
ISE Distributed Deployment Migration Approach from 2.6 to 3.2

n_nmanzoor
Level 1

Hi All,

Any suggestions - please help!

We are in the planning stage of our ISE upgrade from 2.6 (no patch) to 3.1; details are below in the current and proposed setup. Can somebody please help me with the upgrade approach? We plan to build a parallel setup and gradually migrate all the RADIUS/TACACS NADs.

Current Setup:

We have a distributed deployment, with PAN/MNT/PxGrid/PSN on an SNS-3595 in 1 DC as Primary and a Secondary PAN/MNT/PxGrid/PSN on an SNS-3595. We have 2x PSNs only deployed in a remote location. These are configured as a single deployment running on 2.6 with no patch.

Proposed Setup:

We plan to upgrade the primary PAN/MNT/PxGrid/PSN running on SNS-3595 to SNS-3755 in DC-1 and decouple the PSN from the existing node to dedicate a PSN-only box at each DC. So we will have 4 appliances (SNS-3755) rather than 2 in DC-1 and DC-2. We also have the dedicated remote 2x PSN-only nodes on 2x SNS-3655 appliances. We do not plan to upgrade these as they are not EOL soon.

Thanks in Advance


balaji.bandi
Hall of Fame

Check this discussion; recently a user was trying to do the same as, or something close to, your kind of setup:

https://community.cisco.com/t5/network-access-control/ise-upgradation-from-2-7-patch-9-t-o-3-1/m-p/4790590#M580356

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for directing me to the link - will go through and come back if required

Hi,

I just checked the link - it seems to be more related to licenses, I am clear off.

Can you provide me with some insight regarding the whole migration? Maybe a good document which covers all aspects of the ISE 2.6 to 3.1 migration, like existing certificates, the existing ISE database, and existing PSN migration?

Regards

Personally, I would do fresh 3.1 installations, migrate the data (offline), test it, and add them to the network.

Or you can install 2.6 on the new kit and upgrade to 3.1 as per the guides below (make sure you do testing before you put them back in the live environment).

Check the guides below:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/upgrade_guide/HTML/b_upgrade_method_3_1.html

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/upgrade_guide/HTML/b_upgrade_overview_3_1.html

 

BB


Charlie Moreton
Cisco Employee

@n_nmanzoor wrote:

Proposed Setup:

We plan to upgrade the primary PAN/MNT/PxGrid/PSN running on SNS-3595 to SNS-3755 in DC-1 and decouple the PSN from the existing node to dedicate a PSN-only box at each DC. So we will have 4 appliances (SNS-3755) rather than 2 in DC-1 and DC-2. We also have the dedicated remote 2x PSN-only nodes on 2x SNS-3655 appliances. We do not plan to upgrade these as they are not EOL soon.

Thanks in Advance


  1. First, install the latest Patch on 2.6, then take a configuration backup.
  2. Export the certificate store through the CLI.
  3. The current setup is for all personas on a single node x 2 (PAN/MnT/pxGrid/PSN). Use the IP addresses for these nodes as the IP addresses for the new PSNs so that you do not have to update all network devices with new IPs for the RADIUS server.
  4. Install 3.1 on the new Admin nodes with new IP addresses (this will require new certificates) and install the latest patch.
  5. Restore the backup from 2.6.
  6. De-register the Secondary Admin Node from the 2.6 deployment.  Since this has PSN services enabled, make sure that the Network Devices can reach the other PSN in this deployment so RADIUS service is not interrupted.
  7. Install 3.1 on the new PSN using the IP address from the secondary Admin you just de-registered.  Install latest Patch.
  8. Register to 3.1 deployment.
  9. De-register a remote PSN from 2.6 deployment (SNS-3655).  Since this is a PSN, make sure that the Network Devices can reach the other PSN in this deployment so RADIUS service is not interrupted.
  10. Install 3.1 on the new PSN using the IP address from the remote PSN you just de-registered.  Install latest Patch.
  11. Register to 3.1 deployment.
  12. De-register the second remote PSN from 2.6 deployment (SNS-3655).  Since this is a PSN, make sure that the Network Devices can reach the other PSN in this deployment so RADIUS service is not interrupted.
  13. Install 3.1 on the new PSN using the IP address from the remote PSN you just de-registered.  Install latest Patch.
  14. Shut down the 2.6 Primary Admin Node.
  15. Install 3.1 on the second new PSN using the IP address from the Primary Admin you just shut down.  Install latest Patch.
  16. Register to 3.1 deployment.
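
An added example, not part of the original reply and not Cisco tooling: a pre-check for the "make sure the Network Devices can reach the other PSN" caveat in steps 6, 9 and 12 (and the shutdown in step 14). It reads a constructed NAD inventory and reports, for each cutover window, which NADs have no other RADIUS server configured and which will have to fail over. The CSV layout, NAD names and IP addresses are assumptions, and the check covers configured servers only, not live network reachability.

```python
import csv
import io

# Constructed sample inventory (not from the thread): each NAD and the RADIUS
# server IPs configured on it, in priority order. IPs are documentation ranges.
NAD_CSV = """nad,radius_servers
dc1-core-sw,192.0.2.10;192.0.2.20
dc2-core-sw,192.0.2.20;192.0.2.10
branch-a-sw,198.51.100.31;198.51.100.32
branch-b-wlc,198.51.100.32
legacy-vpn,192.0.2.10
"""

# Cutover order follows the steps above; the IPs are assumed placeholders for
# the addresses that the new 3.1 PSNs will reuse.
CUTOVERS = [
    ("secondary admin (steps 6-8)", "192.0.2.20"),
    ("remote PSN 1 (steps 9-11)", "198.51.100.31"),
    ("remote PSN 2 (steps 12-13)", "198.51.100.32"),
    ("primary admin (steps 14-16)", "192.0.2.10"),
]

def load_nads(text):
    """Return {nad_name: [server_ip, ...]} from the CSV inventory."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["nad"]: [ip.strip() for ip in r["radius_servers"].split(";") if ip.strip()]
            for r in rows}

def cutover_report(nads, cutovers):
    """For each window, list NADs whose only RADIUS server is the IP being
    taken down (outage) and NADs whose first-priority server is that IP but
    which have another server configured (failover)."""
    report = []
    for label, down_ip in cutovers:
        outage = sorted(n for n, s in nads.items() if set(s) == {down_ip})
        failover = sorted(n for n, s in nads.items()
                          if s and s[0] == down_ip and n not in outage)
        report.append({"window": label, "ip": down_ip,
                       "outage": outage, "failover": failover})
    return report

if __name__ == "__main__":
    for w in cutover_report(load_nads(NAD_CSV), CUTOVERS):
        print(f"{w['window']} [{w['ip']}]: outage={w['outage']} failover={w['failover']}")
```

Any NAD listed under `outage` needs a second RADIUS server added before that window opens.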

 

Maybe a small tip: don't forget to domain join your freshly installed nodes, or any authentication that uses AD groups will fail.