05-10-2021 03:09 AM - edited 05-10-2021 03:09 AM
Hi all.
Let's say you need to install ISE PIC 2.6 or ISE PIC 2.7.
If you look at Cisco Support, the latest patch version for ISE PIC 2.6 is Patch 5.
And if you have a look at ISE PIC 2.7, there's no patch available at all:
https://software.cisco.com/download/home/286313041/type/286314948/release/2.7.0
We all know there's Patch 3 for 2.7, and the latest for 2.6 is Patch 9.
When I asked TAC about this, their answer was:
My name is Ahmed from AAA team. I am sending this email to let you know that I took ownership of the case.
The ISE-PIC is a subset of the functionality offered with the Cisco Identity Services Engine. The Cisco ISE-PIC only supports the passive ID functionality contained in the ISE.
So you can only upgrade to ISE-PIC Patch 5, not ISE Patch 9.
But, according to the ISE PIC Administrator Guide, Software Patch Installation Guidelines, p. 111:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/pic_admin_guide/PIC_admin26.pdf
Cisco ISE patches can be installed on ISE-PIC as well.
So:
* Should I follow the manual, disregard TAC, and install the latest patch for ISE (Patch 9)?
* Should I disregard the manual, follow TAC, and install only Patch 5?
Thanks in advance
Regards.
05-10-2021 08:31 AM
Hi @Erwan LE BIHAN ,
excellent point ...
First of all ... ISE PIC is a subset of ISE, in other words, you must install the ISE PIC ISO and not the ISE ISO:
Second ... although ISE PIC software download has up to P5 (for 2.6
If you take a look at Upgrade Cisco ISE-PIC and search for Validate Data to Prevent Upgrade Failures, you should use the URT for that, but there is no URT software download for ISE PIC, only for ISE ... the same for the ISE Upgrade Bundle (search for Cisco ISE-PIC Upgrade Overview).
IMO, I agree with the documentation: "Cisco ISE Patches can be installed on ISE-PIC as well".
Note: if the documentation is incorrect, TAC could request the change.
Hope this helps !!!
05-20-2021 07:03 AM
A bit of follow-up:
I did install Patch 9 on my ISE PIC VM and of course it works.
I'm quite sure now that TAC was wrong. There are a lot of security bug fixes in Patches 6-9 and I can't find any reason to stay at Patch 5.
I also found, on top of this, that according to the compatibility matrix only ISE PIC v2.6 Patch 6+ is allowed when using FMC 6.7.
Source: Cisco Firepower Compatibility Guide - Cisco