topic Re: Cisco ISE 2.7 Patch upgrade in Network Access Control

Cisco ISE 2.7 Patch upgrade

alinbabyy — Fri, 04 Mar 2022 18:36:27 GMT

Hi All - Currently we are running on ISE v2.7 patch 3 and due the latest RADIUS vulnerability need perform a patch upgrade to 6 or 7. Did anyone here installed patch 7 on ISE 2.7 version. Please let me know if any issues are reported and is it recommended to go for patch 7 or patch 6?

Re: Cisco ISE 2.7 Patch upgrade

balaji.bandi — Fri, 04 Mar 2022 19:04:02 GMT

read the release notes and caveats of patch 7:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/release_notes/b_ise_27_RN.html#id_82860

you can install the patch with the below documents help :

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/upgrade_guide/Upgrade_Journey/HTML/b_upgrade_install_patch_2_7.html

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215406-patch-installation-on-ise-and-faq-durin.html

Re: Cisco ISE 2.7 Patch upgrade

alinbabyy — Fri, 04 Mar 2022 19:12:15 GMT

I have gone through this. But there is no confirmation that the vulnerability (CVE-2022-20756) is fixed in patch 7. Also considering that patch 7 was released very recently and open & resolved caveats in patch 6 and 7 i am trying to figure out which patch would be the best option.

Re: Cisco ISE 2.7 Patch upgrade

Marcelo Morais — Fri, 04 Mar 2022 20:37:33 GMT

Hi @alinbabyy ,

ISE 2.7 P6 is a good patch, using it for the last 3 months.

ISE 2.7 P7 was released on Mar 2nd, still testing in a LAB.

Hope this helps !!!

Re: Cisco ISE 2.7 Patch upgrade

balaji.bandi — Sat, 05 Mar 2022 01:29:45 GMT

My Environment we are using stable patch 6 with 2.7 and ISE 3.0 patch 4 i guess

Re: Cisco ISE 2.7 Patch upgrade

alinbabyy — Sat, 05 Mar 2022 05:53:38 GMT

Hi @Marcelo Morais and @balaji.bandi - thanks for the response. Have you observed any bugs in patch 6 so far? Because i could see many resolved caveats in patch 7.

Re: Cisco ISE 2.7 Patch upgrade

balaji.bandi — Sat, 05 Mar 2022 08:47:37 GMT

Not really impacting one we see, but it all depends on the features you using and the kind of deployment.

If you really concerned, worth opening a TAC, they can suggest you look at your deployment and config.

Some bugs you may encounter as cisco TAC said they fixed, so we need to bear that in mind, and you have the option to roll back patches.

Re: Cisco ISE 2.7 Patch upgrade

Marcelo Morais — Sat, 05 Mar 2022 12:08:48 GMT

Hi @alinbabyy ,

for 2.7 P6 I`m using RADIUS (no TACACS+), the bugs that I observed are related to:

. RBAC Policy

. CSCwa19573 - Catalina.out file is huge because of SSL audit events (solved on 2.7 P7) ... this one I opened a TAC Case months ago to solve the issue

. CSCwa47133 - ISE Evaluation log4j CVE-2021-44228 (solved on 2.7 P7) ... this one I applied a Hot Patch.

Hope this helps !!!

Re: Cisco ISE 2.7 Patch upgrade

alinbabyy — Sat, 05 Mar 2022 18:26:50 GMT

Okay. Thanks.

Re: Cisco ISE 2.7 Patch upgrade

alinbabyy — Sat, 05 Mar 2022 18:29:52 GMT

What was the symptoms for the bug related to RBAC? Was that causing any impact in production?

Re: Cisco ISE 2.7 Patch upgrade

imanv — Sat, 05 Mar 2022 19:53:53 GMT

Currently I have Cisco ISE 2.7 patch 6 and all features working fine.

Log4j bug also patched with Cisco instruction here :

https://www.cisco.com/web/software/283802505/159582/README_Hotpatch_CSCwa47133_Log4j2-fix-2.4-3.0.txt

Re: Cisco ISE 2.7 Patch upgrade

Marcelo Morais — Sun, 06 Mar 2022 04:37:52 GMT

Hi @alinbabyy ,

please take a look at this post Access Right in ISE.

Hope this helps !!!

Re: Cisco ISE 2.7 Patch upgrade

Janne K. — Fri, 18 Mar 2022 09:50:20 GMT

Went on our 2.7 install with patch 3 to patch 7 two weeks ago, and everything runs smoothly.