topic Re: ISE 2.6 FULL / PIC - Patching nightmare. in Network Access Control

ISE 2.6 FULL / PIC - Patching nightmare.

Erwan LE BIHAN — Mon, 10 May 2021 10:09:51 GMT

hi all.

Let's say you need to install ISE PIC 2.6 or ISE PIC 2.7.

If you look at cisco Support, the latest patch version for ISE PIC 2.6 is Patch5.

And if you have a look at ISE PIC 2.7, there's no patch available at all.

https://software.cisco.com/download/home/286313041/type/286314948/release/2.7.0

We all know there's patch3 for 2.7, and latest for 2.6 is Patch9.

When I asked TAC about this, their answer is:

My name is Ahmed from AAA team. I am sending this email to let you know that I took ownership of the case.

The ISE-PIC is a subset of the functionality offered with the Cisco Identity Services Engine. The Cisco ISE-PIC only support the passive ID functionality contained in the ISE.

So you can only upgrade to ISE-PIC patch 5, Not ISE patch 9.

But, according to ISE PIC Administrator manual, software patch Installation Guidelines, p111

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/pic_admin_guide/PIC_admin26.pdf

Cisco ISE patches can be installed on ISE-PIC as well.

So:

* Should I follow the manual, disregard TAC, and install the latest Patch for ISE (Patch9)

* Should I disregard the manual, follow TAC, and install only Patch5 ?

Thanks in advance

Regards.

Re: ISE 2.6 FULL / PIC - Patching nightmare.

Marcelo Morais — Mon, 10 May 2021 15:31:13 GMT

Hi @Erwan LE BIHAN ,

excellent point ...

First of all ... ISE PIC is a subset of ISE, in other words, you must install the ISE PIC ISO and not the ISE ISO:

Second ... although ISE PIC software download has up to P5 (for 2.6😞

if you take a look at Upgrade Cisco ISE-PIC, search for Validate Data to Prevent Upgrade Failures, you should use the URT for that, but there is no URT software download on ISE PIC only on ISE ... the same for ISE Upgrade Bundle (search for Cisco ISE-PIC Upgrade Overview).

IMO, I agree with the documentation "Cisco ISE Patches can be installed on ISE-PIC as well".

Note: if the documentation is incorrect, TAC could request the change.

Hope this helps !!!

Re: ISE 2.6 FULL / PIC - Patching nightmare.

Erwan LE BIHAN — Thu, 20 May 2021 14:03:31 GMT

A bit of follow up:

I did install Patch9 on my ISE PIC VM and of course it works.

I'm quite sure now that TAC was wrong. There's a lot of security bugfixes in Patch 6-9 and I can't find any reason to stay at patch5.

I also found on top of this that, according to compatibility matrix, only ISE PIC V2.6Patch6+ is allowed when using FMC 6.7

Source: Cisco Firepower Compatibility Guide - Cisco