Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
979
Views
5
Helpful
3
Replies

ISE 3.1 Upgrade from 2.7

MAGNUS SVENSSON
Level 1
Level 1

‎11-15-2022 06:47 AM

Hi. I have performed a upgrade from ISE2.7 patch7 to ISE3.1 Patch 4. And would like to share some interesting things that happened during this activity. My environment is a two node deployment. I performed the upgrade from cli. Started the upgrade on the secondary admin and then on the primary admin. When I started I hade my licensing reverted to traditional as suggested in the upgrade guide.

When I tried do start the gui I was prompted to enter a license file. I supplied a file but that did not help. Contacted Cisco TAC and that was a known bug and I was suggested to apply patch4 that would solve that issue. The patch solved that issue. I then converted the license to smart licensing and it did work.

In the logs i could see that my MAB authentication/authorization did not work, Wired-dot1x, Wiredless-dot1x worked and admin logins using radius (PAP) worked as well, BUT not MAB. The cause for this behavior is that the profiling service was disabled during the upgrade. Enabling it the MAB starts working.

I just have the basic 3.1 license (Essentials) installed and I am still able to enable and run the Profiling service.

3 Replies 3

ahollifield
VIP
VIP

‎11-15-2022 09:44 AM

You will get licensing alarms for this.  Essentials does not include profiling.  You need to purchase Advantage.  Keep in mind any compliance issues regarding the EULA.

0 Helpful

MAGNUS SVENSSON
Level 1
Level 1
In response to ahollifield

‎11-15-2022 11:25 PM

For MAB to work you must enable profiling, If I don’t enable profiling i am not able to edit  the identity groups containing the MAC addresses I use to group the endpoints connecting.

Essentials:

  • RADIUS authentication, authorization, and
    accounting, including 802.1X, MAC
    authentication bypass and easy connect, and web
    authentication.

The advantage states:

  • Profiling services, including basic asset visibility
    and enforcement features.

It is confusing. I am not getting any License alarms, I am compliant.

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎11-19-2022 05:12 PM

@MAGNUS SVENSSON Static endpoint group assignments do not consume advantage endpoint licenses.

Cisco ISE Licensing Guide has been recently updated. If some info there is not clear, please use the feedback link at the bottom of the page to provide your input.

0 Helpful
Customers Also Viewed These Support Documents