Solved: Re: ISE PIC Updating to 3.2

sysad43 · ‎11-02-2022

1. Im trying to update ISE PIC from 3 to 3.2 to see if it includes fix for below issue, but all I can download is the ISO. The update instructions say I need a patch gzip file. So how do I update?

2. Has the issue with WMI connecting to AD been fixed? On 3.0 I still get "The server-side authentication level policy does not allow the user X from address Y to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."

A previous thread a year ago mentioned Cisco needing to fix this to be compatible with a Windows patch.

sysad43 · ‎11-03-2022

Ok, I was able to update to 3.2, the problem with RPC still exists. Due to MS hardening DCOM, ise pic is unable to use WMI or Agent to get passive identity. Ill wait for the next patch.

View solution in original post

ahollifield · ‎11-02-2022

https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/pic_install_upgrade/b_pic_install_upgrade_32/pic_upgrade.html
This sounds like a user permissions issue to me.

sysad43 · ‎11-02-2022

2. Its not

Solved: ISE-PIC WMI failing on Windows Server 2019 with KB5005568 - Cisco Community

1. Thanks, the release notes pointed to admin guide, which didnt have "install a patch".

sysad43 · ‎11-02-2022

Actually the guide doesnt really help either. Theres no upgrade bundle to download for 3.2, just the full ISO.

Software Download - Cisco Systems

ahollifield · ‎11-02-2022

"You must use the Cisco ISE upgrade bundle to upgrade Cisco ISE-PIC. You can download the upgrade bundle from Cisco.com."

ISE-PIC is just ISE with a license level restriction. So you use the "normal" ISE upgrade bundle to upgrade ISE-PIC.

sysad43 · ‎11-02-2022

My bad, reading comprehension.

sysad43 · ‎11-03-2022

Ok, I was able to update to 3.2, the problem with RPC still exists. Due to MS hardening DCOM, ise pic is unable to use WMI or Agent to get passive identity. Ill wait for the next patch.