topic Re: ISE upgrade from 1.3 to 2.1 in Network Access Control

ISE upgrade from 1.3 to 2.1

dot1x — Wed, 15 Nov 2017 23:14:54 GMT

Hi Champs!

A quick question: We are running ISE 1.3 and would like to upgrade.

Is there any stable version we could upgrade to?

I see we can directly update from 1.3 to 2.1, but not to 2.2.

Is it a good idea to update to 2.1?

We are running ISE in distributed environment with multiple nodes.

Thanks.

Re: ISE upgrade from 1.3 to 2.1

kthiruve — Thu, 16 Nov 2017 01:03:38 GMT

Hi Moin,

Please see the release notes for ISE 2.1 and 2.2 to see what version you can upgrade to.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/release_notes/ise21_rn.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/release_notes/ise22_rn.html

In general, it is recommended to upgrade to the latest patch.

Curious to know if there are there specific reasons why you want to upgrade?

Also good to know features and functionalities that you are using in ISE 1.3.

ISE 2.2 is a two step upgrade and Patch 4 is the latest.

For ISE 2.1, please see another thread related to the patches in the community forum.

https://communities.cisco.com/thread/84256?start=15&tstart=0

Thanks

Krishnan

Re: ISE upgrade from 1.3 to 2.1

dot1x — Thu, 16 Nov 2017 01:13:29 GMT

Krishnan Thiruvengadam wrote:

Hi Moin,

Please see the release notes for ISE 2.1 and 2.2 to see what version you can upgrade to.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/release_notes/ise21_rn.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/release_notes/ise22_rn.html

In general, it is recommended to upgrade to the latest patch.

Curious to know if there are there specific reasons why you want to upgrade?

Also good to know features and functionalities that you are using in ISE 1.3.

ISE 2.2 is a two step upgrade and Patch 4 is the latest.

For ISE 2.1, please see another thread related to the patches in the community forum.

https://communities.cisco.com/thread/84256?start=15&tstart=0

Thanks

Krishnan

Hi Krishnan,

Thanks for your response.

Curious to know if there are there specific reasons why you want to upgrade?

Customer requirement to update the software versions on ISE, WLC and Prime.

Also good to know features and functionalities that you are using in ISE 1.3.
We are using ISE for Wired/Wireless User Authentication/Authorization using External Identity Source (AD), Certificate based Authentication, VPN User Authentication etc.

Re: ISE upgrade from 1.3 to 2.1

hslai — Thu, 16 Nov 2017 22:41:39 GMT

For customer deployment still in ISE 1.x.x, our general recommendation is to upgrade it to ISE 2.2 latest patch (Patch 4 is the current latest) as Krishnan suggested.

Re: ISE upgrade from 1.3 to 2.1

dot1x — Thu, 16 Nov 2017 23:25:05 GMT

hslai wrote:

For customer deployment still in ISE 1.x.x, our general recommendation is to upgrade it to ISE 2.2 latest patch (Patch 4 is the current latest) as Krishnan suggested.

Would you suggest if the latest patch is stable version or would it be a good idea to upgrade to 2.1?

If upgrading to 2.2, we would have to update 1.3-->1.4-->2.2?

Re: ISE upgrade from 1.3 to 2.1

hslai — Thu, 16 Nov 2017 23:36:40 GMT

That would work but I would suggest 1.3 -> 1.3 latest patch -> 2.1 -> 2.1 latest patch-> 2.2 -> 2.2 latest patch.

It could be a time saving, in case of operational data not important, by

taking an ISE CFG backup of ISE 1.3 with latest patch,
restoring (1) to either a new ISE node or a de-registered ISE node from ISE 1.3 deployment and freshly installed with ISE 2.1 and applied the latest patch
upgrading (2) to ISE 2.2 and then applying the latest patch or taking a CFG backup of (2) and restoring it to a fresh installed ISE 2.2 latest patch.
using (3) as the primary ISE admin node and fresh installing all other nodes and joining them to the ISE 2.2 deployment.

If operational data is important to keep, then we will also need to take an OPS backup, to restore it to ISE 2.1 latest patch, and then to upgrade it to ISE 2.2.

Re: ISE upgrade from 1.3 to 2.1

dot1x — Wed, 22 Nov 2017 23:09:43 GMT

hslai wrote:

That would work but I would suggest 1.3 -> 1.3 latest patch -> 2.1 -> 2.1 latest patch-> 2.2 -> 2.2 latest patch.

It could be a time saving, in case of operational data not important, by

taking an ISE CFG backup of ISE 1.3 with latest patch,

restoring (1) to either a new ISE node or a de-registered ISE node from ISE 1.3 deployment and freshly installed with ISE 2.1 and applied the latest patch

upgrading (2) to ISE 2.2 and then applying the latest patch or taking a CFG backup of (2) and restoring it to a fresh installed ISE 2.2 latest patch.

using (3) as the primary ISE admin node and fresh installing all other nodes and joining them to the ISE 2.2 deployment.

If operational data is important to keep, then we will also need to take an OPS backup, to restore it to ISE 2.1 latest patch, and then to upgrade it to ISE 2.2.

1. taking an ISE CFG backup of ISE 1.3 with latest patch,

Taking config backup of only Primary Admin Node?

