructions on how to apply the patch to your system.

Table 7 Cisco ISE Patch Version 2.1.0.474-Patch 7 Resolved Caveats

| Caveat | Description |
| --- | --- |
| CSCvh30752 | Launching the RADIUS accounting reports take time |
| CSCvh32178 | Profiler Radius probe listener not listening on port 30514 |
| CSCvd74794 | Cisco Identity Services Engine Guest Portal Cross-Site Scripting Vulnerability |
| CSCve31857 | Cisco Identity Services Engine EAP-TLS Certificate Denial of Service Vulnerability. |
| CSCvf36421 | Catalina.<date>.log files are not log-rotated |

This release also contains general Security Fixes.

Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 6

Table 8 lists the issues that are resolved in Cisco Identity Services Engine, Release 2.1 cumulative patch 6. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.1, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Patch 6 might not work with older versions of SPW. MAC users need to upgrade their SPW to MacOsXSPWizard 2.1.0.42 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.51 or later.

Then refer to the “Installing a Software Patch” section of the “Administer Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.1, for instructions on how to apply the patch to your system.

Table 8 Cisco ISE Patch Version 2.1.0.474-Patch 6 Resolved Caveats

| Caveat | Description |
| --- | --- |
| CSCvf22318 | An ElasticSearch and database shards errors occur on the Endpoints Context Visibility page. |
| CSCvf42061 | An “Exception: all shards failed” error is reported on the Endpoints Context Visibility page. |
| CSCvf44272 | ISE 2.2 Patch 2 core files should not be written to root partition. Delete core files from the root directory. |
| CSCvf47316 | Fix for Entry Definition Framework (EDF) memory leak upon rollback. |
| CSCvf69018 | Issue with reverse lookup when nodes are registered with Cisco ISE after applying ISE 2.2 Patch 1. |
| CSCvf75225 | PAN runs high CPU due to 100K limit in the Redis server. |
| CSCvf87844 | Filtering of endpoints in the Context Visibility page occasionally does not display existing endpoints. |

Note The context visibility sync option and reset commands can be found in Release 2.1 Patch 6.

a. Run the app configure ise command on the Secondary Admin node CLI and select the following option:

[19]Reset Context Visibility

b. When you see a prompt to proceed with reset on the Primary Admin node, switch to Primary Admin node and select [19]Reset Context Visibility option.

c. After reset is complete on the Primary Admin node, switch to the Secondary Admin node and press Y to confirm that the reset was successful on the Primary Admin node.

d. Select the following option in the Primary Admin node:

[20]Synchronize Context Visibility With Database

| Caveat | Description |
| --- | --- |
| CSCvg26227 | PSN reloads when Allow Weak Ciphers for EAP option is enabled in the Allowed Protocols page. |
| CSCvg41689 | Platform.properties-active file is not deleted as part of ISE 2.2 Patch 4 installation. |

Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 5

Note If you have previously installed Cisco ISE 2.1 Patch 4, it is recommended that you install Cisco ISE 2.1 Patch 5 to address a few significant issues that you may have encountered with the installed Cisco ISE 2.1 Patch 4.

Table 9 lists the issues that are resolved in Cisco Identity Services Engine, Release 2.1 cumulative patch 5. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.1, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Patch 5 might not work with older versions of SPW. MAC users need to upgrade their SPW to MacOsXSPWizard 2.1.0.42 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.51 or later.

Then refer to the “Installing a Software Patch” section of the “Administer Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.1, for instructions on how to apply the patch to your system.

Table 9 Cisco ISE Patch Version 2.1.0.474-Patch 5 Resolved Caveats

| Caveat | Description |
| --- | --- |
| CSCvb34095 | MAB authentication fails in a three-node deployment. |
| CSCvc02009 | ISE drops accounting packets from ASA. |
| CSCvc80485 | ISE 2.1 enhancement request to support Aruba Wireless 3200. |

Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 4

Table 10 lists the issues that are resolved in Cisco Identity Services Engine, Release 2.1 cumulative patch 4. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.1, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Patch 4 might not work with older versions of SPW. MAC users need to upgrade their SPW to MacOsXSPWizard 2.1.0.42 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.51 or later.

Then refer to the “Installing a Software Patch” section of the “Administer Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.1, for instructions on how to apply the patch to your system.

Table 10 Cisco ISE Patch Version 2.1.0.474-Patch 4 Resolved Caveats

| Caveat | Description |
| --- | --- |
| CSCur60613 | PSN occasionally reloads due to race condition in handling authentications. |
| CSCux51093 | GET operation with ERS API fails with 'CRUD operation exception' error when trying to fetch the list of guests. |
| CSCux66193 | In ISE 2.0, you receive a non-existing SGT tag when your device call for environment data. |
| CSCuy19991 | Intermittent Guest Authentication Fail on Guest portal. |
| CSCuy76263 | Sec(PAP) and Sec(MnT) persona shows MnT related tabs. |
| CSCuy80749 | Redis server crashed on PSN node with core files. |
| CSCuy98580 | AD connector crashed when changing the DNS while AD is joined. |
| CSCuz53660 | In ISE 2.1, license consumption is 0 on live network. |
| CSCuz59037 | ISE redirect profiling doesn't work on initial page load. |
| CSCva02256 | The Alarm Configuration from the Alarm Settings Page is missing from ISE GUI. |
| CSCva16918 | Endpoint Purge doesn't work in ISE 1.4 P7. |
| CSCva18717 | ISE 1.4 App Server crashes while reading SG ACL ExpiryLifetime for NAD. |
| CSCva41898 | Unable to create user/admin accounts from CLI. |
| CSCva46497 | ISE XSS vulnerability in admin dashboard page. |
| CSCva52753 | ISE shows error when viewing details of an entry in “Posture Assessment by Endpoint” report. |
| CSCva56322 | In ISE 2.1, an internal error occurs when accessing Workcenters > Identities. |
| CSCva91445 | PSN triggers change of ownership and CoA when new attributes are added to the existing endpoint. |
| CSCva94303 | ISE 2.1 triggers false alarm when backup or a bond interface configured for redundancy. |
| CSCva95303 | In ISE 2.0 Catalina.out.<date> and catalina.<date>.log take huge space. |
| CSCva95468 | Support for configuration selection to enable/disable weak TLS cipher suites is added in the Security Settings page (Administration > System > Settings > Protocols > Security Settings) when ISE acts as TLS client. |
| CSCva98129 | ISE adds one more unsuccessful failed attempts in Guest Portal setting. |
| CSCvb11462 | Enhancement request to improve error message to show switch name or IP on SNMP probe. |
| CSCvb14612 | SNMP Query is not triggered due to lack of synchronization between Redis database and Oracle database. |
| CSCvb15627 | Cisco Identity Services Engine SQL Injection Vulnerability. |
| CSCvb16324 | During VSS switchover, ISE stays connected to the old VSS. |
| CSCvb25290 | Endpoint purge takes a long time (~10 hrs) when a deployment has 400 thousand endpoints. |
| CSCvb30158 | Upon registering a self-registered guest on 1.4 P9 multi-node deployment, ISE throws an email failure error. |
| CSCvb42551 | Radius Context Allocation Failure Alarms are seen running for a few days in MNT. |
| CSCvb44902 | Missing reqd Secure Syslog Audit record Termination LDAPS connections. |
| CSCvb46440 | After upgrading from ISE 1.3 patch 7 to ISE 2.0.1, purge rules are not working as expected. |
| CSCvb46604 | Incorrect inactivity days are discovered for some static endpoints via SNMP query to the distribution switch (ARP cache) to which the endpoints are connected. |
| CSCvb46609 | When there are large number of endpoints (400 thousand endpoints) in the database, endpoint search by MAC address is slow. |
| CSCvb56581 | PortalUser attribute is missing from ISE 2.1. |
| CSCvb59454 | Unable to remove 'Help Link' in My Devices Portal customization. |
| CSCvb60653 | Despite disabling the local log collector, UDP syslogs continue to be collected. |
| CSCvb61885 | Unable to export endpoints when certain filters are applied. |
| CSCvb75125 | After upgrading from ISE 2.0 to ISE 2.1 and enabling AD profiling probe in GUI, operation success message is displayed. However, AD probe field remains unchecked after navigating to another tab and returning to the previous page. |
| CSCvb81755 | Replication on all the ISE PSNs doesn't work if any of the PSNs in the deployment has latency issue. |
| CSCvb86332 | In ISE 2.0.1.130, authentication is performed through GET requests Guest Portal. |
| CSCvb86760 | In ISE 2.0.1, authentication is performed through GET requests Sponsor Portal. |
| CSCvb97077 | Exporting an endpoint list filtered with IP address or hostname gives a blank excel file. |
| CSCvc13039 | Endpoint identity group does not change via the hot spot portal. |
| CSCvc20234 | Manual NMAP scan doesn't work properly. |
| CSCvc28417 | ISE back-up fails intermittently from CLI and GUI. |
| CSCvc34224 | ISE crashes and restarts automatically in JVM layer. |
| CSCvc36548 | Unable to delete ./oracle/base/diag/tnslsnr alert files in ISE. |
| CSCvc41641 | When you login to Sponsor portal and resend credentials using print option, password is displayed in a plain text. |
| CSCvc41646 | When you select language other than English for print notification, password is displayed in plain text in Sponsor portal. |
| CSCvc42835 | ISE displays NullPointerException error when you request entitlement count from the DB. |
| CSCvc49434 | Enhancement for TCP timeout on MS SQL Server ODBC connector. |
| CSCvc51943 | ISE application-server process crashes due to syslog handling. |
| CSCvc54962 | Exporting and importing language files under Sponsor Portal removes all customization. |
| CSCvc60412 | ISE restore breaks Log Collector's value and Node status on summary. |
| CSCvc61195 | ISE system log files ADE.log/backup.log/restore.log logrotate displays incorrect data. |
| CSCvc61931 | In ISE 2.1, PostgreSQL authentications fails, throws random errors. |
| CSCvc65379 | ISE 2.1 Admin GUI user login delays, takes a minute. |
| CSCvc69935 | Frequent RADIUS traffic drops in ISE 2.1. |
| CSCvc71503 | Jedis throws error and gets disconnected automatically. |
| CSCvc72637 | An error occurs while adding a SourceFire FireAMP adaptor in the Threat Centric Network Access Control (TC-NAC) service. |
| CSCvc74300 | Due to huge amount of oracle logins, /var/log/secure file size is increasing rapidly. |
| CSCvc74307 | Unable to remove logwatch temp files from /var/cache/logwatch. |
| CSCvc75209 | ISE 2.1 and above shows High IO and High CPU usage for oracle process on MNT mode. |
| CSCvc75576 | Purging unwanted data takes longer if a large number of endpoints exist. |
| CSCvc79381 | In ISE 2.1, replication fails, displays “Error in synchronizing object.” |
| CSCvc79739 | ISE data base grows very large due to EDF database table logs, causing giant backups. |
| CSCvc80485 | ISE 2.1 enhancement request to support Aruba Wireless 3200. |
| CSCvc83795 | Guest portal doesn't accept password with < and ! special characters. |
| CSCvc84399 | Admin COA fails. Secure MnT logic before updating an active session. |
| CSCvc85415 | Cisco Identity Services Engine Reflected Cross-Site Scripting Vulnerability. |
| CSCvc86247 | CPU runs with or without authentications when multiple threads go to infinite loop on PSN. |
| CSCvc87853 | SNMP process stops and restarts by itself after. |
| CSCvc93699 | Posture lease option is not working for VPN users using AnyConnect 4.4 and Mac OSX 10.x. |
| CSCvc95735 | ISE 2.1 /tmp files becomes full when you use `show logging command` |
| CSCvd07886 | Upgrade to ISE 2.2 fails. Throws error. |
| CSCvd08518 | Policy push does not work for changes made to policies using EPGs as the destination. |
| CSCvd10486 | When the endpoints are profiled and associated with a suspended/deleted sponsored guest user, remain in the GuestEndpoints and do not get disabled. |
| CSCvd11537 | ISE generates huge number of start/stop dropping messages in syslog. |
| CSCvd14878 | Unable to delete Filtered Endpoints when custom filter is in use. |
| CSCvd21954 | TACACS+ authentication requests fail due to memory leak. |
| CSCvd27408 | ISE fails to reconnect to syslog server if TCP connectivity gets disconnected. |
| CSCvd31126 | AnyConnect displays “No policy server detected” error. |
| CSCvd36405 | It takes approximately 2 hours to generate authentication report with MAC Address or network device. |
| CSCvd41050 | In ISE 2.1, endpoint lookup is slow when DB is huge. |
| CSCvd48590 | In ISE 2.0, 2.1 and 2.2, unable to delete email logo in email notification for guest account credentials. |
| CSCvd49141 | Cisco Identity Services Engine Cross-Site Scripting Vulnerability. |
| CSCvd49829 | Evaluation of positron for struts2-jakarta rce vulnerability. |
| CSCvd50693 | Unable to delete endpoints from GUI. |
| CSCvd52520 | Watchdog process is unable to restart redis server after getting crashed. |
| CSCvd56328 | SYSAUX tablespace fills up, and CPU spikes on MNT nodes. |
| CSCvd56372 | ISE displays Dead lock in oracle alert log. |
| CSCvd56439 | On reload ISE services on PSN doesn't run after applying ISE 2.1 Patch 3. |
| CSCvd62856 | ISE Application Server initializes after Applying patch 3 on ISE 2.1. |
| CSCvd69677 | ISE 2.1 sends wrong guest password from the secondary and PSN nodes. |
| CSCvd69784 | ISE shows high authentication latency on PSN nodes. |
| CSCvd81222 | MNT collation job takes longer time than expected. |
| CSCvd88782 | ISE gets stuck when connected to a troubled device. The SSH session to device doesn't complete, and ISE hangs. IP-SGT mapping download stays incomplete. |
| CSCve13949 | In ISE 2.1, directory /opt/oracle/base/diag/rdbms/cpm10/cpm10/trace get filled with *.trm and *.trc files. ISE needs rebooting. |
| CSCve22444 | ISE optimizes on demand queries & increases the compliance query interval. |
| CSCve25374 | External REST API support provided for Read-Only ISE administrators. |
| CSCve27506 | AnyConnect displays “No policy server detected” error when the endpoint is a part of posture lease NON-VPN connections. |
| CSCve31569 | Unable to access the reports and live logs from PAN. |
| CSCve33558 | Curly braces or parentheses in TACACS+ shell profile fails input validation. |
| CSCve39239 | ISE crashes on simultaneous RADIUS requests from same endpoint. |
| CSCve50763 | ISE 2.1 unable to display logs for Radius authentication report for a specific time range. |
| CSCve51076 | Unable to create profiler condition of NMAP Extension type in ISE 2.1. |
| CSCve53737 | Enhancement request to add an additional field to certificate generated by ISE CSR. |
| CSCve60096 | Enhancement request to display the device name when the download starts and ends. |
| CSCve73657 | ISE 2.1 configuration change gets reverted back after reload. |
| CSCve74916 | Cisco ISE restricted shell privilege escalation vulnerability. |
| CSCve78606 | ISE 2.3 application service resets as ISE runs out of memory. |
| CSCve87076 | Guest account fails authentication via PSN node. |
| CSCve97765 | EAP-TLS BYOD doesn't work on Apple iOS 11, throws error. |
| CSCvf00883 | pxGrid authorization denied and also takes 20 minutes to start working after primary pxGrid node is down. |
| CSCvf18466 | ISE 2.1 endpoint lookup using MnT REST API is very slow. |
| CSCvf26139 | A “System Error! Trust Cert not found” error occurs while modifying an LDAP profile. |
| CSCvf31398 | In ISE 2.1 TACACS+ allows all users with valid credentials to login to Nexus. |
| CSCvf32992 | LDAP ID store gets corrupted when you import an existing CA certificate which is already in use for LDAPS into ISE trust store. |
| CSCvf33004 | Unable to delete corrupted files in LDAP identity sources. |
| CSCvf42743 | When ISE is restarted, the trusted certificate configured in the LDAP identity source can be deleted. |
| CSCvf52671 | ISE 2.1 TACACS+ Authorization report does not display the executed commands. |

Known Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 4

TACACS Authorization Report

Perform the following steps to view the contents of the Command column in the TACACS Authorization report:

Step 1 Choose ISE Reports > Device Administration > TACACS Authorization.

Step 2 Choose Settings > Fix Columns > Command.

The Command column moves to become the first column in the report. You can drag the boundary on the right side of the Command column heading until you reach the desired column width.

Note You can perform the above steps to view the last column in any report where the existing content does not fit.

Custom Attributes in TACACS+ Profiles

When adding custom attributes in TACACS+ profiles, it is recommended not to use asterisk (*) and equal to (=) symbols in the argument. TACACS+ considers asterisk (*) and equal to (=) symbols as separators, which reformats the Name and Value fields and changes the Mandatory Type to Optional.
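The effect described above follows from how a TACACS+ argument is split: the first "=" or "*" ends the attribute name, "=" marks the pair mandatory and "*" marks it optional. The following is an added example, not Cisco ISE code: the function names are hypothetical, the decoder is a plain first-separator parser written for illustration, and the attribute names and values are constructed.

```python
# Separator character -> whether the attribute-value pair is mandatory.
SEPARATORS = {"=": True, "*": False}


def encode_av(name, value, mandatory=True):
    """Serialise a custom attribute the way it travels as a TACACS+ argument."""
    return f"{name}{'=' if mandatory else '*'}{value}"


def decode_av(argument):
    """Split an argument at its FIRST separator into (name, value, mandatory)."""
    for index, char in enumerate(argument):
        if char in SEPARATORS:
            return argument[:index], argument[index + 1:], SEPARATORS[char]
    raise ValueError(f"no '=' or '*' separator in {argument!r}")


def check_custom_attribute(name, value, mandatory=True):
    """Return findings for a custom attribute before it is saved to a profile.

    Flags any separator character in the name or value (the release note's
    recommendation) and reports what a first-separator parser would read
    back if the encoded argument no longer round-trips.
    """
    findings = []
    for field, text in (("name", name), ("value", value)):
        used = sorted(ch for ch in SEPARATORS if ch in text)
        if used:
            findings.append(f"{field} contains separator(s): {' '.join(used)}")
    intended = (name, value, mandatory)
    received = decode_av(encode_av(name, value, mandatory))
    if received != intended:
        findings.append(f"peer would read {received!r} instead of {intended!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample attributes: (name, value, mandatory).
    samples = [
        ("priv-lvl", "15", True),   # clean
        ("acl*in", "10", True),     # '*' in the name flips mandatory to optional
        ("route", "a=b", True),     # '=' in the value: flagged, still round-trips here
    ]
    for name, value, mandatory in samples:
        print(encode_av(name, value, mandatory), "->",
              check_custom_attribute(name, value, mandatory) or "ok")
```

With the constructed name "acl*in", the intended mandatory pair is read back as an optional attribute named "acl" with value "in=10", which is the Name/Value reformatting and Mandatory-to-Optional change the note warns about.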

Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 3

Table 11 lists the issues that are resolved in Cisco Identity Services Engine, Release 2.1 cumulative patch 3. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.1, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Patch 3 might not work with older versions of SPW. MAC users need to upgrade their SPW to MacOsXSPWizard 2.1.0.42 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.51 or later.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.1, for instructions on how to apply the patch to your system.

Table 11 Cisco ISE Patch Version 2.1.0.474-Patch 3 Resolved Caveats

| Caveat | Description |
| --- | --- |
| CSCva86642 | ISE services had to be restarted to failover to next available AD DC. |
| CSCvb52063 | EP attributes on ISE 2.0 does not display when upgrading to ISE to 2.1. |
| CSCvb85648 | Evaluation of ISE for CVE-2016-5195 (DIRTY CoW). |
| CSCuz11105 | ISE fails to export language archive from the portal after modification. |
| CSCuz75818 | ISE 1.3 p6 Importing language file removes new line characters. |
| CSCva46542 | ISE SQL injection vulnerability. |
| CSCva94541 | ISE: Evaluation of Leap Second 2016. |
| CSCvb16285 | ISE App Server taking 16 minutes to start. |
| CSCvb46625 | MNT live authentications page takes long time to query when greater than 3 hours logs are set. |
| CSCvb46648 | When you run multiple MNT reports concurrently, it slows down ISE PAN. |
| CSCvb52608 | In MNT 1.3 and 2.0.1, live logs search takes longer than expected time. |
| CSCvb86455 | alarmexp.txt doesn’t show alarm data shows in ISE Support Bundle. |
| CSCvb89774 | Email notification is not sent for password expiration reminder, if the domain validation fails for ISE domain. |
| CSCvb97903 | ISE support bundle missing alarm logs. |
| CSCvc04382 | High authentication latency alarm details pop up URL displays incorrectly. |
| CSCvc05024 | Endpoint purge goes to infinite loop when purge policies are configured on ISE. |
| CSCvc08063 | From ISE 2.1, you can download the migration application from cisco.com. |
| CSCvc33873 | RADIUS authentication report takes more time to generate for last 30 days. |
| CSCvc38488 | GUI upgrade fails due to SSL exception while upgrading from 2.1P2 to 2.2. |
| CSCvc40801 | ISE MnT becomes slow when ISE is integrated with Prime Infrastructure. |
| CSCvc53146 | Endpoint Purge takes more than expected time (2-3 days) for 700 thousand Endpoint. |
| CSCvc53948 | Guest user does not get an account expiration notification email when it is about to expire. |
| CSCvc54673 | In ISE 2.1, the number of admin-http-pool threads is insufficient for large deployments. |
| CSCvc59667 | In ISE 2.0.1 Sponsor Portal, shows Error 500 after successful login. |
| CSCva80278 | You can not use Filter field to retrieve LDAP groups. |
| CSCvb70006 | Hotspot portal in Apple mini browser takes longer time (8 seconds) to complete the operation. |
| CSCva52212 | In ISE 2.1, Date format is inconsistent on Account Information page |
| CSCva53650 | In ISE 2.1 when acknowledging alarm on primary node, alarm replication does not work in secondary node. |
| CSCuz53809 | None option is missing from the PM severity level drop-down list. |
| CSCuz57982 | In ISE 1.3 P5, SMS Reset password is unavailable in Portal Customization Page. |
| CSCuz93183 | ISE fails to onboard device with multiple NICs and empty SCCM policy. |
| CSCvb33604 | CWA Chaining doesn't work with SAML web-authentication. |

Known Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 3

Issues with upgrading from 2.0 to 2.3 via GUI

When you upgrade from 2.0 to 2.3 through GUI simultaneously on all nodes, it shows Download failed - Upgrade bundle download timed out.

However, ADE.log shows an Upgrade preparation success message.

It is recommended to download the bundle to one node at a time. Do not download the bundle simultaneously on all the nodes.

Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 2

Patch Parity: Cisco ISE 2.1 Patch 2 has parity with Cisco ISE 1.3 Patch 7, 1.4 Patch 9, 2.0 Patch 4 and 2.0.1 Patch 1.

Table 12 lists the issues that are resolved in Cisco Identity Services Engine, Release 2.1 cumulative patch 2. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.1, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Patch 2 might not work with older versions of SPW. MAC users need to upgrade their SPW to MacOsXSPWizard 2.1.0.42 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.51 or later.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.1, for instructions on how to apply the patch to your system.

Table 12 Cisco ISE Patch Version 2.1.0.474-Patch 2 Resolved Caveats

Description

CSCuh61180

ISE node contacts remote site for call home at ISE service startup.

CSCuw48837

Authentication stops on PSN with no logs reported on MnT.

CSCux99134

Upon upgrading from ISE 2.0.1 to 2.1, Passive Identity Tracking checkbox is not saved properly.

CSCuy99854

When FIPS mode is enabled in ISE 1.4 Patch 7, application server gets stuck in initialization state.

CSCuz08717

Performance degradation observed in ISE 1.4 patch 7 due to profiler changes.

CSCuz17763

When client switches from SSID with 802.1x based authentication to SSID with guest based authentication, concurrent sessions are dropped.

CSCuz30471

Delay in wired guest COA while using Cisco ISE 2.0.

CSCva02380

“HTTP Status 400 - Bad Request” error occurs when an FQDN is used to login to ISE.

CSCva32914

After upgrading from ISE 1.2 to 1.4, when the device is not operational in the AD domain, ISE responds to Nagios Radius Probes and prevents “Process Failure” response.

CSCva80275

ISE nodes attempt to check updates from third party websites.

CSCva81452

AD ValidateAccount mechanism optimization.

CSCva84936

ISE is unable to profile Cisco access points due to cdpCacheAttribute null value during SNMP query probe.

CSCva86683

In ISE 2.1, EAP-Chaining fails to retrieve AD user attributes when the user name and machine name in AD are same.

CSCva91557

ISE fails to send notification emails to guest users from Sponsor Portal.

CSCvb10382

When there is large amount of data in the network, WMI events are not published to pxgrid client.

CSCvb32929

Attempt to join new node to ISE 2.1 deployment fails, if FQDN contains numbers in the top-level domain (TLD).

CSCvb34404

On ISE 1.3 PSN, high load is seen when posture discovery traffic is allowed.

CSCvb48654

Evaluation of positron for OpenSSL September 2016.

CSCuo16506

Internal users cannot change their password in the guest portal.

CSCur11333

MNT Session API shows XML Errors and inaccurate information while processing the REST request.

CSCut02199

Sponsor Portal internal error occurs when proxy is enabled or host name is unresolvable.

CSCuu21473

Portal users for the existing BYOD on-boarded devices are missing from the endpoints page after upgrading ISE 1.3 to 2.0.

CSCuu39225

Authentications against AD in ISE 1.3 fail sporadically. “Communication with domain controller failed” error message is seen in the logs.

CSCuv89453

Repeated password change and login loop occurs in the Guest and Sponsor Portals.

CSCuv97343

While creating new guest accounts, ISE 1.3 caches the previous Sponsor's email address.

CSCuw88244

ISE-TACACS Term licenses are shown as permanent licenses after import.

CSCux58966

User password is showing up under External RADIUS server.

CSCuy30044

Problems in issuing EPS and ANC remediations against IPv6 clients.

CSCuy49511

Java exception is seen on visiting SXP Settings page.

CSCuy81577

Certificate hierarchy is not loading in Firefox browser.

CSCuy86957

Unable to delete guest compound condition and user identity groups mapped to sponsor group policy, after upgrading from ISE 1.2 to 1.4.

CSCuy89909

ISE takes incorrect information from AD Query.

CSCuy91317

Restore process does not get completed during ISE database sync up.

CSCuz06632

After failover, Alarms or Live Logs take more time to load.

CSCuz10364

Overlap error is seen on DHCP and DNS services page (Administration > Settings) when the network ID is different.

CSCuz13452

In ISE 2.0, endpoint purging policies match only “Purge” rules and ignore “Never Purge” rules.

CSCuz48664

Request to provide option to set and change guest user's password via guest API.

CSCuz72316

After upgrading ISE 2.0 to ISE 2.0 patch 3, manually registered devices in the My Devices portal stay in “NOTREGISTERED” status.

CSCuz95810

State.yml file does not get updated with “Authorized state” after restarting app server.

CSCuz98694

EAP-Chaining does not drop the authentication request when all the domains are unreachable.

CSCva00168

When Sponsor is a member of ALL_ACCOUNTS and GROUP_ACCOUNTS, ISE displays newly created accounts under pending accounts though approval is not required.

CSCva11953

SMS notification is not sent when guest password is reset.

CSCva32911

After migrating from ISE 1.2 to ISE 1.4 and joining AD domain, “Pwdlastset” field does not get updated when re-joining ISE devices.

CSCva55881

Joined domain must not be marked as unusable in the event of encountering “KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN” error.

CSCva56166

First rule that is added in authorization policy overrides the default TACACS+ authorization policy.

CSCva58328

Device registration through Hotspot portal fails with an error if the endpoint exists in ISE database and the endpoint was created by an ISE component other than a portal.

CSCva58575

ISE libxml2 Package Outdated.

CSCva58582

ISE pcre Package Outdated

CSCva66772

Unable to add domain names containing more than three parts under DHCP and DNS services.

CSCva75869

On ISE 2.1, TACACS authorization fails if Active Directory contains the same user name and computer name.

CSCvb02052

ISE Assigns DHCP IP even when the scope does not match local subnet.

CSCvb02488

In ISE 2.1 Logrotate does not run correctly.

CSCvb14848

Unable to view pending sponsor accounts when guest/sponsor's email address is in different case (usually lower case).

CSCvb15398

RegEx in TACACS command set or shell profile fail input validation.

CSCvb16324

During VSS switchover, ISE stays connected to the old VSS.

CSCvb24232

Security issues in SSH reported by retina network in Cisco ISE 1.4 Patch 9.

CSCvb28658

AD agent is unable to reconnect to Domain Controller upon receiving TCP reset.

CSCvb28695

Request to enhance concurrent handling for DC Availability Updates.

CSCvb43705

During MS-CHAPv2 session resume, user authentication is successful even when the user account is locked.

CSCvb45428

In ISE 2.1, internal server error occurs while accessing Visibility Context.

CSCvb83673

SCCM 5.x version product check fails.

CSCuw95152

While providing account details to the known guests, if the Copy me check box is unchecked, it caches the email address of the previous sponsor.

CSCux82480

The System Health - Check NTP test fails occasionally in ISE 2.0.

CSCva28741

Errors in German translations for the guest work flows.

CSCva73969

ISE must validate HTTP host before redirection.

CSCus09640

ISE 1.3, 1.4 or 2.0 on Win 8.1 device with Plus license (without Apex license) does not allow posture update.

CSCuy24899

Enhancement request to decrease the minimum value for LastAUPAcceptance check.

CSCuz97727

RADIUS authorization profiles do not support internal user attributes for DACL name.

CSCva93463

Enhancement request to add MariaDB JConnector MySQL driver.

CSCvb03953

Ability to provide regular audit report for admin privilege needs to be added in ISE.

New Features and Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 1

New Features and Resolved Issues:

  • Addition of CoA Reauthenticate in CoA Type of Hotspot Portal
  • Posture Patch Management Enhancements
  • Important Note After you Install Cisco ISE 2.1 Patch 1
  • Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 1

Addition of CoA Reauthenticate in CoA Type of Hotspot Portal

CoA Reauthenticate is added in CoA Type of Hotspot Portal and you can configure CoA Type in Hotspot portal by choosing CoA Terminate or CoA Reauthenticate options.

If you choose CoA Terminate, no VLAN is required for configuration of Hotspot Portal and VLAN DHCP Release Page Settings option is disabled. If you choose CoA Reauthenticate, you can configure VLAN.

Note We recommend that you configure hotspot using CoA Reauthenticate option (selected by default) to avoid experiencing delay in getting connected to the guest network. CoA Terminate starts a new network session, which causes the client to go through the DHCP process again. Some wireless clients may not reconnect automatically to the ISE guest network, which forces guests to manually connect to the network.

Posture Patch Management Enhancements

Support for severity levels is added to the Posture Patch Management Condition and Patch Management Remediation.

The following are the newly added severity levels:

  • Critical only
  • Important & critical
  • Moderate, Important & critical
  • All - low to critical

You can check if the patches with selected severity levels are up to date from Posture Patch Management Condition. The Check patches installed drop-down with the severity levels is enabled in Patch Management Condition only when the Check Type is chosen as Up to Date.

You can check and install missing patches with selected severity levels from Posture Patch Management Remediation. The Check patches installed drop-down with the severity levels in Patch Management Remediation is enabled only when the Remediation Option is chosen as Install missing patches.

This Severity Level enhancement is applicable only for clients that have AnyConnect 4.3 or later versions. If you have not configured the severity level in posture patch management condition in ISE and a client with AnyConnect 4.3 or later connects to the ISE server, AnyConnect defaults to Critical only support.

Note Windows compliance module 3.6.10611.2 is required for this update.

Important Note After you Install Cisco ISE 2.1 Patch 1

If you are not using the TrustSec features, we recommend that you disable the statistics collection. To stop the statistics collection in the Cisco ISE GUI, navigate to Work Centers > TrustSec > Overview > Dashboard and click the Stop icon above the dashlets.

Note If you see the statistics already in stop status in TrustSec dashboard, we still recommend you to start and stop the statistics.

Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 1

Table 13 lists the issues that are resolved in Cisco Identity Services Engine, Release 2.1 cumulative patch 1. To obtain the patch file necessary to apply the patch to Cisco ISE, Release 2.1, log in to the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine.

Patch 1 might not work with older versions of SPW. MAC users need to upgrade their SPW to MacOsXSPWizard 2.1.0.40 or later and Windows users need to upgrade their SPW to WinSPWizard 2.1.0.51 or later.

Then refer to the “Installing a Software Patch” section of the “Administering Cisco ISE” chapter of the Cisco Identity Services Engine Administrator Guide, Release 2.1, for instructions on how to apply the patch to your system.

Table 13 Cisco ISE Patch Version 2.1.0.474-Patch 1 Resolved Caveats

Description

CSCuz44971

Inconsistent Endpoint inactivity timer causes purge issues in Cisco ISE 1.3.

CSCuz76370

Determination of Endpoint owner is dependent on Oracle when purging the Endpoint.

CSCuz95165

Context directory fails to work after PAN promotion and Certificate unknown issue can be seen in the elasticsearch.log file.

CSCva01828

Cisco ISE Indexing Engine fails to start when upgrading from ISE 2.0/2.0.1 to 2.1.

CSCva14899

Cisco ISE does not support MAC version 10.12.

CSCva66532

After upgrading from Cisco ISE 2.0 to 2.1, MDM vendor data in the MDM server does not match actual vendor data in the database.

CSCva84867

Custom attributes containing caret(^) character are not supported in ISE and TACACS+ shell profiles with caret(^) character fail security validation.

CSCux47128

SAML Config XML is rejected due to unsupported tag (NetIQ Support).

CSCuy42911

SNMP MIB walk does not work consistently.

CSCuz42662

PxGrid services are stuck in initializing state.

CSCuz51077

Guest Credentials sent via email on Apple iOS and macOS are not readable.

CSCuz52493

Evaluation of positron for OpenSSL May 2016.

CSCuz53423

Performance degradation observed for different protocols in AD.

CSCuz56208

ISE application server crashed when a pre upgrade configured secure syslog server is enabled after upgrade.

CSCuz69655

In Cisco ISE 2.1, Boolean endpoint custom attribute is not evaluated correctly.

CSCuz74505

SXP ClassCastException stack trace is shown when adding static SXP mappings into Cisco ISE.

CSCuz80362

After upgrading from ISE 2.0, IdP cannot be added without the meta data.

CSCuz81660

Unable to retrieve groups from LDAP when using custom schema and Group Name attribute is set to “cn”

CSCuz83559

Endpoint purge does not work in distributed deployment with base license.

CSCuz85663

In ISE server with a dedicated SXPN, SXP mappings are not sent to SXP table when PSN is enabled on the PAN.

CSCva04654

Restore or upgrade of ISE 2.0 to 2.1 removes Default DenyShell Profile.

CSCva05058

Cisco ISE 2.1 has issues with ERS Endpoint custom attribute update and SDK.

CSCva15475

ISE does not populate SGT for ACI EPG if default SGT value is used in the security groups.

CSCva35555

When the description for internal user is longer than 255 characters, “Commit transaction failed” error occurs in ISE 2.1 and upgrade to ISE 2.1 fails for ISE version 2.0 or earlier.

CSCva39593

MnT nodes trigger high load average alarm due to continuous TrustSec query.

CSCva56869

EPS Unquarantine from UI does not work in ISE 2.1.

CSCva57479

Null certificate chain issue is seen in Context Visibility after upgrading to ISE 2.1.

CSCva76776

ISE MnT live logs, filtering and detailed reports are slow when the incoming data rate is high on the MnT node.

CSCva94171

When proxy server is configured and there is no network connectivity, ISE 2.1 GUI automatic posture updates settings take a long time and save operation fails.

CSCuz77291

ISE does not support dash or colon in the tag name in the SGT (for APIC).

CSCut93791

Issues with Admin-Reset CoA type. Enhancement request to change the Hotspot CoA type from Admin-Reset to ReAuth.

CSCuy60352

ISE provides severity levels support on Posture patch management conditions.

CSCuz09501

Unable to set passwords while importing guest users.

Cisco ISE, Release 2.1 Open Caveats

The following table lists the caveats that are open in Release 2.1.

Table 14 Cisco ISE Release 2.1 Open Caveats

Description

CSCuz23657

The SPW.log file is located in the Settings > USB & Storage > Explore > Downloads folder in the Google Nexus Phone Version 5 and later.

CSCuz19359

While navigating through the Context Visibility pages, sometimes 'Server Undefined Error' is seen on the GUI.

Workaround Reload the page.

CSCuz32537

404 error is displayed if Logout Options are not included in the SAML metadata.

CSCuz39101

After installing Elliptical Curve Cryptography (ECC) certificate type P-192, Android 6.0.1 device crashes and restarts.

Workaround Install May 2016 Android Security Patch on your device or change the ECC curve type to any other curve type (other than P-192) in the Certificate Templates page

CSCuz42652

After 2.0P2 upgrade Meraki MDM custom portal is not working.

Workaround Copy existing portal and update the policy results on this portal or create a new portal and update the policy results.

CSCuz42662

PxGrid services are stuck in initializing state.

Workaround Go to /opt/xgrid/install. If there are multiple zip files, remove xcp-1.3-iteration-1.20.zip file and *.bin file.

Go to /opt/xgrid/gc. If there are multiple tar.gz files, remove pxgrid-controller-1.0.2-*.tar.gz file.

Run the following commands:

/opt/xgrid/xgridinstallhelper.sh deloyxcp

/opt/xgrid/xgridinstallhelper.sh deploygc

/opt/xgrid/xgridinstallhelper.sh installxgrid

Patch 1

CSCuz51077

Guest credentials sent in email are displayed in foreign language when viewed on iPad device.

Workaround Use non iPad devices to view the Guest user credentials.

Patch 1

CSCuz54073

After ISE restart, authentication policy is changed to 'all_Users_ID_Store'

Workaround This issue is seen only on the GUI; the authentication policy is working properly in the backend.

CSCuz54688

AnyConnect posture module does not retain USB check conditions.

Workaround Remove the endpoint from the controller and re-authenticate to start a new session or wait for the session to timeout on controller.

CSCuz55579

After adding NAD to Fully Deployed matrix, Work flow status bar is not showing any data.

Workaround Refresh the page or logout and login again.

CSCuz56208

ISE application server crashed when a pre upgrade configured secure syslog server is enabled after upgrade.

Workaround Enable the secure syslog server before upgrade.

Patch 1

CSCuz57874

Guest password policy defaults to 4 numeric characters.

Workaround You can manually configure a complex password policy.

CSCuz60238

On Safari 9.x browser, Sponsor portal flow via IdP gets stuck after redirection from IdP.

Workaround Use a different browser.

CSCuz63141

After upgrade to 2.1, system summary shows high authentication latency on MnT node.

Workaround

CSCuz80362

After upgrading from ISE 2.0, IdP cannot be added without the metadata.

Workaround Import the metadata of IdP into ISE and then add the IdP.

Patch 1

CSCuz81660

Unable to retrieve groups from LDAP when using custom schema and Group Name attribute is set to “cn”

Workaround Change the Group Name attribute to “dn”

Patch 1

CSCuy08706

Configuration change notification post deployment upgrade is not refreshed.

CSCuy81577

Certificate hierarchy is not loading in Firefox browser.

Workaround Use a different browser.

Patch 2

CSCuz23479

Upgrade UI is reading Version/Patch mismatch and blocking GUI upgrade.

Workaround Apply the same patches on all nodes.

CSCuz50937

Authentications fail for devices using legacy ciphers after upgrading to 2.1.

Workaround Choose Policy > Results > Allowed protocols and enable the Allow weak ciphers for EAP option.

CSCuz55875

BYOD fails on Mac 10.10.5 with MDM profile.

Workaround Perform the BYOD flow on a Mac 10.10.5 device that does not have the MDM profile configured.

CSCuz59045

When status of an internal user is changed from enabled to disabled using Change Status option, it fails with exception.

Workaround Select the user, click Edit, and then change to Disable status.

CSCuz59219

When a new node is registered to the existing deployment, Certificate Replication Failed alarm is triggered.

CSCuz63011

Drill-down options should not be displayed on the Home page dashboard for a node with secondary Admin role and primary Monitoring role, because Context Visibility menu is not available for this deployment.

CSCuz69267

The Monitoring node upgrade fails with a failed-reverted state. If you try to upgrade the node again, you will see the following error message:

Cancelling upgrade as Monitoring persona could not be enabled on old Primary PAN.

Workaround Disable the Monitoring persona from the Primary Administration Node in the old deployment and proceed with upgrading the last Monitoring node followed by the Primary Administration Node from the GUI.

CSCuz77106

If the primary admin node (PAN) upgrade fails, the node persona is lost and is moved to Standalone mode. In this case you cannot do the upgrade using UI.

Workaround You can upgrade the PAN using CLI and re-join the node to new deployment if it fails to join automatically.

CSCuy27978

Chromebook: Multiple certificates are created for a single user.

Workaround Ensure that certificate attribute values defined in the Google Admin Console matches the installed certificate template attributes.

CSCuy27971

Chromebook: Occasionally fails to connect automatically after certificate installation.

Workaround The Chromebook device user can manually connect to the configured SSID.

CSCuv35246

Node is upgraded and added to the new deployment, but it is stuck and shows the following message: ISE Node not upgraded (Version Mismatch).

Workaround Power cycle the affected node.

CSCuz74505

When adding static SXP mappings to ISE, ise-psc log shows ClassCastExceptions warnings and the mappings are not added to the SXP table. This happens only when both Passive Identity and SXP service are enabled on the same node.

Workaround SXP service must be enabled on a dedicated node.

Patch 1

CSCva18665

Limited by the current Google Chrome OS design, EAP-TLS WiFi settings are not available system-wide on a Chromebook and a user must log on to the Google account to receive the WiFi settings.

CSCva44235

When upgrading to ISE2.1 (CLI or GUI), upgrade fails with following error: “% Error: Need at least 11GB free disk space before the upgrade can continue”.

Workaround Re-image to ISE 2.1 and restore backup from ISE 2.0.

CSCuz95165

Context directory fails to work after PAN promotion and Certificate unknown issue can be seen in the elasticsearch.log file.

Patch 1

CSCva57479

Null certificate chain issue is seen in Context Visibility page after upgrading to ISE 2.1. Similar issue may occur while adding an endpoint or while navigating to Administration > Identities.

Patch 1

CSCva56322

In ISE 2.1, an internal error occurs when accessing Workcenters > Identities.

Workaround Generate admin persona certificates for all ISE nodes in the deployment with their IP as a SAN field.

CSCva01828

Cisco ISE Indexing Engine fails to start when upgrading from ISE 2.0/2.0.1 to ISE 2.1 in distributed deployment.

Workaround Contact TAC to have the duplicate entries removed, as the indexing engine does not start due to duplicate host entries in the /etc/hosts file.

Patch 1

CSCuz49154

When you upgrade Cisco ISE from GUI, old deployment shows PSN is upgraded 80% while the new deployment upgrade page displays “Active” status, though PSN is still getting upgraded.

CSCux07023

When upgrading ISE from 1.4 to ISE 2.0 with trust certificates containing large size serial numbers, upgrade process fails with an error.

CSCva13610

Enrollment over Secure Transport (EST) services do not run on ISE 2.1 even when CA is enabled.

CSCva96507

ISE 2.0.1 upgrade to 2.1 fails on SNS-3415 appliance due to anaconda exception.

CSCvb75125

After upgrading from ISE 2.0 to ISE 2.1 and enabling AD profiling probe in GUI, operation success message is displayed. However, AD probe field remains unchecked after navigating to another tab and returning to the previous page.

CSCvc40084

After upgrading from ISE 1.3 to ISE 2.1, blank page is seen (Home page is not displayed). This issue occurs if custom RBAC policies and custom created Admin groups are present in ISE configuration before upgrade.

Workaround

  • Roll back to ISE 1.3
  • Delete all the custom created RBAC policies and custom created Admin groups
  • Upgrade to ISE 2.1

CSCve55308

Multihoming (enabling both wired and wireless) must not be used with posture.

Workaround Choose one of the following options:

  • Enable only one interface
  • Disable PRA, when both interfaces are enabled
  • Enable posture lease, if both interfaces must be enabled

CSCve89369

You can create advanced filter and save it for the current sessions. The filter is lost once you log out and start a new session on the browser.

Workaround Save cookies in the browser and modify the expiration date.

CSCvd38467

When iPhone is upgraded to 10.3.x, EAPTLS flow doesn’t work as per expected behavior. Profile installation fails and displays the following error message:

Profile Installation Failed

The server certificate for “https://<ISE-FQDN-or-IP>:<ISE-web-portal-port>/auth/OTAMobileConfig?..”

Workaround If ISE root certificate shows untrusted certificate, on Apple iDevices, go to General > About > Certificate Trust Settings and manually set trust in the ISE root certificate.

Note This only happens when you run unknown trusted certificates. It is recommended to deploy well known certificates to your PSNs to prevent installation failure.

Resolved Caveats

Table 15 Cisco ISE, Release 2.1, Resolved Caveats

Description

CSCuw41269

HTTP sessions are not redirected (dropped by iPEP) when PSN01 is down or PSN02 response is slow.

CSCuu18570

Getting an error while trying to edit an authorization profile with dynamic attributes.

CSCuv79263

ISE 1.4 Profiler does not process netflow probes.

CSCuw93790

ISE 2.0 WinSPW does not support Aruba 3600 redirect request.

CSCux41070

Allow Guest to Bypass the Guest Portal option is not working properly.

CSCux68828

ISE 2.0 blank screen after GUI login.

CSCux71816

Incorrect authentication reporting when logging suppression is enabled.

CSCux82848

Coredumps on MnT Collector observed while running BYOD onboarding.

CSCuy13524

Upgrade to ISE 2.0 fails if default compound conditions are missing or renamed.

CSCuy18234

Adding TACACS device to ISE 2.0 fails if % character is used.

CSCuy27494

Post BYOD issues with Proxy Auto-Config file URL on Windows 10.

CSCuy46406

Authentication policy is missing after restart if Radius:Username condition is used.

CSCuy72189

Apple iphone is profiled as unknown.

CSCuz25672

Insufficient space in new root partition in ISE 2.0.1.

CSCtz07197

ISE is not SEC-TLS-CURR compliant.

CSCue78265

Log Collection error in Mnt-collector.out.

CSCuh80199

Configuration Changed alarm triggered when Admin logs in.

CSCul82600

ISE custom attribute could not be deleted.

CSCuq63521

RevisedOUI.csv not restored from CFG backup.

CSCur14757

Active endpoints distribution data is incorrect.

CSCus85695

Undo Latest option in Profiler Feed Service does not rollback MAC OUI CSV.

CSCut51088

ISE 1.2.1 patch 1: Application services restart after Out of Memory error.

CSCut63214

Custom field cannot be deleted from guest access settings even if the custom field has a null value.

CSCuv23151

After client provisioning, MAC OSX certificate subject includes only the CN field.

CSCuv32485

Endpoint purge value should not be modified in guest pages.

CSCuv73308

ISE 1.3/1.4 REST API not returning child identity groups

CSCuv91265

PSN node cannot send logs about successful authentication to MNT node if multiple rules are evaluated during authentication and authorization.

CSCuw12965

RBAC policy not getting replicated in distributed ISE setup.

CSCuw29841

ISE 1.4 login to sponsor/guest portal fails if < and > characters are used in the password.

CSCuw32187

ISE 1.4 TCP syslog is truncated, if Radius String type attribute is empty.

CSCuw35766

Plus license is being consumed even if static group assignment is set

CSCuw39793

Database Priming Failed error is returned for application reset-config ise CLI command.

CSCuw40417

Export to NFS repository fails when multiple reports are exported in succession.

CSCuw55331

High CPU usage when accessing guest portal if $ symbol is included in custom AUP.

CSCuw58535

Sponsor summary email is incorrectly labeled.

CSCuw85362

ISE could not add instructional text in sponsor account manage page.

CSCuw98952

ISE cannot map dynamic attributes from AD if period(.) character is used in the join point.

CSCuw99962

ISE 1.3 cannot configure authentication success URL with numerical value.

CSCux08913

TACACS authorization entries are not included in TACACS live log when more than 100 custom attributes are used.

CSCux09644

Renaming an authorization rule under Device Admin Default Policy Set changes default authorization rule to the renamed authorization rule.

CSCux18729

ISE 1.4: Guest Account time period is automatically changed when guest account is edited.

CSCux20246

Enable Portal Customization with HTML and JavaScript setting not saved.

CSCux22668

ERS GET on internaluser with id=1 exposes superuser.

CSCux36620

COA command update-cts-policies fails if SGACL is modified before it is pushed to the NAD.

CSCux39753

Posture remediation: Using the pipe character (|) in the program parameters results in a java exception.

CSCux39763

ISE Posture cannot execute two instances of same installation path and program name combinations.

CSCux44143

ISE 2.0 Posture updates not going through proxy.

CSCux44311

ISE RADIUS Live Log not working after IP change on standalone setup.

CSCux48635

BYOD endpoints stuck in Pending if more than 2 endpoints are provisioned within 20 minutes.

CSCux51819

Expiration Date column in the Trusted Certificates page cannot be sorted based on the expiration date.

CSCux53995

ISE 1.4: Cannot select multi-choice as data type for custom field via Firefox.

CSCux54017

Guest API allows account creation with guest portal IDs.

CSCux58014

Secondary ISE node does not give read access to sponsor when primary node is down.

CSCux66349

ISE 1.3: SMS message body needs to be unicode rather than ASCII encoded.

CSCux67000

ISE XML policy export does not recognize OR relationship.

CSCux74242

Policy sets using NAD profile attribute are not used sometimes; instead default authentication rule is used.

CSCux76143

RBAC policy cannot be disabled.

CSCux81127

ISE2.0: Time based authorization rule is not evaluated if time crosses 12:00 AM.

CSCux84140

ISE 2.0: When uploading Cisco Provided Packages via local disk, the administrator is unable to verify the hash values to the files on cisco.com as the hash algorithms are not the same.

CSCux95991

ISE 1.3: Profile policy ending with '-' shows invalid syntax in GUI.

CSCux99022

Internal error or resource not found error is displayed if Enter button is used for the input-required tabs in the Sponsor portal.

CSCux99221

BYOD followed by CWA with Automatic Device Registration enabled fails.

CSCuy06080

Invalid FQDN error is displayed if a hyphen is used in the sponsor portal FQDN.

CSCuy07004

Live log and ISE very slow after upgrade from 1.3 to 2.0.

CSCuy11635

Node sync is failing due to lack of reference on the IP tables.

CSCuy27607

Sponsor portal not accessible after guest group rename.

CSCuy35716

ISE 1.3, 1.4 and 2.0 cannot generate CSRs that have multiple Organizational Unit (OU) fields.

CSCuy36208

ISE 2.0 cannot use two consecutive hyphens in LDAP group.

CSCuy46081

ISE 1.4 patch 4 does not allow user UPN with apostrophe to view devices in My Devices portal.

CSCuy46307

Unable to create SFTP backup via ISE 2.0 GUI using vShell SFTP server.

CSCuy46322

Default Deny Access option present in ACS is missing in ISE TACACS feature.

CSCuy68000

ISE 2.0 should not update the session cache with the attributes returned in the dACL request for the same session.

CSCuy78320

ISE 1.3 AD authentication failed if CN is longer than 20 characters.

CSCuy96184

SMS gateway provider FQDN cannot contain numbers.

CSCuy99383

ISE attempts the 3-way handshake only once per email.

CSCuz05113

When adding regular expressions to a match condition the validation prevents saving changes.

CSCuz28550

ISE internal administrator summary report shows 'No data available'

CSCuz42229

ISE 2.0 custom NAD template CoA not sending NAS-Port-Id from session.

CSCux70535

Policyconfig.xml has incomplete TACACS+ names in results.

CSCuy29953

Width of the Name field in the Network Access Users page and admin user listing page is too small.

CSCus05072

ISE 1.3 Guest type is missing the fromfirstlogin option that was present in ISE 1.2 time profile.

CSCus07618

ISE 1.3 SMS gateway not using Proxy

CSCuv69149

ISE 1.4 Guest password policy issue

CSCuw34150

Add reference to supported crypto_key types in ISE CLI Reference Guide.

CSCuw47686

Support of custom port for NMAP Scan action.

CSCuw87241

Migration support for internal users password type to external ID store.

CSCux04189

Loss of AD connections after direct upgrade to ISE 2.0.

Documentation Updates

Table 16 Updates to Release Notes for Cisco Identity Services Engine, Release 2.1

Description

06/09/2017

Added and updated Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 5 section.

10/26/2017

Added and updated Resolved Issues in Cisco ISE Version 2.1.0.474—Cumulative Patch 8 section.

Related Documentation

Release-Specific Document

General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.

Table 17 Product Documentation for Cisco Identity Services Engine

Location

Release Notes for the Cisco Identity Services Engine, Release 2.1

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-release-notes-list.html

Cisco Identity Services Engine Admin Guide, Release 2.1

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-installation-and-configuration-guides-list.html

Cisco Identity Services Engine Hardware Installation Guide, Release 2.1

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-installation-guides-list.html

Cisco Identity Services Engine Upgrade Guide, Release 2.1

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-installation-guides-list.html

Cisco Identity Services Engine, Release 2.1 Migration Tool Guide

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-installation-guides-list.html

Cisco Identity Services Engine Sponsor Portal User Guide, Release 2.1

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-user-guide-list.html

Cisco Identity Services Engine CLI Reference Guide, Release 2.1

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-command-reference-list.html

Cisco Identity Services Engine API Reference Guide, Release 2.1

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-command-reference-list.html

Active Directory Integration with Cisco ISE

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-installation-and-configuration-guides-list.html

Cisco ISE In-Box Documentation and China RoHS Pointer Card

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-documentation-roadmaps-list.html

Network Access Device Profiles with Cisco Identity Services Engine

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-105-Network_Access_Device_Profiles_with_Cisco_ISE.pdf

Cisco Identity Services Engine Ordering Guide is available at http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Platform-Specific Documents

Links to other platform-specific documentation are available at the following locations:

  • Cisco ISE
    http://www.cisco.com/c/en/us/support/security/identity-services-engine/tsd-products-support-series-home.html
  • Cisco UCS C-Series Servers
    http://www.cisco.com/en/US/docs/unified_computing/ucs/overview/guide/UCS_rack_roadmap.html
  • Cisco Secure ACS
    http://www.cisco.com/c/en/us/support/security/secure-access-control-system/tsd-products-support-series-home.html
  • Cisco NAC Appliance
    http://www.cisco.com/c/en/us/support/security/nac-appliance-clean-access/tsd-products-support-series-home.html
  • Cisco NAC Profiler
    http://www.cisco.com/c/en/us/support/security/nac-profiler/tsd-products-support-series-home.html
  • Cisco NAC Guest Server
    http://www.cisco.com/c/en/us/support/security/nac-guest-server/tsd-products-support-series-home.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.1.

This document is to be used in conjunction with the documents listed in the “Related Documentation” section.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
