Ask the Experts: ISE Upgrade
Date: December 8, 2023
Disclaimer
This document is Cisco Confidential information provided for your internal business use in connection with the Cisco Services purchased by you or your authorized reseller on your behalf. This document contains guidance based on Cisco's recommended practices.
You remain responsible for determining whether to employ this guidance, whether it fits your network design, business needs, and whether the guidance complies with laws, including any regulatory, security, or privacy requirements applicable to your business.
Today's Topics
- Reasons to Upgrade
- Planning and Preparation
- Upgrade Execution
- Post-Upgrade Tasks
Reasons to Upgrade
This section details the benefits and motivations for upgrading Cisco ISE.
ISE 3.2 Release Highlights (Cisco Recommended - Golden Star Release)
- Microsoft Azure Cloud ISE
- Oracle Cloud (OCI) ISE
- ERS API Patch Request
- Internal User Password Expiration
- Azure AD with EAP-TLS and TEAP Authentication
- AnyConnect Rebranding
- ERS API Open API Specification
- ZTP - Security Update
- Light Mode/Dark Mode for Cisco ISE
- Posture Condition Script Support
- Minimal Deployment for Small-Scale Virtual Machines
- Data Connect
- GUID Entries per CV Endpoint
- MDM Enhancement
- PassiveID User Approval Policy
- Log Analysis
The document also displays a dashboard with metrics such as Total Endpoints, Authentications, and Alarms, along with a breakdown of endpoint types and locations.
ISE Release Cycle (Before ISE 2.7)
Short-Term Releases (2-Year, Odd Versions)
This section illustrates the lifecycle of short-term ISE releases, indicating release dates, End-of-Life (EOL) notifications, and end-of-support timelines.
Long-Term Releases (4-Year, Even Versions)
This section illustrates the lifecycle of long-term ISE releases, indicating release dates, End-of-Life (EOL) notifications, and end-of-support timelines.
All EOL and EOS information can be found on cisco.com. You can also register for automatic notifications.
EOL/EOS Information [English]
ISE Release Cycle - New Model
Starting with ISE 2.7, short-term and long-term releases are discontinued. A new release cycle is applied.
- ISE 2.7 includes an additional 6-month maintenance period.
- The goal is better stability and performance, based on what has been learned from customer deployments.
- Applies to all versions from 2.7 onwards.
- Versions from 2.7 onwards comply with a standardized lifecycle.
- It is recommended to always check the recommended software version.
For details on the ISE lifecycle, click the following link [English]:
[Link to ISE Lifecycle Details]
End-of-Life/EOS Announcements
This section provides announcements regarding End-of-Life (EOL) and End-of-Sale (EOS) for various ISE versions, including dates for software maintenance, software maintenance end, and support end.
- Version 2.6: EOL/EOS dates provided.
- Version 2.7: EOL/EOS dates provided.
- Version 3.0: EOL/EOS dates provided.
- Version 3.1: EOL/EOS dates provided.
- Version 3.2: Recommended Release.
- Version 3.3: Latest Release.
Key milestones include Software Maintenance, Software Maintenance End, and Support End.
Find more information at: cs.co/ise-software
Planning and Preparation
- Compatibility Check and Upgrade Path
- Pre-Upgrade Activities
- Upgrade Preparation Tool
- Maintenance Window
ISE 3.x Supported Platforms
This table details the hardware platforms supported by ISE 3.x, including appliance models, session capacities, processors, memory, disk, RAID, and network interfaces.
Appliance | Standalone Sessions | PSN Sessions | Processor | Cores | Memory | Disks | RAID | Network Interfaces |
---|---|---|---|---|---|---|---|---|
SNS-3615 | 10,000 | 10,000 | 1 x Intel Xeon 4110, 2.10 GHz | 8 | 32 GB (2 x 16 GB) | 1 x 600 GB | None | 2 x 10GBASE-T, 4 x 1GBASE-T |
SNS-3655 | 25,000 | 50,000 | 1 x Intel Xeon 4116, 2.10 GHz | 12 | 96 GB (6 x 16 GB) | 4 x 600 GB | RAID 10 | 2 x 10GBASE-T, 4 x 1GBASE-T |
SNS-3695 | 50,000 | 100,000 | 1 x Intel Xeon 4116, 2.10 GHz | 12 | 256 GB (8 x 32 GB) | 8 x 600 GB | RAID 10 | 2 x 10GBASE-T, 4 x 1GBASE-T |
SNS-3515 | 7,500 | 7,500 | 1 x Intel Xeon E5-2620, 2.40 GHz | 6 | 16 GB (2 x 8 GB) | 1 x 600 GB | None | 6 x 1GBASE-T |
SNS-3595 | 20,000 | 40,000 | 1 x Intel Xeon E5-2640, 2.60 GHz | 8 | 64 GB (4 x 16 GB) | 4 x 600 GB | RAID 10 | 6 x 1GBASE-T |
SNS-3715 | 25,000 | 50,000 | 1 x Intel Xeon 4310, 2.10 GHz | 12 | 32 GB (2 x 16 GB) | 1 x 600 GB | None | 2 x 10GBASE-T, 4 x 10 GE SFP |
SNS-3755 | 50,000 | 100,000 | 1 x Intel Xeon 4316, 2.30 GHz | 20 | 96 GB (6 x 16 GB) | 4 x 600 GB | RAID 10 | 2 x 10GBASE-T, 4 x 10 GE SFP |
SNS-3795 | 50,000 | 100,000 | 1 x Intel Xeon 4316, 2.30 GHz | 20 | 256 GB (8 x 32 GB) | 8 x 600 GB | RAID 10 | 2 x 10GBASE-T, 4 x 10 GE SFP |
*SNS-3515 is no longer supported from ISE 3.1 onwards.
*Virtual appliances require VMware ESXi 6.5 or later.
Native Deployment in Public Cloud
- AWS: aws.amazon.com/free
- Azure: azure.microsoft.com/en-us/free
- Oracle Cloud: www.oracle.com/cloud/free
Default Username Change
From 3.2 onwards, the default username for all cloud deployments is: iseadmin
ZTP (Zero Touch Provisioning)
Password change is required upon the first login to the GUI.
Secure Console Connection
SSH access to cloud-hosted ISE instances requires key-based authentication.
Compatibility Check
Supported Hardware
- Cisco SNS-3595-K9 (Large) EOL
- Cisco SNS-3615-K9 (Small)
- Cisco SNS-3655-K9 (Medium)
- Cisco SNS-3695-K9 (Large)
- Cisco ISE-VM-K9**
Supported Virtual Environments
- VMware Cloud on AWS and Azure VMware Solution
- VMware ESXi 6.5 or later; KVM on RHEL 8.4
- Microsoft Hyper-V on Windows Server 2012 R2 and later
Microsoft Active Directory Support
- 2012, 2012 R2
- 2016
- 2019
Cisco DNA Center Compatibility
- Cisco DNA Center 2.2.3.4 onwards supports ISE 3.2+
- Cisco DNA Center 2.3.3.7 onwards supports ISE 3.2+
**Verify that the virtual machine meets the ISE installation requirements.
Check the ISE Release Notes on cisco.com for the latest compatibility guidance.
ISE Licensing Model - Features
2.x Model
- Base (Network Onboarding): AAA and 802.1X, Guest (Hotspot, Self-registration, Sponsor approval), TrustSec (Group-based policy), Easy Connect (Passive ID)
- Plus (Context): Profiling, BYOD (+CA, +MDP), Context Sharing (pxGrid In/Out), Rapid Threat Containment (Adaptive Network Control)
- Apex (Compliance): Posture, Mobile Device Management Compliance, Threat-centric NAC (TC-NAC)
3.x Model
- Premier (Advantage + Posture & Compliance): Posture, MDM Compliance, TC-NAC
- Advantage (Essentials + Context & Cloud): Profiling, BYOD (+CA, +MDP), Context Sharing (pxGrid In/Out), TrustSec (Group-based policy visualization and enforcement), Rapid Threat Containment (Adaptive Network Control)
- Essentials (User Visibility & Enforcement): AAA and 802.1X, Guest (Hotspot, Self-registration, Sponsor approval), Easy Connect (Passive ID)
Migration from 2.x to 3.0 and Later
ISE Migration Guide
- PAK ➔ Smart Licensing
- Raise a Support Case
- Provide Conversion Specifics
- Allocate Licenses to Virtual Account
- Upgrade ISE Image
- Ready to use!
For details on ISE licensing, refer to the accelerator "ISE Smart Licensing".
Upgrade Path to ISE 3.2
- Two-step upgrade: releases earlier than 2.7 must first be upgraded to 2.7, 3.0 or 3.1, and from there to 3.2.
- Single-step upgrade: 2.7, 3.0 and 3.1 can be upgraded directly to 3.2.
- Target version: 3.2.
Upgrade: Pre-Upgrade Checklist (To-Do List)
Best Practices
Backup
- Configuration, Operational, Endpoints.csv
- Load Balancer
- Export Certificates and Private Keys
- Export Internal CA Certificates via CLI
Record Before Upgrading
- AD join credentials and token server (RSA) credentials
- MDM credentials
- Each PSN's profiler settings
Clean Up
- Remove Expired Certificates
- Clear Excessive Operational Data, Inactive Endpoints, and Guest Accounts
Important Points
- Before proceeding with this list, perform a software compatibility check for network devices using the ISE Compatibility Matrix.
- Disable automatic PAN failover.
- Disable scheduled backups.
- Configure the repository and download the latest URT and upgrade bundle.
Upgrade Readiness Tool (URT) - Download and Execute
This section describes the process of downloading and running the Upgrade Readiness Tool (URT).
- Supported ISE Versions: 2.7 ~ 3.0
- Execution: Standalone PAN or Secondary PAN
- URT Bundle: 45-day validity
- Pre-check Status: Disk, NTP, RAM, Certificates
- Copies the configuration database and runs the schema and data upgrade on the copy, leaving the live database untouched
- Success: Display of upgrade time
- Failure: Log Bundle, TAC
Important: Do not perform the following simultaneously while running URT:
- Backup or data restoration
Estimated Time for URT in Demo Upgrade
- Secondary PAN, 1 MnT, PSN: 74 minutes
- PSN (individual or tandem): 57 minutes
- Primary PAN, 2 MnT, PSN: 67 minutes
- URT estimated time: 198 minutes
- GUI estimated time: 660 minutes
Estimates are based on configuration and monitoring data only and do not account for network latency.
On-Demand ISE Health Check*
Verify Deployment Against Critical Errors
Verification Items:
- Platform Support
- Deployment Validation
- DNS Resolvability
- Trust Store Certificate Validation
- System Certificate Validation
- Disk Space
- NTP Reachability
- System Load Average
- MDM Validation
- License Validation
Download the verification results before upgrading. If critical errors are found, they can be corrected. This is an optional step and not a replacement for URT, but rather an additional check.
*Available for 2.6 and 2.7 with the latest patch.
Demo: Upgrade Preparation Tool and Health Check
Live demonstration of the Upgrade Readiness Tool (URT) and the on-demand health check.
Maintenance Window Scheduling
Adopt maintenance windows for updates and upgrades.
Notify users of the scheduled downtime in advance.
Minimizing Downtime
- Do not upgrade all PSNs at once.
- Schedule buffer time for contingencies.
Scheduling
Factors Affecting Upgrade Time:
- Number of Endpoints
- Number of Users and Guest Users
- Log Volume on Monitoring Nodes or Standalone Nodes
- Profiling Service (if enabled)
Estimation Method:
Deployment Type | Node Persona | Estimated Time |
---|---|---|
Standalone | Administration, Policy Service, Monitoring | 240 min per 15 GB of data + 60 min |
Distributed | Secondary Administration Node | 240 min |
Distributed | Policy Service Node | 180 min |
Distributed | Monitoring Node | 240 min per 15 GB of data + 60 min |
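The upgrade-path rule (two-step below 2.7, single step from 2.7/3.0/3.1) and the estimation table above are easy to get wrong by hand for a deployment with several PSN groups. The script below is an added example, not Cisco tooling: it encodes both rules and builds a split-upgrade window for a constructed deployment. The 30% contingency buffer, the default intermediate hop of 3.1 and the node names are assumptions.

```python
"""Upgrade-path selection and maintenance-window estimate for an ISE 3.2 upgrade.

Added example, not Cisco tooling. Path rules and per-persona times follow the
deck: two-step below 2.7, single step from 2.7/3.0/3.1; 240 min per 15 GB
+ 60 min for Monitoring/standalone, 240 min for a secondary Admin node,
180 min per PSN. Buffer and intermediate hop are assumptions noted inline.
"""
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, int]
TARGET: Version = (3, 2)
SINGLE_STEP_SOURCES = {(2, 7), (3, 0), (3, 1)}


def parse_version(ver: str) -> Version:
    """'2.6.0.156' -> (2, 6); patch and build numbers do not affect the path."""
    major, minor = ver.split(".")[:2]
    return int(major), int(minor)


def upgrade_path(current: str, intermediate: Version = (3, 1)) -> List[Version]:
    """Hops needed to reach 3.2. The default intermediate hop (3.1) is an
    assumption; the deck allows any of 2.7/3.0/3.1 as the first step."""
    cur = parse_version(current)
    if cur == TARGET:
        return []
    if cur in SINGLE_STEP_SOURCES:
        return [TARGET]
    if cur < (2, 7):
        if intermediate not in SINGLE_STEP_SOURCES:
            raise ValueError("intermediate hop must be 2.7, 3.0 or 3.1")
        return [intermediate, TARGET]
    raise ValueError(f"no documented path from {current} to 3.2")


@dataclass
class Node:
    name: str
    persona: str          # "standalone" | "secondary_pan" | "psn" | "mnt"
    data_gb: float = 0.0  # operational data size; only Monitoring/standalone use it


def estimate_minutes(node: Node) -> float:
    """Per-node estimate from the deck's table."""
    if node.persona in ("standalone", "mnt"):
        return 240.0 * (node.data_gb / 15.0) + 60.0
    if node.persona == "secondary_pan":
        return 240.0
    if node.persona == "psn":
        return 180.0
    raise ValueError(f"unknown persona {node.persona!r}")


def split_upgrade_window(steps: List[List[Node]], buffer_pct: int = 30):
    """Steps run one after another; nodes inside a step upgrade in parallel
    (a tandem/group PSN upgrade), so a step costs as long as its slowest node.
    buffer_pct (30% here) is an assumed contingency, not a Cisco figure.
    Returns (total minutes incl. buffer, [(node names, minutes), ...])."""
    detail = []
    base = 0.0
    for step in steps:
        minutes = max(estimate_minutes(n) for n in step)
        detail.append(([n.name for n in step], minutes))
        base += minutes
    return base * (100 + buffer_pct) / 100, detail


# Constructed deployment: 2 PANs, 2 MnTs (30 GB of data each), 4 PSNs in pairs.
# In a split upgrade the original primary PAN is upgraded last, after the
# promotion, i.e. as a secondary Admin node.
PAN2, PAN1 = Node("pan2", "secondary_pan"), Node("pan1", "secondary_pan")
MNT1, MNT2 = Node("mnt1", "mnt", 30), Node("mnt2", "mnt", 30)
PSNS = [Node(f"psn{i}", "psn") for i in range(1, 5)]
PLAN = [[PAN2], [MNT1], PSNS[:2], PSNS[2:], [MNT2], [PAN1]]

if __name__ == "__main__":
    print("path from 2.6:", upgrade_path("2.6.0.156"))
    total, detail = split_upgrade_window(PLAN)
    for names, minutes in detail:
        print(f"{'+'.join(names):<12} {minutes:6.0f} min")
    print(f"window incl. 30% buffer: {total:.0f} min ({total/60:.1f} h)")
```

For the constructed deployment the sequential steps sum to 1920 minutes before buffer, which is why the deck insists on buffer time and on not upgrading every PSN at once: a wider PSN group shortens the window but removes all of those PSNs from service at the same time.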
Upgrade Execution
This section details the process of executing the upgrade.
ISE Upgrade
- Deployment Type
- Upgrade Type and Process
- Upgrade Options
ISE Deployment Types
- Policy Administration Node (PAN)
- Monitoring and Troubleshooting Node (MnT)
- Policy Service Node (PSN)
- pxGrid Controller
Diagrams illustrate different deployment scenarios:
- Lab and Evaluation
- Small HA Deployment (PAN + MnT + PSN) x2
- Medium Distributed Deployment (PAN + MnT + PSN) x2, PSN x6 or less
- Large Distributed Deployment (PAN x2, MnT x2, PSN x50 or less, PXG x4 or less)
Types of Upgrades
Split Upgrade and Full Upgrade
Split Upgrade:
- Sequential process with multiple steps, upgrading the deployment while services are available.
- Takes longer than a full upgrade.
Full Upgrade:
- Two-step process, upgrading all nodes in parallel with service interruption.
- Takes less time than a split upgrade.
Upgrade Options - Split Upgrade
CLI, GUI, Backup/Restore
- CLI: Upgrade the secondary nodes first and the primary PAN last*. The upgrade bundle must be uploaded to every node manually.
- GUI: ISE automatically pushes the upgrade bundle to all nodes. Single-click upgrade is possible.
- Backup/Restore: Allows backing up the old version and restoring to the new version, minimizing downtime. Ideal for virtual environments.
*Refer to the Upgrade Guide for details.
Upgrade Options GUI - Split Upgrade
- Step 1: Single Click Upgrade
- Step 2: Customize PSN Upgrade Order
- Step 3: Tandem or Group PSN Upgrade
- Step 4: Promote Original PAN and MNT after Completion
- Step 5: Install Latest Patch
Upgrade Options CLI - Split Upgrade
- Step 1: Manual Process
- Step 2: Individually Upgrade Each Node
- Step 3: Copy Upgrade Image to Each Node (9 GB)
- Step 4: Prepare and Execute Upgrade
- Step 5: Monitor Each Node Individually
- Step 6: Install Latest Patch
Note: Recommended for troubleshooting only.
Upgrade Options Backup, Re-image (New Deployment), Restore - Split Upgrade
- Step 1: Backup Configuration Database
- Step 2: Install ISE 3.2 on new virtual machines or hardware, or re-image the existing nodes
- Step 3: Restore Backup
- Step 4: Add New Deployment Nodes
- Step 5: Install Latest Patch
Hybrid Approach - Split Upgrade
- Step 1: Deregister Secondary PAN from GUI or CLI
- Step 2: Re-image all other nodes in the deployment
- Step 3: Manually add all nodes to PAN and synchronize
- Step 4: Promote the original primary PAN
- Step 5: Re-image the upgraded single node
- Step 6: Add the re-imaged node to the deployment
- Step 7: Install the latest patch
Choosing the Best Option
Feature | Backup/Restore | GUI | CLI | Hybrid |
---|---|---|---|---|
Complexity | Medium | Easy | Complex (many manual operations) | Easy |
Appliance/VM console access | Required | Minimal (mainly for URT) | Required | Required |
Parallel upgrade of nodes | Yes | PSNs only | Limited | Yes |
Rollback | Not possible; requires re-imaging to the previous version | Limited | Yes | Limited |
Artifacts from the old version | None (clean re-image of the disk) | Retained (issues from the old installation can carry over) | Retained | None (clean re-image) |
Time | Medium | Short | Long | Medium |
Resources required | Many staff, additional VM resources | Few staff | Few staff | Many staff, temporary VM resources |
Risk of errors | Low | Low if best practices are followed | Higher if CLI skills are lacking | Low |
Demo: GUI - Split Upgrade
Live demonstration of the GUI-based split upgrade.
Full Upgrade
Pre-checks:
- Verify that the repository is configured for all nodes.
- Download the upgrade bundle and prepare for DB upgrade on all nodes.
- Ensure at least 25% free disk space on the PAN or standalone node and at least 1 GB on every other node.
- Verify that automatic PAN failover is disabled, as in the pre-upgrade checklist.
- Verify that scheduled backups are disabled.
- Verify that a configuration backup from within the last week exists.
Checklist:
- Repository Verification
- Bundle Download
- Memory Check
- PAN Failover Verification
- Scheduled Backup Check
- Configuration Backup Check
- Configuration Data Upgrade
- Platform Support Status Check
- Deployment Verification
- DNS Reachability
- Trust Store Certificate Validation
- System Certificate Validation
- Disk Space Check
- NTP Reachability and Time Source Verification
- Load Average Check
- License Validation
- Service or Process Failure
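Several of the pre-checks listed above (and the "remove expired certificates" item from the pre-upgrade checklist) can be evaluated from facts you already collect before the window. The script below is an added example, not Cisco's built-in full-upgrade checker, which runs inside ISE. The node records are constructed dictionaries standing in for what you would read from the disk, NTP, certificate and backup status of each node; thresholds are the deck's (25% free on PAN/standalone, 1 GB elsewhere, backup no older than a week, automatic PAN failover and scheduled backups disabled for the window). Requiring certificates to remain valid until the window closes, rather than just not expired now, is my addition.

```python
"""Offline evaluation of the full-upgrade pre-checks that can be scripted.

Added example, not Cisco's built-in checker. Node facts are constructed
dicts; thresholds follow the deck. Certificates must stay valid through the
end of the planned window (my assumption, stricter than "not expired").
"""
from datetime import datetime, timedelta, timezone

DISK_FREE_PAN_PCT = 25.0
DISK_FREE_OTHER_GB = 1.0
BACKUP_MAX_AGE = timedelta(days=7)
NOT_APPLICABLE = (True, "n/a for this persona")


def check_disk(node):
    free, total = node["disk_free_gb"], node["disk_total_gb"]
    if node["persona"] in ("pan", "standalone"):
        pct = 100.0 * free / total
        return pct >= DISK_FREE_PAN_PCT, f"{pct:.1f}% free, need {DISK_FREE_PAN_PCT:.0f}%"
    return free >= DISK_FREE_OTHER_GB, f"{free:.1f} GB free, need {DISK_FREE_OTHER_GB:.0f} GB"


def check_backup(node, now):
    # Backups are taken from the PAN (or a standalone node), so only check there.
    if node["persona"] not in ("pan", "standalone"):
        return NOT_APPLICABLE
    last = node.get("last_config_backup")
    if last is None:
        return False, "no configuration backup recorded"
    age = now - last
    return age <= BACKUP_MAX_AGE, f"last configuration backup {age.days} day(s) old"


def check_certs(node, window_end):
    # Flag anything that expires before the maintenance window closes.
    bad = [c["name"] for c in node["certs"] if c["not_after"] <= window_end]
    if bad:
        return False, "expired or expiring before window end: " + ", ".join(bad)
    return True, "all system certificates valid through the window"


def check_ntp(node):
    ok = node["ntp_synced"]
    return ok, "NTP synchronized" if ok else "NTP not synchronized"


def check_pan_failover(node):
    if node["persona"] != "pan":
        return NOT_APPLICABLE
    ok = not node["auto_failover"]
    return ok, "automatic PAN failover disabled" if ok else "automatic PAN failover still enabled"


def check_scheduled_backup(node):
    if node["persona"] not in ("pan", "standalone"):
        return NOT_APPLICABLE
    ok = not node["scheduled_backup"]
    return ok, "scheduled backups disabled" if ok else "scheduled backups still enabled"


def precheck(node, now, window_end):
    """Returns [(check name, passed, detail), ...] for one node."""
    return [
        ("disk_space", *check_disk(node)),
        ("config_backup", *check_backup(node, now)),
        ("system_certs", *check_certs(node, window_end)),
        ("ntp", *check_ntp(node)),
        ("pan_failover", *check_pan_failover(node)),
        ("scheduled_backup", *check_scheduled_backup(node)),
    ]


def failed_checks(node, now, window_end):
    return [name for name, ok, _ in precheck(node, now, window_end) if not ok]


# Constructed sample facts (not from a real deployment).
NOW = datetime(2023, 12, 8, 20, 0, tzinfo=timezone.utc)
WINDOW_END = NOW + timedelta(hours=12)
NODES = [
    {"name": "ise-pan1", "persona": "pan", "disk_total_gb": 600, "disk_free_gb": 210,
     "ntp_synced": True, "auto_failover": False, "scheduled_backup": False,
     "last_config_backup": NOW - timedelta(days=2),
     "certs": [{"name": "Admin", "not_after": NOW + timedelta(days=400)},
               {"name": "EAP Authentication", "not_after": NOW + timedelta(days=90)}]},
    {"name": "ise-psn1", "persona": "psn", "disk_total_gb": 600, "disk_free_gb": 0.6,
     "ntp_synced": True,
     "certs": [{"name": "EAP Authentication", "not_after": NOW + timedelta(hours=3)}]},
]

if __name__ == "__main__":
    for node in NODES:
        for name, ok, detail in precheck(node, NOW, WINDOW_END):
            print(f"{node['name']:<10} {name:<17} {'PASS' if ok else 'FAIL':<4} {detail}")
```

In the constructed data the PSN fails on disk space and on an EAP certificate that expires three hours into a twelve-hour window; both would otherwise surface only once the upgrade is already running, which is exactly the situation the pre-checks exist to avoid.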
Demo: Full Upgrade
Live demonstration of the full upgrade.
Post-Upgrade Tasks
Best Practices
- Run the on-demand health check to confirm basic deployment health.
- Clean up the files left by the previous upgrade: run application upgrade cleanup from the CLI (split upgrade only).
- Test and verify use cases and authentication.
- Reconfigure scheduled backups and take a manual backup.
- Re-enable automatic PAN failover (if it was configured) and the heartbeat between PANs.
Today's Recap
- Select the upgrade path and type (Split or Full).
- Prepare for system upgrade.
- Install the latest patch after upgrading.
- Perform post-upgrade tasks.
Resources
- Cisco ISE Useful Links Collection
- https://community.cisco.com/t5/-/-/ta-p/4527229
- Resource links from other ATX sessions are also listed there.
Continue the conversation in our ISE community.