2. restoring (1) to either a new ISE node or a de-registered ISE node from ISE 1.3 deployment and freshly installed with ISE 2.1 and applied the latest patch

When we de-register Primary Admin Node, the Primary and Secondary PSNs would still be serving the client requests?

Re: ISE upgrade from 1.3 to 2.1

hslai — Sat, 25 Nov 2017 00:47:25 GMT

On (1), yes, please take the config backup from the primary admin node.

On (2), we usually de-register one of the ISE secondary nodes (including the ISE secondary admin), instead of the ISE primary admin node. If you do prefer to de-register the ISE primary admin node, then first promote the secondary admin to primary and de-register the original primary admin node. The deployment will always have one and only one primary admin node, unless standalone.

Re: ISE upgrade from 1.3 to 2.1

dot1x — Mon, 11 Dec 2017 09:38:45 GMT

Hi guys!

Was busy with WLCs upgrade which went good.

Now we'll be updating ISE. While reading the upgrade guide for ISE 2.1; at one stage it says:

Release 2.1 supports Red Hat Enterprise Linux (RHEL) 7.0.

If you are upgrading Cisco ISE nodes on VMware virtual machines, after upgrade is complete, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change.

On another place, it says:

If you are upgrading Cisco ISE nodes on virtual machines, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change. RHEL 7 supports only E1000 and VMXNET3 network adapters. Be sure to change the network adapter type before you upgrade.

Doe it mean to change adapter first, upgrade and then change the guest operating system?

Re: ISE upgrade from 1.3 to 2.1

Jason Kunst — Mon, 11 Dec 2017 12:48:43 GMT

You change the adapter before upgrade and the operating system after

Re: ISE upgrade from 1.3 to 2.1

dot1x — Wed, 13 Dec 2017 01:10:15 GMT

Hi Champs!

What order should we apply the patch if we are using CLI?

Would there be any downtime when applying the patch individually on each node?

Re: ISE upgrade from 1.3 to 2.1

hslai — Wed, 13 Dec 2017 01:17:49 GMT

Primary PAN first. Then, the rest can be in any order.

Yes, there would be downtime but you would have the control over which ISE nodes down when doing it via CLI. ISE patching usually will restart ISE services and some patches will reboot the O/S.

Re: ISE upgrade from 1.3 to 2.1

Jason Kunst — Wed, 13 Dec 2017 01:20:20 GMT

Please check the admin guide on this process, it’s all explained

Re: ISE upgrade from 1.3 to 2.1

dot1x — Wed, 13 Dec 2017 01:20:38 GMT

Thanks hslai,

When we do the Primary PAN first, wouldn't there be a patch mismatch between Primary PAN and all other nodes?

Would this cause any issues?

Re: ISE upgrade from 1.3 to 2.1

hslai — Wed, 13 Dec 2017 01:28:35 GMT

During patching, it's fine that not all ISE nodes in the same patch level as that is expected.

Re: ISE upgrade from 1.3 to 2.1

dot1x — Wed, 13 Dec 2017 01:32:17 GMT

The guide says:

When you install a patch from the Primary PAN that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then all the secondary nodes in the deployment. If the patch installation is successful on the Primary PAN, Cisco ISE then continues patch installation on the secondary nodes. If it fails on the Primary PAN, the installation does not proceed to the secondary nodes. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment. Secondary Cisco ISE nodes are restarted consecutively after the patch is installed on those nodes. While installing a patch on secondary nodes, you can continue to perform tasks on the Primary PAN.

whichh I believe is true when we use GUI. I'd be using CLI to apply patch on individual nodes.

Any thoughts?

Re: ISE upgrade from 1.3 to 2.1

dot1x — Wed, 13 Dec 2017 01:35:25 GMT

We have 2 PSNs running.

1. We update patch on Primary PAN.

2. Update patch on 1st PSN.

At this point of time Primary PAN has latest patch and 2nd PSN is on older patch. Would 2nd PSN still be working and authenticating the clients while 1st PSN patch update is in progress?

Re: ISE upgrade from 1.3 to 2.1

hslai — Wed, 13 Dec 2017 01:37:21 GMT

Correct. The info is on using the ISE admin web UI to apply the patches.

When using CLI, the ISE admin has the control which one ISE node got applied first and when to start patching on any of the ISE nodes.

Re: ISE upgrade from 1.3 to 2.1

hslai — Wed, 13 Dec 2017 01:41:30 GMT

Yes.

Re: ISE upgrade from 1.3 to 2.1

dot1x — Wed, 13 Dec 2017 04:48:41 GMT

Hi,

This change of Guest OS is so confusing:

The Upgrade Guide 2.1 says:

Prep for the Upgrade Section: Cisco Identity Services Engine Upgrade Guide, Release 2.1 - Prepare for Upgrade [Cisco Identity Services Engine] - Cis…

If you are upgrading Cisco ISE nodes on virtual machines, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change. RHEL 7 supports only E1000 and VMXNET3 network adapters. Be sure to change the network adapter type before you upgrade.

Post-Upgrade Tasks Section: Cisco Identity Services Engine Upgrade Guide, Release 2.1 - Post-Upgrade Tasks [Cisco Identity Services Engine] - Cisc…

Ensure that the Guest Operating System on the VMware virtual machine is set to Red Hat Enterprise Linux (RHEL) 7 and the network adapter is set to E1000 or VMXNET3.

Should this be doen before or after?