
ISE 2.6 FULL / PIC - Patching nightmare.

Erwan LE BIHAN
Level 1

Hi all.

Let's say you need to install ISE PIC 2.6 or ISE PIC 2.7.

If you look at Cisco Support, the latest patch version for ISE PIC 2.6 is Patch 5.

And if you have a look at ISE PIC 2.7, there's no patch available at all.

https://software.cisco.com/download/home/286313041/type/286314948/release/2.7.0

We all know there's Patch 3 for 2.7, and the latest for 2.6 is Patch 9.

When I asked TAC about this, their answer was:

My name is Ahmed from AAA team. I am sending this email to let you know that I took ownership of the case.

The ISE-PIC is a subset of the functionality offered with the Cisco Identity Services Engine. The Cisco ISE-PIC only supports the passive ID functionality contained in the ISE.

So you can only upgrade to ISE-PIC patch 5, not ISE patch 9.

But, according to the ISE PIC Administrator Guide, Software Patch Installation Guidelines, p. 111

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/pic_admin_guide/PIC_admin26.pdf

Cisco ISE patches can be installed on ISE-PIC as well.

So:

* Should I follow the manual, disregard TAC, and install the latest patch for ISE (Patch 9)?

* Should I disregard the manual, follow TAC, and install only Patch 5?

Thanks in advance

Regards.

2 Replies

Hi @Erwan LE BIHAN,

Excellent point ...

First of all ... ISE PIC is a subset of ISE, in other words, you must install the ISE PIC ISO and not the ISE ISO:

ISEPIC.png

Second ... although the ISE PIC software download has up to P5 (for 2.6)

ISEPIC2.png

if you take a look at Upgrade Cisco ISE-PIC, search for Validate Data to Prevent Upgrade Failures, you should use the URT for that, but there is no URT software download on ISE PIC only on ISE ... the same for ISE Upgrade Bundle (search for Cisco ISE-PIC Upgrade Overview).

IMO, I agree with the documentation "Cisco ISE Patches can be installed on ISE-PIC as well".

Note: if the documentation is incorrect, TAC could request the change.

Hope this helps !!!

Erwan LE BIHAN
Level 1

A bit of follow up:

I did install Patch9 on my ISE PIC VM and of course it works.

I'm quite sure now that TAC was wrong. There are a lot of security bugfixes in Patches 6-9 and I can't find any reason to stay at Patch 5.

On top of this, I also found that, according to the compatibility matrix, only ISE PIC 2.6 Patch 6+ is allowed when using FMC 6.7.

Cisco FMC-ISE-Matrix.png

Source: Cisco Firepower Compatibility Guide - Cisco
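The practical follow-on to this thread is checking that a deployed ISE-PIC node actually sits at or above the patch level the compatibility matrix demands. The script below is an added example, not code from the thread or from Cisco: it parses the `show version` output of an ISE-PIC node and compares the highest installed patch against a minimum-patch baseline. The `show version` layout (an application block plus one block per installed patch, each with a `Version :` line) is assumed from the ISE CLI, the sample output and its dates are constructed, and the only baseline entry is the one this thread cites (FMC 6.7 requires ISE-PIC 2.6 Patch 6 or later); the assumption that ISE patches are cumulative is stated in the code.

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample of ISE-PIC "show version" output. The layout (one block
# for the application, one block per installed patch, each with a
# "Version : ..." line) is assumed from the ISE CLI; the dates and build
# numbers are made up for this example.
SAMPLE_SHOW_VERSION = """\
Cisco Application Deployment Engine OS Release: 3.0
ADE-OS Build Version: 3.0.3.127
ADE-OS System Architecture: x86_64

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine Passive Identity Connector
---------------------------------------------
Version      : 2.6.0.156
Build Date   : Tue Jan 29 20:39:59 2019
Install Date : Mon Jun 01 10:12:44 2020

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 6
Install Date : Fri Nov 06 09:20:11 2020

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 9
Install Date : Wed Jan 13 15:02:37 2021
"""

# Minimum patch level per release train, keyed by (major, minor). The 2.6
# entry is the requirement the thread cites from the Firepower compatibility
# guide (FMC 6.7 wants ISE-PIC 2.6 Patch 6 or later); other trains would be
# filled in from your own copy of the matrix.
MINIMUM_PATCH: Dict[Tuple[int, int], int] = {(2, 6): 6}


@dataclass(frozen=True)
class IseBuild:
    major: int
    minor: int
    patch: int  # highest installed patch number, 0 if none is installed


_VERSION_LINE = re.compile(r"Version\s*:\s*(\S+)")


def parse_show_version(text: str) -> IseBuild:
    """Extract the application version and installed patch numbers."""
    base = None
    patches = []
    block = None  # which block the next "Version :" line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Cisco Identity Services Engine"):
            block = "patch" if line.endswith("Patch") else "base"
            continue
        match = _VERSION_LINE.match(line)
        if match is None or block is None:
            continue
        if block == "base":
            base = match.group(1)
        else:
            patches.append(int(match.group(1)))
        block = None
    if base is None:
        raise ValueError("no ISE application version block found")
    major, minor = (int(part) for part in base.split(".")[:2])
    # ISE patches are cumulative (assumed here), so the highest installed
    # number is the effective patch level.
    return IseBuild(major, minor, max(patches, default=0))


def meets_baseline(build: IseBuild, baseline=MINIMUM_PATCH) -> bool:
    """True when the build is at or above the baseline for its release train."""
    required = baseline.get((build.major, build.minor))
    if required is None:
        # Unknown train: report non-compliant rather than silently passing.
        return False
    return build.patch >= required


def audit(text: str, baseline=MINIMUM_PATCH) -> dict:
    """Parse show-version output and report the compliance verdict."""
    build = parse_show_version(text)
    return {
        "version": f"{build.major}.{build.minor}",
        "patch": build.patch,
        "required": baseline.get((build.major, build.minor)),
        "compliant": meets_baseline(build, baseline),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SHOW_VERSION))
```

Feed it the captured `show version` text from each node and treat any release train missing from the baseline as a finding to resolve, not a pass; that is why `meets_baseline` returns False for an unknown train.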